
What I Would Do Differently? Reflections on the First Offering of SRA 311

Sunday, December 21st, 2008

Hooray!  As of about 6:30PM on Saturday, 20 Dec 08, I am done with SRA 311 (Risk Management) for the Fall 2008 semester!  I have been thinking for several weeks now about what worked in SRA 311, what didn’t work, and what could be better from both student and instructor (and teaching assistant) perspectives.  And now that class is over, I decided to take a few hours to write about how I plan to do things differently for iteration 2 of SRA 311 in Spring 2009.  For reference, I include my Fall 2008 syllabus below:

Sra311 Syllabus Fall2008 Final

In the following I will just highlight a few of the changes I plan to make in the second iteration of SRA 311.

Revised Course Content for Iteration Two of SRA 311

Probability Theory: Looking back, I think I overstressed some less important topics, and forgot to include others I am now finding to be quite important.  The most important thing I should have done was go over the basics of probability theory in detail rather than assume that my students were fully equipped to think probabilistically (I should have known better given that, at best, my students have had only a few lectures on the subject prior to taking this course).  So, for the first part of the course, I plan to get serious about teaching probability theory from first principles.  But of course, I will discuss this subject with respect to its place in security risk management.  (btw: the book I plan to draw from is Introduction to Applied Probability by Pfeiffer and Schum, 1973, ISBN: 0125531508).

The Six Questions of Risk, Risk Triplet, and Definitions: As I did last semester, I plan to stress the six questions of risk assessment and risk management over and over again.  The same holds for my repeated mention of the risk triplet and the definition of risk.  This time, however, I will emphasize the risk triplet as being the set of scenario, s (which is the pair of initiating event and outcome, or s = (e,o)), probability of the scenario, p, and utility associated with the scenario, u.  That is, risk is the set of all relevant ordered triples {<s,p,u>}.  As for definitions, I am going to largely focus on risk as the potential for harm or loss, and thus save the more generic definition (i.e., risk as uncertainty about future events) for graduate discussions.  Also, I will stress the need-for-common-definitions issue less, as I found that such talk either goes over my students’ heads at best, or confuses them at worst.

Set Theory and Open vs. Closed Worlds: As I did last semester, I will spend about a week talking about sets (mutually exclusive, collectively exhaustive, conditionally exhaustive, etc.), as well as talk quite a bit about the difference between open and closed world thinking (w/ residual  hypothesis).   I still think that talking about open worlds (i.e., admitting the possibility of a residual hypothesis) should be introduced at the very beginning of a student’s exposure to risk and uncertainty.  See my previous post on the topic.  I plan to keep this lecture pretty much intact, but I do think I might add a few more security-oriented examples.

Utility Theory: To accommodate a full discussion of risk, I will be sure to spend a full lecture on the basics of utility theory, to cover what utility is, aspects of multicriteria decision analysis, risk attitudes, and so on. Last semester I spoke about utility for only 10 or so minutes, and consequently my students could not speak to the topic on the final.  Though a lot of utility theory was already covered in the prerequisite class SRA 231 (Decision Analysis), a little review couldn’t hurt.

Support Theory, Possibility Theory and Surprise: Integrated into my discussion of probability theory will be a discussion of support theory (the descriptive side of humans and probability), mention of possibility theory and its axioms, and also mention of Shackle’s theory of potential surprise.  I am not clear yet just where these discussions will occur, but they will surely happen somewhere during the first part (fundamentals) of the course.

Talk About Uncertainty: The discussion of uncertainty (aleatory and epistemic) and all its types will be presented up front with or soon after the introduction of the concept of risk.  If all goes well, this will happen during lecture 2.  We will also include the discussion of different types of ignorance at this time (unlike last time when it felt out of place in lecture 11).

Security Context and the Eight Elements of Thought: As I did last semester, I will introduce Liner and Paul’s Eight Elements of Thought and Intellectual Standards in great detail during the first lecture.  Then, as before, the students will apply the Eight Elements and Intellectual Standards to their first Critical Article Review (CAR) assignment of Manunta’s paper “What is Security?” (published in a 1999 issue of Security Journal).  The second lecture will be spent going over the Eight Elements and the Intellectual Standards as they apply to Manunta’s article, discussing the concept of a security context, and then proceed to do an in class example identifying and articulating different security contexts.  This semester I want the students to be confident about the Eight Elements and Intellectual Standards by the end of their first week.

Accreditation: As part of the discussion on risk acceptance in Part III of the course, I will include a discussion of accreditation, or the practice of acknowledging that the risk associated with a protected asset is acceptable with respect to its value and purpose.  I didn’t do this last semester, but now that SRA 311 is an essential part of the NSA Certificate in Risk Analysis, I figured I ought to start talking about accreditation.  I will also include a discussion on standards, whether implicit (e.g., what would a normal security manager do) or explicit (e.g., contractually).

Life-Cycle Cost: When I talk about risk management this semester, I will be sure to include a discussion of life cycle cost of a risk mitigation strategy, to include maintenance costs, replacement costs, operational and procurement costs, and more interestingly, the implicit costs of decreased performance as adversaries adapt and learn to overcome the countermeasure.

The Insurance Game: My good friend Professor Bilal Ayyub at the University of Maryland recently pointed out to me an interesting pedagogical exercise aimed at teaching undergraduates how to appreciate the role insurance plays in risk management.  This semester, I plan to try out this game in the classroom to see how it works (and perhaps spend some money making cool game props, such as custom cards and so on).

Expert Elicitation and Probability Calibration: Last semester I spoke about probability, but did not talk at all about how to elicit probabilistic information when needed.  This means that I also did not talk about how to calibrate personal probability judgments.  Though I had every intention of talking about this during my fact finding discussion (which I also skipped over), this semester I will be sure to spend a whole lecture on the subject.  I will call this lecture “Expert Elicitation and Fact Finding.”

Analytic Confidence: The discussion of analytic confidence will take place sometime in the first 5 weeks of class, probably after my discussion of conditional probability and possibility theory.  Last semester I spoke about this all-too-important subject during lecture 20 - by then it was already too late for the concepts to sink in.  I won’t make this mistake again.

Influence Diagrams: I am kicking myself for not discussing influence diagrams in class this past semester.  Next semester I plan to not only talk about influence diagrams, but also have students use one or more software tools to draw and quantitatively analyze influence diagrams.  This should be fun.

Decision Advantage: While risk analysis does promote decision advantage, I think that I will abandon this awkward phrase next semester.  Instead, I will simply stick with “risk analysis informs decision making.”

Metrics and Formulas for Risk: As I did last semester, this semester I plan to cover all the relevant measurement scales and formula types one might encounter in a risk analysis methodology.  But this time I will do it all in one lecture (or maybe a lecture and a half).  I will also have some references to draw on this time around.

Pre-Mortem Analysis, Root Cause Analysis, and Convergent/Divergent Thinking: Last semester I ran an interesting case study focused on the 2007 shooting incident at the Virginia Tech campus.  A few lectures after running this case study I figured out how to relate pre-mortem analysis and convergent/divergent thinking to the case study.  But by the time I did this, it was already too late to solidify the connection in the students’ minds.  So, this semester I plan to spend a week covering pre-mortem analysis and convergent/divergent thinking (and introduce the similar topic of root cause analysis) concurrently with running the case study.  But unlike last semester’s VT case study, this semester’s focus will be on Aum Shinrikyo and the mid-1990’s sarin gas attack on the Tokyo subway.  Other options might be a case study on the Khobar Towers bombing or one focused on the bombing of the Marine barracks in Beirut.

More Information Security and Crime, Less Terrorism: While terrorism is a hot topic these days (though becoming less so), I want to be sure that my course on security risk management (i.e., security in general) covers more than notional terrorists with bombs.  This semester I plan to spend more time thinking about information security problems, routine criminal problems, and perhaps a little bit of personnel security/executive prevention.  I will also talk about loss prevention as an idea, and also spend some time examining how safety balances and sometimes interferes with security.

