This lecture marked the start of the third and final segment of SRA 311 (Risk Management: Assessment and Mitigation) for the Fall 2008 semester.  The subject of Part III is risk management, which according to this semester’s scheme includes discussions on risk perception, risk acceptance, and strategies for treating risk and communicating actionable risk information.

So here I was all set to begin Part III with a discussion on risk perception, to include how people’s perceptions are shaped according to whether the risk is ordinary or novel, voluntary or involuntary, frequent or rare, etc.  A very important lecture indeed!  But alas, this lecture was set to take place on Election Day (4 Nov 08), and as the responsible faculty member that I am, I arranged for my students to complete an online lesson in lieu of a formal lecture to accommodate their voting plans.

The online lesson for the day was simple – watch an 87-minute video (75-minutes for class + 12 minutes extra for doing it at home) and prepare for me a one-page (or less) single-spaced summary of the video, to include a short bio of the presenter and summary of a few of the points made during his presentation.  The video was entitled “Quantitative Risk Communication: Explaining the Data” and delivered by Peter Sandman (available for free online viewing at Peter Sandman’s personal website).  Thus, Part III began with a discussion on communication, but from the standpoint of communicating the technical results of a risk assessment (i.e., the “hazard” part of the “Risk = Hazard + Outrage” formula; see a June 2008 post I made on the subject).

I highly recommend this video for all people interested in effective strategies for communicating the technical aspects of a risk assessment, or even for people interested in effective communication in general.  This presentation was fairly well-received by many of my students, though I must admit that a few found it to be “terrible” (I don’t see why they would say this – to me this video was on par with any other motivational video I have seen in recent years, including those by Zig Ziglar and Steven Covey).  I leave it to readers to check out the video for themselves, but to highlight some of its features it includes as discussion on:

• Ten ways to simplify language and information
• Six points to remember about simplifying graphics
• Nine approaches to orient your audience
• Thirteen ways to explain uncertainty
• Seven checkpoints – “Is this a good risk comparison?”

After having enjoyed this video, I am strongly tempted to purchase the remaining three of Peter Sandman’s videos on risk communication, but unfortunately they are quite expensive.  These videos are:

• Risk = Hazard + Outrage: A Formula for Effective Risk Communication (includes a discussion on the seven conclusions about hazard and outrage, four stages of risk communication within organizations, and new insights into the complexities of risk communication) [VHS, 111 minutes, $280]
• Implementing Risk Communication: Overcoming the Barriers (includes a discussion on the four keys to successful risk communication, ten cognitive barriers to risk communication to avoid, and ten approaches to overcoming organizational barriers to risk communication) [VHS, 75 minutes, $235]
• Crisis Communication: Guidelines for Action: Planning What to Say When Terrorists, Epidemics, or Other Emergencies Strike (recommendations include don’t over reassure, be willing to speculate, don’t overplan for panic, acknowledge uncertainty, and give people things to do) Handouts for this video are included here [DVD, $315]

Dr. Sandman also mentions a software product named OUTRAGE Prediction & Management Software and provides some demo presentations of this software on his website.  The focus of this software is on reputation management.  In particuar, its features include processes for breaking “reputation management down to bite-size pieces” and an “outrage meter” that answers the question “how are we doing?”  Unfortunately, as Dr. Sandman puts it, the software is out of date and may (or may not) be updated to modern generation computing platforms.  Fortunately, Dr. Sandman suggested that he might make the software available as shareware (citing that it is still useful despite being several computer-generations old).  I, personally, look forward to this.

Finally, Dr. Sandman has a book entitled Responding to Outrage: Strategies for Effective Risk Communication (1993, ISBN: 978-0-932627-51-3). For a softbound 123-page book (and small pages at that), this book is very expensive at $91 per copy.  Nonetheless, it is a good book on the subject (I do happen to own a copy, though I admit I was tempted to return it to Amazon once I saw how thin it was for the price).

I must conclude this post by making clear that Dr. Sandman is not the only authority on the subject of risk communication.  For those interested readers, I must again suggest (as I did in a previous post) looking at the following books:

• Risk Communication: A Mental Models Approach by M. Granger Morgan, Baruch Fischoff, Ann Bostrom, and Cynthia Atman (2001, ISBN: 0521002567)
• Strategies for Risk Communication: Evolution, Evidence, Experience by Troy Tucker, Scott Ferson, Adam Finkel, and Thomas Long (2008, ISBN: 978-1573316811)

The authors of these two books have some of the biggest names in the risk business.

Send article as PDF to

In January 1957, a man by the name William L. McGill authored an article entitled “How a State Prepares for Disaster” that appeared in the Annals of the American Academy of Political and Social Science, Vol. 309, pp. 89-97 (peramlink).  According to the footnote on the first page of this article, Mr. McGill was the Texas State Coordinator of Defense and Disaster Relief and past President of the National Association of State and Territorial Civil Defense Directors.  The abstract of this paper is as follows:

The State of Texas leads the other states of the nation in the number of major disasters: it is first in tornadoes and devestating floods and second in hurricanes.  This article describes how Texas, under its Civil Protection Act of 1951, without setting up an independent state agency, has gone about mobilizing and utilizing the resources of the state in time of major disaster.  The “Texas Plan” is discussed in detail and attention paid in particular to its cost and financing, the planning of disaster relief, preparedness, and training.

