Department Of Homeland


Rasmussen on QRA for Safeguards Analysis

Sunday, July 5th, 2009

Since the events of 9/11, particularly following the creation of the Department of Homeland Security, much attention has been paid to the use of probabilistic or quantitative risk analysis methods for the purposes of informing security investment decisions.  The debate on the appropriateness of these techniques was quite intense for a while (say 2003-2006), and to some extent I think there was no clear winner (though I think we are finally coming to grips with what “risk-informed decisions” really means, which in a sense weakens the need for this debate).  Among the fighting and debating, I often found myself wondering what the late Prof. Norm Rasmussen would say about the value of QRA for security.  Now, a number of well-respected scholars have spent quite a deal of time and effort writing on the issue (e.g., Apostolakis, Cox, Bier, Ayyub, Haimes, Kunreuther, Slovic, Pate-Cornell, Diesler, Lave, etc.).  But nowhere could I find even a comment from Rasmussen on the issue.

[NOTE: Norman C. Rasmussen was the director of the famous 1975 Reactor Safety Study, or WASH-1400.  Because of its extreme significance in those days, the report was nicknamed "The Rasmussen Report." I hope to have a copy of the WASH-1400 report posted to this site sometime really soon - oddly enough I can't find it anywhere online]

Then there was my visit to Sandia.  I was privileged to sit in on a presentation delivered by a scientist at Sandia National Labs that walked through the history of Security Risk Analysis from the Sandia perspective.  On one of the slides there was a quote about the appropriateness of QRA for security attributed to Professor Rasmussen himself!  I was truly taken aback!  I asked whether there was a citation I could use for this quote, and lo and behold there was.  Thanks to the Sandia people, I was able to obtain a copy of this paper and post it here via Scribd:

The citation information is as follows:

  • Rasmussen, N. C. (1976). “Probabilistic Risk Assessment: Its Possible Use in Safeguards Problems.” Presented at the Institute for Nuclear Materials Management meeting, Fall 1976, pp. 66-88.

Note the timing… this commentary was made just after the 1975 release of the WASH-1400 report.  My understanding was that many believed PRA/QRA could be applied to problems outside the domain of nuclear safety, perhaps to include nuclear safeguards.  Prof Rasmussen believed then that QRA methods, as outlined in WASH-1400, are NOT appropriate for quantifying safeguards risks (though he says nothing about their usefulness in empowering analysts with knowledge to better inform decision makers).

Just to quickly lay out the outline for this paper, Prof Rasmussen begins by offering an overview of all three levels of QRA then comments on the differences between security and safety problems, the most clear being that terrorists are not random and that there is some deliberate attempt to maximize consequences.  Rasmussen also points out that the only practical conservative value to assume in security is one, which given the tendency for terrorists to maximize consequences, almost always results in an unacceptable quantitative risk.  His solution – “make the unauthorized access to special nuclear material very difficult,” that is, make the probability of access so small that even if all the other probabilities are unity, the benefit of having nuclear power still outweighs the risk of malicious terrorist use of nuclear material.  Basically, this amounts to a focus on vulnerability reduction, but only those aspects of vulnerability pertaining to the unauthorized access to special nuclear material (not egress, use, response, recovery, etc. dimensions).  The paper concludes with a short question and answer exchange between Prof. Rasmussen and several audience members, some of which is quite interesting (and clearly dated before the existence of the Design Basis Threat).

In the end, I believe this talk is where the idea of “assuming probability of attack is one” came from, though I could be wrong.


Psychological Impact: Thoughts from Forever Ago

Monday, November 3rd, 2008

I recently came across a hard-copy of an email I sent to a colleague sometime back in 2004 while I was an ASME Federal Fellow to the Department of Homeland Security.  If my memory serves me correctly, I sent this email in January 2004, or about midway through my tenure in DHS’s Information Analysis and Infrastructure Protection (IAIP) directorate.  Basically, the question was not how to estimate the psychological impact associated with a terrorist attack, but rather what psychological impact means.  After all, definitions precede measurement.  As a reminder, this note was written over 4 years ago when I was less enlightened, or rather, just 6 months after leaving my job as an aerospace structural engineer focused solely on designing the structural subsystems for scientific, non-defense-related spacecraft.  Nonetheless, I felt that posting it here might inspire similar thoughts entertained by others or perhaps even prompt discussion.

A recent lecture in my Political Analysis course [PUAF 620 at the University of Maryland] inspired me to think about “psychological impact” as a form of consequences.  The lecture was on special interest groups, their causes, and the consequences of their existence.  One theory is that special interest groups are created to protect and preserve the rights of its constituency (either natural rights or rights/benefits bestowed on the group from previous legislation).  A special interest group will form (or mobilize) to protect its interests if it feels its rights are being threatened.

Based on what I learned during this lecture, I propose the following definition for psychological impact: “psychological impact is the degree to which an individual or group of individuals perceive they have been deprived of their rights.”

Let’s think about this – if several department stores scattered across the nation are targeted for a coordinated attack [a very common scenario that has provided the basis for numerous thought experiments], following an attack people will feel that their freedom to shop at department stores has been taken away from them.  Similarly, in the wake of September 11, many Americans felt deprived of their freedom to travel by air.  One can come up with a host of other examples.

It is also interesting to consider the collateral economic impacts.  Perhaps coordinated attacks on several department stores will prevent people from shopping anywhere such stores are located.  One might argue that the downstream impact of this behavior could propagate throughout the entire retail industry.  On the flip side, the inability (and unwillingness) to travel by air following 9/11 attacks did not impact the entire transportation industry.  Rather, people who would otherwise fly opted to travel by trains and automobiles.

So how does one assess psychological impact?  For any attack scenario, one must identify how a successful attack might threaten perceived rights and freedoms.  To do this, we must first understand what rights the public thinks it has.  In the two examples above, the focus was on either freedom to shop or freedom to travel.  To prioritize scenarios based on potential psychological impact, we must order all these freedoms according to their perceived importance to the affected public.  This can be done at the national, regional, state, local, sector, etc. level.  Doing so will facilitate cost-benefit tradeoffs (in the descriptive sense).  Proposed countermeasures must demonstrate a tradeoff between the freedoms such policies protect versus the rights they appear to take away.  In the case of the Patriot Act, freedom to live without terrorism is enhanced in exchange for a weakened right to privacy [was there a positive ROI here?].

It would also be interesting to explore how the economy might respond to any perceived loss of freedom.  For example, a perceived loss of freedom to shop will keep people from spending money.  [how do perceived deprivations of freedom correspond to economic impact?]

Now that I have had four years to sit on this, I still think that the proposed definition for psychological impact has merit despite the fact that it essentially equates psychology to perceptions, and does not consider such things as PTSD.  But before I or anyone else accepts this definition, more thought is needed on whether it is complete and all encompassing, whether it precisely articulates what we care about, to what degree such a measure is redundant with respect to other measures of loss (economic impact is a function of societal behaviors), and how such impact can be assessed with confidence.   Even now, 5 years after DHS opened its doors, I am sure any answer to the question of measuring psychological impact would be of interest to DHS risk analysts.

I can finally throw the hard-copy of this email out now that it is posted to my blog.  Just another step toward a purely paperless life…


The Three or Four “D”s of Security

Monday, October 6th, 2008

The authors of a book I read recently spoke of the “three D’s” of security: “denial,” “detection,” and “deterrence” (the latter being my personal favorite).  These “three Ds” brought to mind another set of “Ds” I came across while on an ASME Fellowship to the Department of Homeland Security in 2003-2004: “detect,” “delay,” “defend,” and “devalue.”  This post talks about these two different sets of security “D” words, and the extent to which one is or is not better than the other.

To begin this discussion, let’s first consider a logical expression for security vulnerability, which is usually expressed in terms of the probability of adversary success given attempt:

Pr(S) = 1 – Pr(“Detect”)·Pr(“Engage”)·Pr(“Neutralize”)

In words, this equation states that adversary non-success (defender success) requires that the defender detect, engage (which consists of delay and response) then neutralize the adversary (in sequence) – failure to do any one of these will result in adversary success (barring any random things outside the protector’s control that might thwart the adversary’s attempt).

From the point of view of the equation above, DHS is dead on and more.  The equivalence of detection is evident.  In order to engage an adversary, one must respond to the adversary prior to him executing an attack.  Delaying an adversary long enough to respond enables engagement – the longer the delay, the greater likeliness that the defenders will respond in time to do something to stop him.  Defense is essentially equivalent to neutralization in that the objective is to thwart the attacker once engaged.  So, the first three “Ds” of the DHS security quartet correspond to the three parameters of the security vulnerability equation.

But where does devalue fit in?  I must admit that I never heard anyone use the word “devalue” in the context of security prior to my days at DHS.  The focus on devalue is not on improving security, but on improving the resilience or hardness of a system to withstand an attack.  That is, a “devalued” target is one that has been modified in such a way that would result in less loss to the defender (and hence less gain to the adversary) in the event of an attack.  In this sense, devalue seeks to influence adversary target selection by making it intrinsically difficult to achieve the desired gain even when the security system fails.  For example, without doing anything to improve security, the switch to using bleach instead of chlorine in a water treatment facility in effect devalues such a target since bleach is much less harmful to humans in the event of its deliberate release.  Adversaries bent on exploiting infrastructure to harm adjacent communities might be less interested in attacking a water treatment plant that made such a shift.

Now consider the security triplet described by Fuqua and Wilson (see my recent post on their 1977 book) in light of the above equation for security vulnerability (i.e., deny, detect, deter).  Fuqua and Wilson essentially looked at the security problem from the point of view of an asset owner (e.g., the “executive”).  Again, the equivalence in the detection term is evident.  “Denial” considers the combination of both engagement and neutralization following detection (such as by a local police force), as well as simple barriers that can’t realistically be overcome (e.g., 12-foot walls followed by several layers of fences covered in razor-wire), distance or terrain with deadly animals (e.g., attack dogs, flocks of scary geese, alligators in moats), etc.  Denial, though, is more broadly focused on denying success in whichever way possible; detection need not occur for an adversary to be denied opportunity. The combination of detection measures and denial measures (including those that require detection and those that do not) covers the same elements as the equation posed at the beginning of this post, but in a slightly different way as follows:

Pr(S) = 1 – Pr(“Denial” | “Detection”)·Pr(“Detection”) – Pr(“Denial” | “No Detection”)·Pr(“No Detection”)

(the astute reader might notice that this equation above equates the event “denial” with “adversary failure,” or rather “failure to deny” is the same as “adversary success”).  Obviously, this equation is more general than the one posed initially as the defender still stands a chance at denying the adversary success through non-detection-dependent denial measures.
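As an added illustration (not part of the original post), the Python sketch below evaluates both equations on constructed probabilities, shows that the second reduces to the first when denial without detection is impossible, and compares how much a fixed improvement to each term lowers Pr(S).  The function names and all numeric values are assumptions made for the example.

```python
"""Added example: the two vulnerability equations from the post, side by side."""


def _check(*probs):
    for p in probs:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")


def pr_success_sequential(p_detect, p_engage, p_neutralize):
    """Pr(S) = 1 - Pr(Detect) * Pr(Engage) * Pr(Neutralize)."""
    _check(p_detect, p_engage, p_neutralize)
    return 1.0 - p_detect * p_engage * p_neutralize


def pr_success_denial(p_detect, p_deny_detected, p_deny_undetected):
    """Pr(S) = 1 - Pr(Denial|Detection) * Pr(Detection)
                 - Pr(Denial|No Detection) * Pr(No Detection)."""
    _check(p_detect, p_deny_detected, p_deny_undetected)
    return (1.0
            - p_deny_detected * p_detect
            - p_deny_undetected * (1.0 - p_detect))


def upgrade_effects(p_detect, p_deny_detected, p_deny_undetected, step=0.10):
    """Reduction in Pr(S) from raising each term by `step` (capped at 1)."""
    base = pr_success_denial(p_detect, p_deny_detected, p_deny_undetected)

    def bump(p):
        return min(1.0, p + step)

    return {
        "detection": base - pr_success_denial(
            bump(p_detect), p_deny_detected, p_deny_undetected),
        "denial_given_detection": base - pr_success_denial(
            p_detect, bump(p_deny_detected), p_deny_undetected),
        "denial_given_no_detection": base - pr_success_denial(
            p_detect, p_deny_detected, bump(p_deny_undetected)),
    }


# Constructed sample values for a hypothetical site; not taken from the post.
P_DETECT, P_ENGAGE, P_NEUTRALIZE = 0.8, 0.9, 0.7
P_PASSIVE = 0.3  # chance a wall or moat alone stops an undetected adversary

if __name__ == "__main__":
    first = pr_success_sequential(P_DETECT, P_ENGAGE, P_NEUTRALIZE)
    # Special case: denial after detection is engage-then-neutralize, and
    # nothing stops an undetected adversary. The second equation then
    # collapses to the first.
    reduced = pr_success_denial(P_DETECT, P_ENGAGE * P_NEUTRALIZE, 0.0)
    general = pr_success_denial(P_DETECT, P_ENGAGE * P_NEUTRALIZE, P_PASSIVE)
    print(f"sequential form:      Pr(S) = {first:.3f}")
    print(f"denial form, reduced: Pr(S) = {reduced:.3f}")
    print(f"denial form, barrier: Pr(S) = {general:.3f}")
    effects = upgrade_effects(P_DETECT, P_ENGAGE * P_NEUTRALIZE, P_PASSIVE)
    for term, gain in effects.items():
        print(f"+0.10 on {term}: Pr(S) falls by {gain:.3f}")
```

In the general form, better detection only helps to the extent that denial is more likely with detection than without it; if the two conditional denial probabilities are equal, improving detection does not change Pr(S).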

“Deterrence” (again, my personal favorite) touches on those measures that influence the perceptions of adversaries.  Arguably, all visible security measures have some deterrence value as they shape the adversary’s perceived probability of success.  Measures taken to devalue a target also act as a deterrent in the sense that they lessen the adversary’s perceived gain from success.  Even deceptive measures such as decoys that have no intrinsic “aggressor resistance” have at least a little deterrence value so long as the adversary remains fooled.  If the adversary feels that success is less likely than failure, and that the gain from success is less than desired, the overall likeliness of an event is lower than if success seemed likely and the gain was sufficient.  So, unlike all the other “D” words talked about so far, deterrence is the only term that specifically targets the likeliness of event portion of the risk equation.

So which set of “D” words is better?  It really is hard to say.  Fuqua and Wilson offer a term (“deterrence”) that relates to likeliness of event, while the DHS approach (“devalue”) offers a term that relates to the physical vulnerability portion of the risk equation.  Otherwise, the two sets of “D” words are the same, more or less.  In the end, all these “D” words (as well as words that start with letters other than “D”) are important since they assist security practitioners in thinking through problems.

With all this talk about “D” words, I find myself tempted to write a security-related song about the letter “D” in the spirit of Cookie Monster’s song about the letter “C”.   I call it “D’s are for Security” or the “Security Song:”

D is for denial, to stop you from harming me

D is for detection, to catch my enemies

D is for deterrence, to scare you away from me

Oh, security is all about “Ds.”


Threat or Risk-Based? (from an op-ed that never made it)

Friday, October 3rd, 2008

While perusing my files of long lost papers that never made it, I came across the following op-ed piece I submitted to some major newspaper on July 12, 2006  (I forget which newspaper it was, but I think it was the Washington Post given I lived in DC at the time).  Unfortunately, the piece, like many articles submitted to major newspapers, wasn’t included for publication.  Since I still largely believe what I wrote (though I could probably say it more clearly nowadays), I decided to post it here.  Blogs really do come in handy when it comes to offering a home for what would otherwise be an abandoned writing.

The recently released Department of Homeland Security grant allocation for 2006 has sparked wide protest. Numerous experts scoffed at the distribution, and many are calling for threat-based prioritization of homeland security money. As a student of risk analysis, to hear from these experts that resource allocation decisions should be “threat” based initially struck me the wrong way – my training has taught me that resource allocation decisions should always be risk-based. But after giving it some thought, I realized that what I was hearing was just another case of unstated assumptions.

Risk, as it is commonly referred to in the security domain, is the combination of threat, vulnerability, and consequence. The threat associated with a given target is a measure of its attractiveness to our adversaries. To focus on threat alone is to take the narrow-minded view of the risk problem – theoretically speaking, what is attractive to our adversaries might not be valuable from our perspective. Full consideration of all three dimensions is necessary to rationally allocate resources in such a way as to maximize risk reduction per dollar spent.

But is this always true? My answer is that it depends on your assumptions. If one assumes that the adversary has perfect knowledge of our nation’s weaknesses, then the most vulnerable and most consequential targets are in fact the most attractive from the adversary point of view. Threat follows vulnerability and consequence in this case, and thus higher risk means higher threat. However, if we assume that the adversary’s perceptions differ from our own, then threat might not necessarily follow risk, and allocating funds based on threat alone would result in suboptimal expenditures.

Of course, the situation is not either-or, but somewhere in between. It doesn’t take a rocket scientist to figure the weaknesses of our infrastructure, but we also shouldn’t assume our adversaries know that places like Wisconsin exist. And as research has shown time and time again, protection in one area shifts adversary attention toward a softer target; perhaps as New York becomes more resilient and less vulnerable, adversary attention might gradually shift toward softer, less protected regions.

At the end of the day, we really shouldn’t assume that we know what all our adversaries think. Rather, we should accept that our adversaries are dynamic, constantly learning, and always looking for opportunities to achieve surprise. The best we really can do is focus our attention on what are truly our most valuable assets, and assume that our adversaries won’t waste their energy on targets of lesser value. Under this assumption, threat-based allocation is in fact risk-based, and arguments over semantics really don’t change the decision process. But like in all other decision situations, we really should make clear what our assumptions are to allay any further confusion.