CORAS, the McCumber Cube Model, and others: This semester I will start talking about a number of established security concepts and processes, to include CORAS, the McCumber Cube model, and OCTAVE, in addition to reviewing the basic concepts of the security bow tie and the swiss cheese model.  But since these topics are no fun to hear about on their own, I still need to figure out a strategy for integrating them into the standard flow of course ideas.  I think I figured out a way…

Certifications, Professional Societies, and Ethics: This time around, I will emphasize all the different certifications and security professional societies all throughout the semester.  I plan to also integrate ethics into the curriculum in two ways - first by highlighting ethical issues as a matter of course during the semester, and to cap the course off with an ethics story-telling exercise on the last day of class (as I did this past semester, but this time it will be more structured).

Real Questions from Real Certification Exams: This semester I plan to integrate real risk management questions from either the CISSP exam, CPP or PSP exam, perhaps even the CAS Exam P (for actuaries).  The goal here is to highlight that everything I teach in my class is relevant to things that matter in the professional world.  I anticipate that no less than 25% of the final exam will consist of questions taken from professional exam study guides.

Assignments and Policies

Established Groups at the Beginning of the Semester: On day one I will assign all students to work in groups of my crafting.  They are free to make individual trades among themselves as long as the class is evenly divided into groups.   These groups will work on all in-class exercises, homework, and projects together.

More Quizzes: Attendance was a big problem for me last semester.  Without having the data in front of me, I estimate that, on average, only 60% of students showed up for any given lecture.  So, this semester, in an attempt to better prepare my class for the multiple-choice final exam, to review course material in a fast and effective way, and to take attendance, I plan to give frequent in-class multiple choice quizzes on either the assigned readings (CAR-style questions) or previous lecture’s material.  Quizzes will be my means of taking attendance as well as gauging student performance.

More Organized CARs: Unlike last semester where I divided up the class so that 10-14 CARs were due at each lecture, this semester I plan to arrange the schedule such that all students work on CARs at the same time.  This means five CARs, each due for all students at the same time.  No make-ups.  The format for these CAR assignments will be exactly the same as it was last semester.

Critical Book Reviews: Like last semester there will be two required book reviews.  But unlike last semester, I will prescribe both books.  The first book is Against the Gods: The Remarkable Story of Risk by Peter Bernstein, and the second book is Risk Intelligence by David Apgar.  The format for these assignments will be exactly the same as before.

Homework: Ah, there will be homework assignments this semester.  Homework will largely consist of preparatory exercises for quizzes.  But there will be times when I ask for, say, an influence diagram, some worked problems, etc.  All homework will be done in groups.

Final Course Project: This semester, the final project will be focused on building a risk assessment tool for exploring a particular risk problem of interest to real decision makers.  That is, the tool is primary, and will be supported with some multi-media presentation (e.g., reports, poster, auto slide show, YouTube, etc.).  While the topics have yet to be determined, I will make available 5-10 topics that groups may choose from.  I am tentatively thinking about one or two on maritime piracy, one or two on lab site security, one or two on online communities, one on social engineering, one on party security, and so on.  I am still eliciting ideas from people, and hope to have a list in hand by the second week of class.

Methodology Appraisal: There will be no formal methodology appraisal this semester.  Rather, I will integrate a methodology review into one or two of the five CAR assignments.

Final Exam: There will be a final exam that, for the most part, will assume the same form as the exam from the Fall semester.  There is some question in my mind whether to keep the CAR in the exam or if I should make the entire exam one big multiple choice test.  I think I will keep my options open for the next few weeks.

Extra Credit: I always give extra credit, but never anything that amounts to more than 5% on top of a student’s final grade.  This semester, extra credit was very helpful for those students who, for some reason or another, didn’t do well on the first assignments of the semester.  Although I will not guarantee extra credit opportunities, I suspect that something will come up toward the middle-end of the semester.  After all, it helps out those who did well on previous assignments, but not well enough to meet my cutoff values for certain letter grades.  But in a perfect world there would be no need for extra credit since everyone would have already done superb routine work…

Attendance: Attendance is required.  I will take attendance most of the time this semester, but not always.  My policy for attendance is that I don’t give points to students for showing up to class.  Rather, I take away points for not showing up to class.  My plan for Spring is to implement an attendance policy that is tolerant of up to two (2) random absences, and then to apply a reduction factor to the final exam grade that is in proportion to the number of classes missed.  If a student misses all classes, that student will get a zero on the final regardless of whether he or she actually takes it [in math speak, the final exam grade = actual score * (attendance days - missed days)/attendance days].  This is a hard core policy, but perfectly reasonable.

Course Materials: This semester three books will be required - two for the book reviews (see above) and one newer version of a book covering the Eight Elements of Thought.  However, this semester I will also insist on using a variety of online soft-copy materials that will all be posted to the PSU course management system (i.e., ANGEL).

Office Hours: Despite having official office hours posted, either no one comes or they try to schedule a different time with me.  So, my intentions this year are to have office hours by appointment only.  But I also plan to do it in different environments, such as Second Life, PS3 Home, Skype, etc.  It is high time I become more IST-ized.

No TA, But One Grader and One TI: Unfortunately, next semester I will not have a TA to help me along with my class.  Instead I will have one undergraduate grader working for SRA 311 10 hours per week, and one teaching intern who will take part in class activities and maybe an occasional afternoon or evening event.  I, personally, don’t know how I will function without a TA, but I suppose things should be ok if my grader and TI are good (which I suspect they will be).

Better Class Time and Better Room: I am by no means a morning person.  This is why I am happy about having a class that begins at 11:15am instead of 9:45am.  On top of that, I am pleased to find that I am moving my class from the worst room in the IST building (IST 205 with annoying tabletop Macintosh computers) to the best room in the building (IST 206 with PC laptops).  I suppose that, in some way, the later class time and better room make up for the college taking away my teaching assistant.

My Blog About the Class: Next semester I intend to make more efficient use of my blog for recapping course content.  The way I am going to do this, though, is to point to relevant reference materials to support learning instead of writing lecture notes from scratch after each class session (my tendency to write a lot about each lecture acted more as a deterrent to writing than I intended).  I will also start to tweet about the class and integrate some other types of web communication technology (RSS feeds?).

Future Challenges

Two Sections of SRA 311: In Spring 2009, there will be two offerings of SRA 311.  One of these (the larger one) will be taught by me on Tuesday/Thursday mornings.  A smaller section of SRA 311 will be taught Tuesday/Thursday afternoons by Professor Dave Mudgett of IST 230-fame.  What this means is that we have to coordinate our class schedules, or at least align the learning objectives for our courses.

Cybertorium in Fall 2009: Beginning Fall 2009, my understanding is that SRA 311 will be moving to the infamous IST Cybertorium, a 150+ person computer-ridden amphitheatre not at all designed for fTf (face to face).  Fortunately (and by my request) the schedule should be such that the class will meet twice per week for 50-minutes in the Cybertorium, and one more time per week in smaller groups at a location somewhere away from the IST building.  The astute reader will see here that I am making lecture more of just that - a lecture.  My intent is to move all in-class activities to the recitation sections where students can spend an entire hour applying the things they learned in the lessons prior.  To accommodate this move to the cybertorium, I will be, in a small way, treating my Spring 2008 course as a cybertorium class, focusing mostly on lectures with fewer in-class exercises.  But when in-class exercises do occur, they will be extensive.

Guest Speakers: For some reason, I feel some pressure to recruit a guest speaker or two this semester.  A challenge for me is to identify who would be a good speaker that can (a) entertain the students, (b) convey useful real-world insights, and (c) align his message with the learning objectives I would otherwise have to address were I giving the lecture.  Any thoughts?

Epilogue

I invite interested readers to make suggestions regarding what to include, what to stress, what to omit, and what to test.  I will be posting a revised syllabus to this blog within the next two weeks.  Note that I reserve the right to add more to this post (either directly or via comment) as things come to mind.


An Old Paper on Disaster Preparedness by a William L. McGill Other Than Myself

Saturday, November 29th, 2008

In January 1957, a man by the name William L. McGill authored an article entitled “How a State Prepares for Disaster” that appeared in the Annals of the American Academy of Political and Social Science, Vol. 309, pp. 89-97 (permalink).  According to the footnote on the first page of this article, Mr. McGill was the Texas State Coordinator of Defense and Disaster Relief and past President of the National Association of State and Territorial Civil Defense Directors.  The abstract of this paper is as follows:

The State of Texas leads the other states of the nation in the number of major disasters: it is first in tornadoes and devastating floods and second in hurricanes.  This article describes how Texas, under its Civil Protection Act of 1951, without setting up an independent state agency, has gone about mobilizing and utilizing the resources of the state in time of major disaster.  The “Texas Plan” is discussed in detail and attention paid in particular to its cost and financing, the planning of disaster relief, preparedness, and training.

