Decision Maker


Threat Assessment, Vulnerability Assessment and Risk Analysis

Wednesday, March 4th, 2009

I just received a lead on a neat tutorial on risk concepts for personal surveillance protection from my friend at Mercyhurst College, Kris Wheaton.  Check it out at this link.  I also posted this and what follows as a discussion topic on the SARMA group on LinkedIn.

Notice the manner in which this tutorial defines the term “threat” – a threat is defined as the undesired consequence of an attacker’s actions, not the nature of the actions themselves.  Accordingly, risk is then the probability of the threat, which is consistent with accepted practice.  Moreover, labeling an outcome a threat implicitly assigns a “value” to the outcome, which in this simple case is simply described as “undesirable.”  But isn’t that the nature of security – to lessen the probability of undesirable events, or in this case, threats?

Now this is different from the DHS definition of threat, which puts it as the intent and capability of an attacker.  DHS defines threat as the cause; the document linked to above defines it as the consequence, all causes considered.  Which do you prefer?

But of course, one can argue that intentions and capabilities when directed against a valued asset may result in undesired outcomes.  So, does it really matter?  That is, if bomb attack = damage, isn’t it equivalent to call both “damage” and “bomb attack” threats?  Well, perhaps not if one seeks to define the term risk in terms of threat.  In general, risk is defined as a probability distribution on outcomes with associated values.  If we equate threat to cause, then threat is just one aspect of the problem.  If we equate threat to undesired outcome, then risk is the probability of threat.  So which should we use?

To answer this, I appeal to you.  What does a threat assessment product typically answer?  The ones I participated in sought to define the spectrum of harms (undesired events) of interest to the decision maker, and from these harms back out those potential causes of harm within my problem set.  For a terrorist threat assessment considering the nuclear power industry, my threat assessment would identify what can go wrong and how it can happen.  No valuation is attached to either outcome (what can go wrong) or cause, either in terms of probability or severity.  That is, a threat assessment is purely descriptive.

From this, threat is both – cause and outcome – minus the valuation.  I define the pairing of cause and outcome as a “scenario,” and if that scenario is undesirable either in cause or outcome, then it is a threat.

Vulnerability assessment, too, is descriptive in my mind.  A vulnerability assessment seeks to identify the weaknesses that enable different causes to result in different undesired outcomes.  Thus, a threat assessment provides a frame with which to do vulnerability assessment.  However, vulnerability assessment also provides insights to help identify previously unknown undesired outcomes and causes.  I would argue that neither precedes the other, but both should happen concurrently.  But of course you got to start somewhere… which would you start with?

Now where does risk analysis fit in?  In my view, risk analysis synthesizes the knowledge generated from the threat assessment and vulnerability assessment efforts to prioritize concerns for decision maker attention and provide guidance on what to do about them (i.e., actionable risk analysis).  In so doing, risk analysis:

  • Attempts to describe the likeliness of cause from our knowledge of adversary capabilities and historical record (among other things)
  • Attempts to describe the likeliness of outcome given cause from our knowledge of system weaknesses, and
  • Attempts to place value on the outcome beyond just undesirable or not undesirable.

Note how I use the word “describe” and not “quantify.”  I did this deliberately – quantification is useful for structuring thought, but perhaps not so much as providing a basis for decision making (particularly in security settings).
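The synthesis described above, as an added example that is not part of the original post: each scenario pairs a cause with an outcome, and the probability of an undesired outcome “all causes considered” is built up from the cause-level terms.  The scenario names, probabilities, severity weights and the assumption that causes act independently are all constructed for illustration, in the spirit of using numbers to structure thought.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    cause: str                    # threat in the cause sense (intent and capability)
    outcome: str                  # threat in the outcome sense (undesired consequence)
    p_cause: float                # likeliness of the cause over the period considered
    p_outcome_given_cause: float  # likeliness of the outcome given the cause
    value: float                  # severity weight placed on the outcome

    def __post_init__(self):
        for p in (self.p_cause, self.p_outcome_given_cause):
            if not 0.0 <= p <= 1.0:
                raise ValueError(f"probability out of range: {p}")

    @property
    def p_scenario(self) -> float:
        """Probability that this cause occurs and produces this outcome."""
        return self.p_cause * self.p_outcome_given_cause


def outcome_probability(scenarios, outcome):
    """Probability of the outcome, all causes considered.

    Assumption: causes are independent, so the outcome is avoided only
    if every scenario leading to it fails to materialize.
    """
    p_never = 1.0
    for s in scenarios:
        if s.outcome == outcome:
            p_never *= 1.0 - s.p_scenario
    return 1.0 - p_never


def risk_profile(scenarios):
    """Map each outcome to (probability, value): a distribution on valued outcomes.

    Assumption: every scenario sharing an outcome carries the same value.
    """
    return {s.outcome: (outcome_probability(scenarios, s.outcome), s.value)
            for s in scenarios}


def prioritize(scenarios):
    """Rank cause/outcome pairs for decision maker attention, highest first."""
    return sorted(scenarios, key=lambda s: s.p_scenario * s.value, reverse=True)


# Constructed sample register; none of these numbers come from a real assessment.
SCENARIOS = [
    Scenario("bomb attack", "damage", 0.02, 0.50, 10.0),
    Scenario("insider sabotage", "damage", 0.10, 0.20, 10.0),
    Scenario("insider sabotage", "outage", 0.10, 0.50, 3.0),
]

if __name__ == "__main__":
    for outcome, (p, value) in risk_profile(SCENARIOS).items():
        print(f"{outcome:8s} probability={p:.4f} value={value}")
    for s in prioritize(SCENARIOS):
        print(f"{s.cause} -> {s.outcome}: {s.p_scenario * s.value:.3f}")
```

The cause-based view supplies the rows, the outcome-based view is the aggregate over them, and neither alone gives the ranking.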


(Vice-) Presidential Debate Risk

Sunday, September 21st, 2008

I came across an interesting article written by Associated Press Special Correspondent Walter R. Mears entitled “Hazards in a Half-Century of Presidential Debates” (Sep 20, 2008, linked through http://ap.google.com/).  Mr. Mears is a Pulitzer Prize-winning journalist (now retired) known for his coverage of presidential campaigns from 1964 through 2000 (ref in Editor’s note of this article), and is widely recognized as a leader in his field.  With 10 presidential elections under his belt, Mr. Mears has the experience necessary to make credible statements of the types of things that could occur during a presidential debate that may compromise a candidate’s support.

Before I examine this article in terms of the Eight Elements of Thought, let me define a hazard as a source of risk to a particular individual or group of individuals.  In the context of (vice-) presidential debate risk, the customer of such an analysis is the (vice-) presidential candidate, and the outcome of concern to this decision maker is a post-debate net decrease in popular support from the electorate with respect to the support afforded to his or her rivals.  Accordingly, this article, at first glance, suggests a focus on sources of (vice-) presidential debate risk as evidenced from the collective experiences of over a half-century of debates.

The purpose of Mr. Mears’ article is to highlight the subtleties of debate performance that could influence public perception of candidate performance and appeal.  The question at issue is as follows: what factors of debate performance have the potential to negatively impact net support for a candidate (outside of literal debate responses)? A thorough reading of the article reveals the author’s point of view – the slightest gaffe in appearance and speech can lose an election.  An alternative point of view might be that such gaffes have no bearing on the eventual outcome of an election.  The author assumes that the public weighs performance very heavily and that the opposing candidates will maximally exploit any and all gaffes to the offender’s detriment (both being almost unobjectionable assumptions these days).  Taking heed of public perceptions of appropriate presidential style, current events and public sentiment, and the purpose for having debates in the first place (three concepts), the candidates are undoubtedly reviewing historical debates and their aftermath in pursuit of a debate posture that creates the appearance of being better suited for the job as (vice-) president than the opposition.  Mr. Mears cites several performance blunders as evidence of missteps affecting a candidate’s support:

  • President Ford as a “man of missteps” when he claimed that “there is no Soviet domination of Eastern Europe” (this was 1976!!!);
  • Democratic presidential candidate Michael Dukakis (1988) and his dispassionate response to a TV panelist’s question of whether he would still oppose capital punishment if his wife was raped and murdered;
  • Vice-President Al Gore’s impatience with then-Republican candidate George W. Bush’s debate responses (2000);
  • and ironically President George W. Bush’s impatience with then Democratic candidate John Kerry (2004).

While not all of these incidents (as well as others cited and not cited) guaranteed a loss, Mr. Mears does insist that in the event of a debate gaffe (whether subtle or blatantly obvious), one can infer (or rather expect) that the opposition, or perhaps the public via the media, will respond unfavorably to such gaffes.  If this negative response is sustained and perhaps reinforced by either related or irrelevant factoids and sound bites, then popular support could continue to decline unless compensated by equally “damaging” attacks or some strategy to nullify or counteract the response (e.g., witty retort, refocus on what really matters, etc.).  The implications of this article are quite clear – if you are going to debate in an election, be prepared to speak clearly and accurately, minimize off-handed comments, and act presidential lest you find yourself wasting precious post-debate time in damage-control mode.  But if the author is mistaken in his view, then the gullible candidate might find themselves spending too much time on appearance instead of developing strong positions on issues that matter.

So what are the risk factors to pay attention to?  While the following is by no means a complete list of all that could go wrong (i.e., bad decisions and misbehavior) for a candidate, the candidate should pay special attention to:

  • Looking clean and sharp;
  • Appearing dignified, respectful, patient, and in good spirits;
  • Offering a clear and concise, accurate, precise, relevant, significant, and logical answer to the question at hand that displays adequate breadth and depth of understanding and is fair to alternative points of view;
  • Minimizing extemporaneousness; and
  • Not making any off-handed comments save for a strategic witty quip or two in response to an unnecessary off-handed comment made by his or her opponent.

I am *very* eager to see how the candidates (both presidential and vice presidential) will perform.  And I really hope this time around (unlike in 2004) that candidate responses for a particular question remain focused on the question asked (and not to return to a question already asked or one that is outside the scope of the debate).  While I acknowledge that each candidate can use the time however which way they want to, nothing is more frustrating than hearing a response focused on domestic policy issues when the question asked about US policy overseas.

You know, I think the candidates should consult Elder and Paul’s online critical thinking tool for a review of the intellectual standards prior to the debates…  these standards come in handy in all matters where sound reasoning is paramount.

And just for reference (since it is very difficult to find this information out via a simple web search), the schedule for the 2008 presidential and vice-presidential debates is as follows:

  • Friday, 09/26/08 (9:00PM EST): First Presidential Debate, University of Mississippi, moderated by Jim Lehrer.  Topic: foreign policy and national security.
  • Thursday, 10/02/08 (9:00PM EST): Vice-Presidential Debate, Washington University in St. Louis, moderated by Gwen Ifill.  Topic: everything.
  • Tuesday, 10/07/08 (9:00PM EST): Second Presidential Debate, Belmont University, moderated by Tom Brokaw.  Topic: town hall-style (everything on the table).
  • Wednesday, 10/15/08 (9:00PM EST): Third Presidential Debate, Hofstra University, moderated by Bob Schieffer.  Topic: domestic policy.

As has been the case since 1988, the Commission on Presidential Debates is the sponsor for these major debates.  All debates should be televised by the major broadcast networks (ABC, NBC, CBS, …) but my personal preference is to watch the debates on CSPAN.org as viewers are privileged to pre-debate dialog between the moderator and audience, the random activities of the stage crew, and post-debate spin-doctor commentary.


Words Thou Shall Be Careful to Use in Risk (and Analytic) Communication

Tuesday, June 3rd, 2008

To follow up on my previous post regarding the work of Peter Sandman, I can’t help but advertise his short, yet important article entitled “Risk Words You Can’t Use” published in the August 2005 issue of The Synergist.  While this article is a quick read, I will distill it down further and caveat some with my personal experience:

  • Conservative: To risk people, conservative means an overestimate of risk.  To laypeople, a “conservative” estimate is a low estimate.  So whereas a risk person would use conservative to overstate the risk, a layperson (or perhaps decision maker) may interpret the message to be an understatement of risk, and thereby think that the risk could be much worse.  Now, engineers and scientists understand what is meant by the word “conservative,” as in “my conservative analysis still shows the structure will not fail.”  And fortunately for me, when I described my idea of conservative discounting of expert opinions (to be explained in a later post that I will link to when it is available) I was speaking to an audience of security engineers.  I will keep Sandman’s advice to not use the word conservative when speaking to non-technical audiences, and instead opt for the word “overestimate.”
  • Significant/Insignificant: To risk people and statisticians, a significant finding is one that is non-random.  To laypeople, whether an issue is significant depends on their emotions and value structure.  So, to tell people that the terrorism risk is insignificant might not communicate well.  It is true (right now based on our current understanding and situation) that a person’s individual risk to terrorism is very, VERY low, but the outrage is high, and thus the public’s emotional response might label terrorism as a significant threat.
  • Positive/Negative: To risk people, a positive relationship means that when one variable goes up, so does the other.  To laypeople, a “positive” relationship is favorable from the point of view of risk.  The same can be said of negative relationships.
  • Bias: Bias to a risk person means non-random.  Bias to a layperson spells deceit.
  • Anecdotal: Anecdotal evidence to a risk person means the evidence is just one sample from a much larger sample space.  Anecdotal to a layperson suggests the evidence is an amusing story.  This word might not bode well when talking about anecdotal evidence on poor public response following a catastrophic event.
  • Risk [my personal favorite]: To risk people, the risk associated with a situation describes its probability and the corresponding consequences.  To laypeople, risk usually refers only to the probability component.  In fact, when lecturing on the use of “uncertainty phrases,” I often emphasize that the word “likely” is not an adverb tied to any particular notion, but one that can be used to qualify likeliness, confidence, and risk.  Of course, people probably consider how they feel about a hazard when judging whether the probability, or rather risk to them, is acceptable.  Others, particularly when speaking about finances, use risk to describe uncertainty – the higher the risk, the more uncertain the outcome.  The philosopher Frank Knight sides with these interpretations in his description of “risk proper,” or measurable uncertainty, described in Risk, Uncertainty, and Profit. Most people argue that the only measure of uncertainty, at least when it comes to gambling situations, is probability, so what Knight is suggesting is that assessing “risk proper” is equivalent to a probability assessment.  But Peter Sandman suggests that what people really mean by risk is how outraged they feel about the situation.
  • Safe: To risk people, safety is the judgment of risk tolerance.  If we are safe, then the risk does not exceed some threshold value (whether implicit or explicit).  To laypeople, “safe” = “no risk,” that is they treat it as a binary concept – you are either safe or you are not.  Or rather, there is risk or there is not.  I suppose the same reasoning can be extended to the word secure: to risk people, if we are secure, then the residual adversary risk is low enough for us to accept; to laypeople, “secure” = “no harm will come to them” in the event of an attempt.  Relative statements about safety and security are unambiguous though – to say something is more or less safe or secure than another thing is perfectly acceptable.
  • Prepared: To be prepared means that we possess the capabilities and vigilance necessary to deal with a hazardous situation when it arises.  To risk people, preparedness is tied to risk acceptability – if we are prepared, then we have the capabilities needed to keep risk overall at an acceptable level.  To laypeople, prepared, like safe and secure, is taken to mean no (or perhaps minimal) harm will come to them.
  • Confident: To say to someone else that you are confident when you are merely hopeful is not okay.  In the eyes of laypeople, confident = surety, though perhaps not so much anymore if the word has lost its meaning in the eyes of risk communication consumers.

From my experience, I have five types of phrases to add:

  • [Low/Moderate/High] Confidence: Philosophically speaking, to the analyst, anything said with a non-zero degree of confidence implies some degree greater than even odds of being correct.  This means that both “low confidence” and “high confidence” judgments are believed to be the right answer vice any alternative, but “low confidence” statements are afforded less commitment and as such are pegged to a representative probability value closer to 0.5 than a “high confidence” judgment.  To the decision maker, however, the scale may be expanded from a half probability scale to a full probability scale, where the words “low,” “moderate,” and “high” span the entire range.  So when the analyst says something with “moderate” confidence to indicate, say, a 75% chance of being correct, the decision maker might see it as a 50/50 judgment.  I would love to experiment with this to see whether or not what I just described is true.
  • “In General”: When mathematicians use the phrase “in general,” they mean what they say applies to all cases.  When laypeople use the phrase “in general,” they mean that what they say is believed to apply to a simple majority of cases.
  • Likely, Probable [and other uncertainty phrases]:  To risk people, the word likely conveys some degree of likeliness that exceeds 50%.  To laypeople, likely may communicate likeliness or risk.  In the latter, one might find that something deemed “likely” to a layperson may have an objectively low probability of happening, yet a high enough impact if it does to warrant use of the term in their non-probabilistic minds.  But whoever said words like “likely” and “probable” can only be used in the context of probability theory?  After all, what came first – the word “probable” or the “theory of probability?”
  • Likelihood versus Likeliness: To mathematicians, “likelihood” means something very specific.  The likelihood of something in the context of Bayes theorem is the functional expression Pr(B|A) (read as “the probability of B given A”) whose input argument is “A.”  That is, the “likelihood” is the hypothetical probability distribution constructed over a space of events conditioned on the occurrence of “A.”  The “likelihood function” or simply “likelihood” L(A|B) is proportional to Pr(B|A).  To non-mathematicians, including most (if not all) dictionaries, “likelihood” describes the notion of chance, where probability is one such measure of likelihood for an event.  According to WordReference.com, the word “likeliness” is an equivalent word for “likelihood,” but doesn’t carry with it all the mathematical baggage that might confuse a mathematician.  This is why I always use the word “likeliness” to characterize the notion of chance instead of “likelihood.”
  • Possible: To mathematicians and risk people, a “possible” event is one that carries with it a non-zero probability.  More specifically, a possible event is one that is admitted into the set of alternatives (sample space) for a given question.  To non-mathematicians and laypeople, the word “possible” may be used to describe degree of chance or even risk.  How often have you heard people use possible to convey the likeliness of an event?  I read a study published by Sarah Lichtenstein and J. Robert Newman in 1967 (Psychonomic Science, Vol. 9, No. 10, pp. 563-564) which showed that a group of 177 people, when individually asked to place numbers on words that convey uncertainty, could not agree on a probability value for the word “possible.”  The results showed a range of responses spanning probabilities of 0.01 to 0.99, with a median at 0.49.  What does this say?  To me this study makes my point – possible means that the probability is greater than 0, but we don’t know where.  But it also says that, at a micro level, people might actually assign a value to “possible.”  Fortunately, the word “impossible” does not suffer the same ambiguity.
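The scale mismatch described under “[Low/Moderate/High] Confidence,” worked through as an added example that is not part of the original post.  It assumes each word covers an equal-width band and is represented by the band’s midpoint, on 0.5 to 1.0 for the analyst and on 0 to 1 for the decision maker; the band layout is an assumption, not measured data.

```python
from fractions import Fraction

# Ordered confidence words, weakest first.
LABELS = ["low", "moderate", "high"]

# Assumed scales: the analyst only speaks when above even odds (half scale),
# while the decision maker spreads the same words over the full range.
ANALYST_SCALE = (Fraction(1, 2), Fraction(1))
DECISION_MAKER_SCALE = (Fraction(0), Fraction(1))


def band(label, scale, labels=LABELS):
    """Return the (low, high) probability band a word covers on a scale."""
    if label not in labels:
        raise ValueError(f"unknown confidence word: {label!r}")
    lo, hi = scale
    width = (hi - lo) / len(labels)
    i = labels.index(label)
    return lo + i * width, lo + (i + 1) * width


def representative(label, scale, labels=LABELS):
    """Midpoint of the word's band, used as its representative probability."""
    lo, hi = band(label, scale, labels)
    return (lo + hi) / 2


def misreadings(labels=LABELS, sender=ANALYST_SCALE,
                receiver=DECISION_MAKER_SCALE):
    """For each word, compare what the sender means with what the receiver hears."""
    even_odds = Fraction(1, 2)
    rows = []
    for label in labels:
        intended = representative(label, sender, labels)
        perceived = representative(label, receiver, labels)
        rows.append({
            "label": label,
            "intended": intended,
            "perceived": perceived,
            "gap": intended - perceived,
            # True when a judgment meant as "more likely right than wrong"
            # is heard as "more likely wrong than right".
            "reversed": intended > even_odds > perceived,
        })
    return rows


if __name__ == "__main__":
    for row in misreadings():
        print(f'{row["label"]:9s} intended={float(row["intended"]):.3f} '
              f'perceived={float(row["perceived"]):.3f} '
              f'reversed={row["reversed"]}')
```

Under these assumptions “moderate” reproduces the 75% versus 50/50 reading from the text, and “low” is the word whose direction flips for the receiver.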

I am curious to hear your thoughts on these and other words that we should be careful about using in the context of risk communication, or “analytic communication” for that matter.


Risk Communication and Risk Perception: Risk as Hazard + Outrage (a la Peter Sandman)

Tuesday, June 3rd, 2008

For those unfamiliar with this description of risk, check out the website maintained by Peter Sandman.  Dr. Sandman is a scholar on risk communication and risk perception, and has made a name for himself via the concept “Risk = Hazard + Outrage.”  He has published some very interesting things, one of which can be found on my list of 100 books to review.  A selection of his works is available electronically on his curriculum vitae.

Back to the formula “Risk = Hazard + Outrage”…  This is not a mathematical formula in any strict sense of the word.  Rather it is conceptual in nature, where the “risk” is defined by the objective nature of the “hazard” and augmented by the “outrage” felt by the individuals exposed to it.  Through his many inquiries into how people perceive risk, Dr. Sandman put forward what I will call “Sandman’s First Law of Risk Communication” (though he states it may be the only law): Outrage, not hazard, drives reputation (I might prefer to replace the word “reputation” with “acceptability”).  Basically, regardless of whether the hazard is objectively high or low, the outrage felt by the public or decision maker is what drives the degree of risk attached to a hazardous phenomenon.  People tolerate objectively high hazards (e.g., driving) if the outrage is low, whereas people do not accept objectively low hazards (e.g., terrorism) if the outrage is high.  The reputation of a risk manager or decision maker charged with making decisions that affect risk is driven more by how well they manage outrage than how they manage hazard.  Based on this view, Dr. Sandman suggests ways for managing outrage.

Much of Dr. Sandman’s work emphasizes the point that the Society for Risk Analysis makes in their stated definition of risk:

Risk analysis is broadly defined to include risk assessment, risk characterization, risk communication, risk management, and policy relating to risk. Our interests include risks to human health and the environment, both built and natural. We consider threats from physical, chemical, and biological agents and from a variety of human activities as well as natural events. We analyze risks of concern to individuals, to public and private sector organizations, and to society at various geographic scales. Our membership is multidisciplinary and international.

That is, risk analysis includes risk assessment, risk management AND risk communication (among other topics).  Based on Sandman’s work, it seems that though a high risk hazard can be managed so as to bring the risk down to a level acceptable to the risk manager, the strategies used to mitigate risk may be inadequate or insufficient unless accompanied by strategies to manage the outrage felt by those affected by the hazard.  Sound risk policy must effectively manage risks assessed to be high, and must also manage the outrage felt by the targets of risk.  For a risk analysis to be complete, it must look at an issue from all angles.

Now I leave it to you (and myself) to check out the rest of Dr. Sandman’s work to better understand his philosophy on risk communication and risk perception.  This is interesting stuff, but keep in mind there is a lot more to read on this issue of risk communication and risk perception, in particular the following:
