Intelligence Communities


 
 

NEEDED: A Few Good Risk Analysis Student Project Ideas

Sunday, December 28th, 2008

In Spring 2009, I anticipate having 65 students (or more) enrolled in my SRA 311 (Risk Management: Assessment and Mitigation) course.   SRA 311 is the last required core course for the Security Risk Analysis undergraduate major at Penn State University.  Most students in this course will be second-semester juniors or first-semester seniors interested in a career in security risk analysis or intelligence analysis.

All SRA 311 students are required to contribute to a final course project that seeks to perform a risk study for a real problem of real interest to real decision makers.  I anticipate 5-person teams, and with 65 students this means I should have about 13 teams.  This also means I need at least 13 final course project ideas to choose from.

To meet my needs, I am currently seeking course project ideas for my SRA 311 students.  If you have any risk analysis project ideas that would lend themselves to student participation, please send me an email or leave a comment on this post.  Ideas from last semester include:

  • Self-assessment methodology for social network participation risk
  • Risk analysis self-assessment methodology for campus lab theft
  • Press release preparedness methodology
  • many others…

Some of the ideas I have for Spring 2009 include:

  • User risk assessment for an online social/collaborative environment (PSU Home, Second Life, etc.)
  • Research lab security assessment methodology
  • Methodology for hazard preparedness (each group focused on a different hazard)
  • Technology transfer risk assessment methodology
  • Structure and content of a regional threat and vulnerability forecast
  • Risk assessment methodology for organizational surprise

What I would really like are some information security-oriented risk analysis project ideas, a few homeland security ones, maybe one or two methods geared toward the national security or business intelligence communities, etc.

Unlike in Fall 2008, many Spring 2009 projects will be focused on building simple decision support tools that implement the methodology, complemented by a media presentation (YouTube video, website, poster, NO POWERPOINT).  Of course, for those niche studies, the project will be dominated by a paper.


A New Approach to Teaching Security Risk Analysis

Tuesday, November 4th, 2008

Hot off the press is the latest issue of the International Association for Intelligence Education (IAFIE) newsletter.  In it I contributed an article describing my strategy for, and experiences thus far, teaching my security risk analysis course at Penn State.  The title of the article is “A New Approach to Teaching Security Risk Analysis,” and can be viewed by going to the IAFIE web page, newsletter section.  At the time of writing of this post, the newsletter is not yet available via the website, but I suspect it will be available really soon. So, see below for the full version of the article in the form I submitted it (which may differ from the final version as I did give the editor free rein to make changes):


A New Approach to Teaching Security Risk Analysis

Interest in risk analysis has increased in the homeland security and intelligence communities in recent years.  The homeland security community uses elements of risk analysis to help decide how to buy down the potential for loss due to naturally-occurring and anthropic events.  The intelligence community thinks about different aspects of risk issues in most, if not all, strategic assessments.  Private industry, too, leverages risk analysis in both the traditional economic sense (financial risk, insurance) as well as for security (physical, information) and to inform strategic and operational decisions (project risk, political risk).  Unfortunately, while the need for risk analysts is great and perhaps increasing, few educational programs educate students in what risk is and how to go about assessing risk in a manner that best informs the decision making process.

In Fall 2006, the College of Information Sciences and Technology at The Pennsylvania State University established a first-of-its-kind undergraduate major in Security Risk Analysis (SRA).  The goal of the SRA degree program is to educate future security professionals on the threats that challenge society, how decision makers think, and how to properly assess, communicate, and make suggestions on ways to manage risk.  Accordingly, the many courses students must take include SRA-specific courses in the threat environment, information security, decision analysis, risk management, visual analytics, human-computer interaction, and so on.

As part of my role as a new assistant professor at Penn State, I was asked to develop and instruct the junior level course in risk management (SRA 311).  If one takes a moment to survey the literature on security risk analysis, there is no established pedagogy for teaching risk management at the undergraduate level save for a discussion on the subject that might occur in a course on probability and statistics or industrial engineering.  Textbooks on security risk analysis tend to focus their attention on the technical details of physical or cyber security, often leaving only a chapter-length (e.g., marginal) treatment of risk analysis.  These same books present risk analysis as a tool to order scenarios (e.g., risk analysis = risk matrices) much like the way ACH is treated as a tool to facilitate reasoning.  The one thing I can say with confidence is that risk analysis is not a tool – it is a way of thinking about problems that applies to security, intelligence, and just about every other discipline where critical decisions must be made.

So here I was – a new professor tasked with teaching a course that has never been offered before and with no textbook to guide its development.  Fortunately, the philosophy of risk and risk analysis is really not that hard to explain.  In its most generic form, risk “measures” the potential for gain or loss associated with future events.  The process of doing risk analysis comes down to providing defensible answers to the following three questions (i.e., the “risk triplet”):

  • What can happen?
  • How likely is it to happen?
  • What are the consequences if it does?

In my experience doing risk analysis, the challenge isn’t understanding what risk analysis is – after all, it often only takes one chapter in a book or a few lectures to explain the fundamentals of risk.  The real difficulties lie in producing analysis that carefully reasons from available evidence to a statement of risk, is mindful of alternative plausible events and outcomes, is free of undue and harmful bias, is critical of the competence and credibility of information sources, and communicates risk in a manner that is informative yet non-judgmental regarding its acceptability. After much thinking about this, it occurred to me that the same things taught to basic analysts in the IC are equally applicable to emerging risk professionals and for the same reasons.  As it turns out, the pedagogy for teaching risk analysis the “right” way was already there, but not where I expected.

Now that I am most of the way through my first offering of SRA 311, I found that many of the same topics discussed in intelligence training courses have been very helpful in getting my students to think carefully about each question of the risk triplet.  Besides covering the basic philosophy of risk and all the components of traditional security risk analysis (e.g., threat, vulnerability, consequence), we discussed the cognitive aspects of analysis from the point of view of descriptive models and empirical evidence, the mechanics of a variety of structured analytic methods aimed at assisting reasoning (e.g., problem restatement, divergent/convergent thinking, event/possibility/decision trees), source analysis and analytic confidence (DNI intellectual standards), and risk communication.  We used a variety of in-class examples to give students practice doing risk analysis, to include information security (e.g., benefits/risks of cell phones in SCIFs), physical security (e.g., terrorist attacks, theft/pilferage), and intelligence case studies (e.g., embassy threat analysis).  Finally, I stress over and over again Elder and Paul’s Eight Elements of Thought and Intellectual Standards as an approach to thinking critically about everything we do, whether it be in the form of critical article reviews, methodology/analysis appraisals, or as guidelines for completing the final course project.

Of course, at present I have no real basis for saying whether my approach to teaching risk analysis is any better than an alternative approach I have not conceived.  After all, this is my first time teaching such a course on risk analysis and I have no baseline with which to make a comparison.  But having seen real risk professionals in action and knowing what they do and what they need to do better, combined with experiencing firsthand the marked improvement in analytic quality of those intelligence professionals that received formal schooling on structured analysis, I assign a high degree of subjective confidence that this approach will serve the security risk analysis community well.  While my educational strategy is not new in the context of intelligence analysis, it is truly a new approach to teaching security risk analysis.


Now it is time to write some journal articles, so I suspect I will not be authoring any more newsletter articles for a few months…


Choose Your Own Analytic Adventure

Tuesday, November 4th, 2008

Everyone says that structured analytic techniques are good things to have as part of a “Thinker’s Toolkit.”  In the security risk analysis degree program at Penn State, several of my colleagues and I make every attempt to instruct our students in the proper application of and value added of using structured analytic techniques to enhance one’s ability to think clearly, carefully and rigorously through complex problems.  Unfortunately, our situations suffer from a significant setback – most of our students lack “real world” experience doing analysis for problems in the security and intelligence communities (or perhaps doing any real analysis at all for any community).  Accordingly, we often find ourselves searching for carefully constructed case studies that provide the right balance of realism and accessibility to students that may not have sufficient domain knowledge to speak credibly on any particular issue.  We desire case studies that contain enough information to allow students to define the problem, articulate alternative hypotheses, leverage evidence to establish probability distributions over a set of future alternatives and degrees of confidence in analytic judgments, do source analysis, and so on.

To date we have come across several case studies used in the intelligence community, such as those developed by Professor Francis Hughes at the National Defense Intelligence College and several of the cases authored by Thomas Shreeve as part of the Intelligence Community Case Method Program.  And fortunately for us, these case studies have proven to be moderately successful when used as part of our classes.  However, we are still in search of more case studies that walk students through a problem, asking them to apply different structured analytic techniques to enable them to draw defensible inferences from data, make judgments of risk and choose from among alternative strategies for mitigating risk, explore how different ways of communicating analytic results might influence the decision maker, and so on.  And of course, we are also interested in case studies that have a variety of alternative endings, mainly to highlight that the results of the analysis and the way it’s communicated does have an effect on the outcomes of a situation as well as setting the stage for later analysis.

In my pursuit of fun books to read to my kids before bedtime, I recently came across the Choose Your Own Adventure series of books that many of us enjoyed during our more youthful years.  I tried to recall my experiences reading these books, such as navigating through all the alternative storylines one can follow based on the choices made during the book (one CYOA fan actually took the time to develop a map of The Mystery of Chimney Rock by Edward Packard; I must admit that I was tempted to do the same).  Then a thought hit me – would it be possible to develop a CYOA book that resembled a storyline that one might encounter in a professional security or intelligence position?  In addition to providing a compelling story, such a book would, of course, provide greater depth to a problem, provide evidence, and try to be as real as possible so that readers can draw on external resources to aid them in their analysis.  Now here is the kicker – each analysis or decision node would insist that the reader apply a specific structured analytic technique to arrive at the best possible answer or decision.  Once the answer is chosen, the story will then continue.  Some decision nodes would be critical to preserving national security, whereas some others might be less so or even irrelevant to the outcome.  When used as part of a course, the analyst would then prepare written reports along the way outlining the steps they took to arrive at a judgment or decision.

As an attempt to appeal to those individuals having read and enjoyed CYOA books in the past, I decided to label this idea as “Choose Your Own Analytic Adventure” or CYOAA.  See the prototype cover I prepared for the first such book in the series shown above.  I imagine that the analytic training community could create an entire series of such analytic books spanning all aspects of interest, to include terrorism, resource allocation, HUMINT targeting and collection, counter-deception, counter-proliferation, risk analysis, post-blast investigation, cyber security, communicating to decision makers, etc.  What we would need to do this are good writers, good ideas, good researchers, and of course, good artists capable of drawing pretty maps, figures, and sketches (and perhaps permission from the CYOA people to model our books after their likeness).  Just imagine it – we could hand these books out as part of class, and not only would they provide a basis for practicing analysis, but they would also make for a good addition to one’s professional library.  And if they are truly written well, then perhaps they might also make for good recreational reading.