So how did Texas prepare for disaster from naturally occurring events, accidents, or enemy action?  By a combination of warning, agility, cooperative alliances (horizontally and vertically, mitigation through cooperation), and lots and lots of education and training.  In my view, this is a well-rounded risk management strategy.  Most interestingly, Mr. McGill emphasizes the importance of self-reliance during a disaster as it is “a basic tenet of our system of government that all people should help themselves to the fullest possible extent” (p. 91).  Well said!  When people can’t help themselves, then neighbors, towns, districts, the State, and only when resources run out, the Federal government will step in to lend a hand.

I can’t say why I am particularly interested in this paper.  Is it because it is relevant to my work?  Perhaps.  Is it because the author and I share the same name?  More likely.  The real answer is “yes” to both questions.  Here are some other links to materials associated with Mr. (or rather, the Honorable) William L. McGill:

  • Opinion S-135 dated 15 Jul 1954 by Texas Attorney General John Ben Shepperd Re: Authority of the State Disaster Officials to Spray Private Residences in the Rio Grande Flood Area
  • A little bit of Texas state history describing William L. McGill’s role as Texas’ first state coordinator of defense and disaster relief, a position he held for 8 years.  In this role, Mr. McGill reported directly to the governor on matters pertaining to civil protection (inspired by the Cold War, no doubt).
  • A story about how Mr. McGill was relieved of his duties in Texas to support the WWII war effort

Some Good Security Risk Analysis Examples and Case Studies

Friday, November 28th, 2008

In the course of my searching for good examples for use in my SRA 311 (Risk Management: Assessment and Mitigation) course, I came across the following examples and resources that proved helpful:

  • Security and Loss Prevention: An Introduction, 5th Edition (by Philip Purpura, 2007, ISBN: 978-0123725257):  This book, while not my favorite textbook in the world, is one of the few books on security that actually has exercise problems (case problems) at the end of each of its nineteen chapters.
  • Practical Risk Analysis: An Approach Through Case Histories (by David Hertz and Howard Thomas, 1984, ISBN: 978-0471101444): Chapter 7 of this book had an excellent case study focused on how an underwriter performed a first-order risk assessment of a company’s computer information systems.  This case study provided a springboard for talking about risk attitudes, the role of insurance, ruin, and so on.  Unfortunately, this book is very out of print, so you will have to order it from a used bookseller to read the case study I am talking about (and all others in the book).
  • Risk Management for Security Professionals (by Carl Roper, 1999, ISBN: 978-0750671132): Appendix A of this book offers a near complete security risk analysis exercise through a series of five vignettes (asset ID, threat analysis, vulnerability assessment, risk assessment, and benefit-cost analysis).  But be warned - this case study takes a long time for students to complete, and should be something that extends throughout an entire semester (not a week like I did - yikes!).  The book itself is ok, but like most other security risk management books, it lacks end of chapter exercises.  But at least the case study is good.

Now keep in mind that I sifted through twenty or more books over the course of four hours one very late Monday evening/Tuesday morning on risk analysis, security management, and so on, looking for good examples and case studies to use in my SRA 311 class.  The above three resources are all that I found in this time.  This is not to say I didn’t miss anything - I am sure there are a number of in-chapter worked-out exercises that I could adapt to meet the needs of my class.  But I did do what I thought was a pretty good job looking through these books.  I will spend some time over Christmas break looking through these items again.

Meanwhile, if you are a reader that does security risk analysis, please feel free to suggest sources of problems, exercises, and case studies.  For one, I plan to mine Certified Information Systems Security Professional (CISSP), Certified Protection Professional (CPP), Physical Security Professional (PSP), and Society of Actuaries Exam P exam reference materials for questions.  One goal I have for my class is to ensure that successful students will be able to correctly answer all risk-relevant questions on the CISSP, CPP, PSP, and SOA Exam P exams, or at least be able to take their newly acquired intuition to reason toward the correct answer.


An Anatomy of Risk by William D. Rowe (Quickie Book Review)

Thursday, November 27th, 2008

A few weeks ago I came across an excellent book from 1977 entitled An Anatomy of Risk by William Rowe, Sr. (ISBN: 0471019941).  This book provides a thorough technical summary of the state of the art in risk analysis through the mid-1970s.  This includes some of the ground breaking work on risk perception, risk assessment for nuclear power, risk communication, etc.  I believe that this book is one of the first authoritative texts on quantitative risk analysis ever published.  However, since the book was written at a time when risk analysis was a relatively new academic discipline, it was not intended for undergraduate audiences looking to learn the basics of risk.  For me, I intend to use this text as my gateway to the classic research works on risk analysis.

An Anatomy of Risk was previously reviewed by a number of scholars as cited below.  Note that in most cases you must have a subscription to view the actual review.  I also noted the tone of the review on a five-tier scale (SCATHING, UNFAVORABLE, NEUTRAL, FAVORABLE, PRAISING).

  • A PRAISING review by P. K. M’Pherson in Cybernetics and Systems, Vol. 8, Nos. 3 & 4, pp. 352-354 (1977) (permalink)
  • A FAVORABLE review by L. E. Hill in Technology and Culture, Vol. 19, No. 4, pp. 788-790 (1978) (permalink)
  • A PRAISING review by A. R. Unwin in The Journal of the Operational Research Society, Vol. 29, No. 8, pp. 825-826 (1978) (permalink)
  • A FAVORABLE review in ACM SIGSIM Simulation Digest, Vol. 10, No. 4, p. 70 (1979) (permalink)
  • A SCATHING review by R. G. Easterling in Technometrics, Vol. 22, No. 2, pp. 278-279 (1980) (permalink)
  • A FAVORABLE review by M. L. Randolph in Ecology, Vol. 62, No. 4, pp. 1133-1134 (1981) (permalink)

On balance, I would say that the overall take on Dr. Rowe’s book was FAVORABLE++.  I personally recommend that all emerging risk researchers add this title to their Christmas book wish list.

An Anatomy of Risk is no longer available NEW, and can only be purchased used via a used book outlet such as Alibris.com (see here).


Some Alternative Definitions for Resilience

Monday, November 17th, 2008

Siambabala Bernard Manyena’s 2006 paper entitled “The Concept of Resilience Revisited” (Disasters, Vol. 30, No. 4, pp. 433-450, doi:10.1111/j.0361-3666.2006.00331.x) provided a nice summary of alternative definitions for the word “resilience” gleaned from a variety of academic publications (copied below; see original paper for citations).  The number of definitions is smaller than that for the word vulnerability as talked about in my previous post.

  • Wildavsky (1991) Resilience is the capacity to cope with unanticipated dangers after they have become manifest, learning to bounce back.
  • Holling et al., (1995) It is the buffer capacity or the ability of a system to absorb perturbation, or the magnitude of disturbance that can be absorbed before a system changes its structure by changing the variables.
  • Horne and Orr (1998) Resilience is a fundamental quality of individuals, groups and organisations, and systems as a whole to respond productively to significant change that disrupts the expected pattern of events without engaging in an extended period of regressive behaviour.
  • Mallak (1998) Resilience is the ability of an individual or organisation to expeditiously design and implement positive adaptive behaviours matched to the immediate situation, while enduring minimal stress.
  • Miletti (1999) Local resiliency with regard to disasters means that a locale is able to withstand an extreme natural event without suffering devastating losses, damage, diminished productivity, or quality of life without a large amount of assistance from outside the community.
  • Comfort (1999) The capacity to adapt existing resources and skills to new systems and operating conditions.
  • Paton, Smith and Violanti (2000) Resilience describes an active process of self-righting, learned resourcefulness and growth—the ability to function psychologically at a level far greater than expected given the individual’s capabilities and previous experiences.
  • Kendra and Wachtendorf (2003) The ability to respond to singular or unique events.
  • Cardona (2003) The capacity of the damaged ecosystem or community to absorb negative impacts and recover from these.
  • Pelling (2003) The ability of an actor to cope with or adapt to hazard stress.
  • Resilience Alliance (2005) Ecosystem resilience is the capacity of an ecosystem to tolerate disturbance without collapsing into a qualitatively different state that is controlled by a different set of processes. A resilient ecosystem can withstand shocks and rebuild itself when necessary. Resilience in social systems has the added capacity of humans to anticipate and plan for the future.
  • UNISDR (2005) The capacity of a system, community or society potentially exposed to hazards to adapt, by resisting or changing in order to reach and maintain an acceptable level of functioning and structure. This is determined by the degree to which the social system is capable of organising itself to increase this capacity for learning from past disasters for better future protection and to improve risk reduction measures.

Street Calculus

Tuesday, November 4th, 2008

A 2004 paper by Paul Slovic et al. entitled “Risk As Analysis and Risk As Feelings: Some Thoughts about Affect, Reason, Risk and Rationality” published in the journal Risk Analysis, Vol. 24, No. 2, pp. 311-322 (DOI: 10.1111/j.0272-4332.2004.00433.x) reprinted an excellent Doonesbury strip (by Garry Trudeau) from 1994 entitled “Street Calculus”:

I am not the type (like many other professors and office professionals) to print out comic strips and tack them to my door, leaving them in full view for my visitors to read for years on end as they slowly fade and deteriorate.  But I am the type to post such strips to my blog as it highlights what could very well be going on inside people’s heads as they size up different risk situations.

Basically, this comic shows two individuals each using their own mental model for sizing up the risks associated with a completely unknown person passing him or her by in the street.  Each mental model identifies a set of cues that enable the individual to associate the current circumstances with those patterns derived from past experience.  Based on how each individual sizes up the situation, in this case with respect to “risk factors” and “mitigation factors” separately, the individual then runs a mental simulation of a variety of perceived plausible futures to assign a score to RF and MF, where an MF greater than RF means the risk is acceptable.  (Note that pattern recognition and mental simulation are the two sources of power described by Gary Klein’s book of the same name.)  Perhaps in reality, though, each individual unconsciously sizes up the situation in a holistic manner, where the resulting level of fear or comfort (consider these two factors opposite feelings along a single continuum) determines perceived acceptability of proceeding along the planned travel path (vice making a course correction to mitigate perceived risk).

Do people actually entertain such checklists in their mind?  I suppose that the speed at which the situation depicted in the comic is unfolding insists that the bearers of risk leverage simple heuristics (again, derived from experience) to make their decision.  I highly doubt that the situation permitted enough time for them to be systematic in their analysis; rather, Gerd Gigerenzer’s fast and frugal heuristics concept applies.  That is not to say that such heuristics are bad, only that using them produces less transparent decisions that may be prone to the influence of harmful biases or misperceptions.

The topic of risk acceptance will be a large part of the next SRA 311 lecture scheduled for Thursday, 6 Nov 2008.  I think I will flash this comic as part of the discussion.


Choose Your Own Analytic Adventure

Tuesday, November 4th, 2008

Everyone says that structured analytic techniques are good things to have as part of a “Thinker’s Toolkit.”  In the security risk analysis degree program at Penn State, several of my colleagues and I make every attempt to instruct our students in the proper application and added value of structured analytic techniques to enhance one’s ability to think clearly, carefully and rigorously through complex problems.  Unfortunately, our situations suffer from a significant setback - most of our students lack “real world” experience doing analysis for problems in the security and intelligence communities (or perhaps doing any real analysis at all for any community).  Accordingly, we often find ourselves searching for carefully constructed case studies that provide the right balance of realism and accessibility to students who may not have sufficient domain knowledge to speak credibly on any particular issue.  We desire case studies that contain enough information to allow students to define the problem, articulate alternative hypotheses, leverage evidence to establish probability distributions over a set of future alternatives and degrees of confidence in analytic judgments, do source analysis, and so on.

To date we have come across several case studies used in the intelligence community, such as those developed by Professor Francis Hughes at the National Defense Intelligence College and several of the cases authored by Thomas Shreeve as part of the Intelligence Community Case Method Program.  And fortunately for us, these case studies have proven to be moderately successful when used as part of our classes.  However, we are still in search of more case studies that walk students through a problem, asking them to apply different structured analytic techniques to enable them to draw defensible inferences from data, make judgments of risk and choose from among alternative strategies for mitigating risk, explore how different ways of communicating analytic results might influence the decision maker, and so on.  And of course, we are also interested in case studies that have a variety of alternative endings, mainly to highlight that the results of the analysis and the way it’s communicated do have an effect on the outcomes of a situation as well as setting the stage for later analysis.

In my pursuit of fun books to read to my kids before bedtime, I recently came across the Choose Your Own Adventure series of books that many of us enjoyed during our more youthful years.  I tried to recall my experiences reading these books, such as navigating through all the alternative storylines one can follow based on the choices made during the book (one CYOA fan actually took the time to develop a map of The Mystery of Chimney Rock by Edward Packard; I must admit that I was tempted to do the same).  Then a thought hit me - would it be possible to develop a CYOA book that resembled a storyline that one might encounter in a professional security or intelligence position?  In addition to providing a compelling story, such a book would, of course, provide greater depth to a problem, provide evidence, and try to be as real as possible so that readers can draw on external resources to aid them in their analysis.  Now here is the kicker - each analysis or decision node would insist that the reader apply a specific structured analytic technique to arrive at the best possible answer or decision.  Once the answer is chosen, the story will then continue.  Some decision nodes would be critical to preserving national security, whereas some others might be less so or even irrelevant to the outcome.  When used as part of a course, the analyst would then prepare written reports along the way outlining the steps they took to arrive at a judgment or decision.

As an attempt to appeal to those individuals having read and enjoyed CYOA books in the past, I decided to label this idea as “Choose Your Own Analytic Adventure” or CYOAA.  See the prototype cover I prepared for the first such book in the series shown above.  I imagine that the analytic training community could create an entire series of such analytic books spanning all aspects of interest, to include terrorism, resource allocation, HUMINT targeting and collection, counter-deception, counter-proliferation, risk analysis, post-blast investigation, cyber security, communicating to decision makers, etc.  What we would need to do this are good writers, good ideas, good researchers, and of course, good artists capable of drawing pretty maps, figures, and sketches (and perhaps permission from the CYOA people to model our books after their likeness).  Just imagine it - we could hand these books out as part of class, and not only would they provide a basis for practicing analysis, but they would also make for a good addition to one’s professional library.  And if they are truly written well, then perhaps they might also make for good recreational reading.


Two Good Blogs on Security (Plus an Author Recommendation)

Monday, November 3rd, 2008

Recently, I came across two very good blogs that touch on areas of security risk analysis that overlap with my current interests.  They are as follows:

  • BlogInfoSec.com: An Information Security Magazine in Blog Format.  This blog is authored by a team of nearly a dozen seasoned information security professionals.  A recent series of posts I found particularly interesting were authored by Jeff Lowder (Director of Information Security and Risk Management at Disney Interactive Media Group, a branch of The Walt Disney Company) that centered on the Qualitative vs. Quantitative Risk Analysis debate (see Part I and Part II; Part III is forthcoming).  In fact, in part I of this three part series, Mr. Lowder offered a fourth question to the risk analysis triplet: how much uncertainty is present in the analysis? (basically, a question centered on what level of confidence should be afforded by a decision maker to the analysis, data and methodology considered).
  • Schneier on Security.  This blog provides a medium for Bruce Schneier (a.k.a. the “rock star” of security) to post his thoughts on security issues, link to articles he has authored and interviews he participated in, and to advertise his collection of best-selling security books.  This guy has a lot of interesting things to say - in fact, after reading some of his posts, I felt personally inspired to purchase the complete set of all his books (I will share my thoughts on these books after I get through with them).

On the topic of recommendations, I highly recommend the pair of books written by Kevin Mitnick and coauthor William Simon.  These books are The Art of Deception: Controlling the Human Element of Security (ISBN: 0471237124) and The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers (ISBN: 0764569597).  The first book is all about the role of social engineering in breaking into security systems, and the latter is an anthology of stories that collectively describe how and why hackers hack.  Both of these books are excellent, and I highly recommend them for any student of security risk analysis.  In fact, I plan to introduce The Art of Intrusion to my SRA 311 class tomorrow, and reserve The Art of Deception as required reading for my planned special topics c