So how did Texas prepare for disaster from naturally occurring event, accidents, or enemy action?  By a combination of warning, agility, cooperative alliances (horizontally and vertically, mitigation through cooperation), and lots and lots of education and training.  In my view, this is a well-rounded risk management strategy.  Most interestingly, Mr. McGill emphasizes the importance of self-reliance during a disaster as it is “a basic tenet of our system of government that all people should help themselves to the fullest possible extent” (p. 91).  Well said!  When people can’t help themselves, then neighbors, towns, districts, the State, and only when resources run out, the Federal government will step in to lend a hand.

I can’t say why I am particularly interested in this paper.  Is it because it is relevant to my work?  Perhaps.  Is it because the author and I share the same name?  More likely.  The real answer is “yes” to both questions.  Here are some other links to materials associated with Mr. (or rather, the Honorable) William L. McGill:

• Opinion S-135 dated 15 Jul 1954 by Texas Attorney General John Ben Shepperd Re: Authority of the State Disaster Officials to Spray Private Residences in the Rio Grande Flood Area
• A little bit of Texas state history describing William L. McGill’s role as Texas’ first state coordinator of defense and disaster relief, a position he held for 8 years.  In this role, Mr. McGill reported directly to the governor on matters pertaining to civil protection (inspired by the Cold War, no doubt).
• A story about how Mr. McGill was relieved of his duties in Texas to support the WWII war effort

Send article as PDF to

In the course of my searching for good examples for use in my SRA 311 (Risk Management: Assessment and Mitigation) course, I came across the following examples and resources that proved helpful:

• Security and Loss Prevention: An Introduction, 5th Edition (by Philip Purpura, 2007, ISBN: 978-0123725257):  This book, while not my favorite textbook in the world, is one of the few books on security that actually has exercise problems (case problems) at the end of each of its nineteen chapters.

• Practical Risk Analysis: An Approach Through Case Histories (by David Hertz and Howard Thomas, 1984, ISBN: 978-0471101444): Chapter 7 of this book had an excellent case study focused on how an underwriter performed a first-order risk assessment of a company’s computer information systems.  This case study provided a springboard for talking about risk attitudes, the role of insurance, ruin, and so on.  Unfortunately, this book is very out of print, so you will have to order it from a used bookseller to read the case study I am talking about (and all others in the book).

• Risk Management for Security Professionals (by Carl Roper, 1999, ISBN: 978-0750671132): Appendix A of this book offers a near complete security risk analysis exercise through a series of five vignettes (asset ID, threat analysis, vulnerability assessment, risk assessment, and benefit-cost analysis).  But be warned – this case study takes a long time for students to complete, and should be something that extends throughout an entire semester (not a week like I did – yikes!).  The book itself is ok, but like most other security risk management books, it lacks end of chapter exercises.  But at least the case study is good.

Now keep in mind that I sifted through twenty or more books over the course of four hours one very late Monday evening/Tuesday morning on risk analysis, security management, and so on, looking for good examples and case studies to use in my SRA 311 class.  The above three resources are all that I found in this time.  This is not to say I didn’t miss anything – I am sure there are a number of in-chapter worked-out exercises that I could adapt to meet the needs of my class.  But I did do what I thought was a pretty good job looking through these books.  I will spend some time over Christmas break looking through these items again.

Meanwhile, if you are a reader that does security risk analysis, please feel free to suggest sources of problems, exercises, and case studies.  For one, I plan to mine Certified Information Systems Security Professional (CISSP), Certified Protection Professional (CPP), Physical Security Professional (PSP), and Society of Actuaries Exam P exam reference materials for questions.  One goal I have for my class is to ensure that successful students will be able to correctly answer all risk-relevant questions on the CISSP, CPP, PSP, and SOA Exam P exams, or at least be able to take their newly acquired intuition to reason toward the correct answer.

Send article as PDF to

An 2004 paper by Paul Slovic et al. entitled “Risk As Analysis and Risk As Feelings: Some Thoughts about Affect, Reason, Risk and Rationality” published in the journal Risk Analysis, Vol. 24, No. 2, pp. 311-322 (DOI: 10.1111/j.0272-4332.2004.00433.x) reprinted an excellent Doonesbury strip (by Gary Trudeau) from 1994 entitled “Street Calculus”:

I am not the type (like many other professors and office professionals) to print out comic strips and tack them to my door, leaving them in full view for my visitors to read for years on end as they slowly fade and deteriorate.  But I am the type to post such strips to my blog as it highlights what could very well be going on inside peoples’ heads as they size up different risk situations.

Basically, this comic shows two individuals each using their own mental model for sizing up the risks associated with a completely unknown person passing him or her by in the street.  Each mental model identifies a set of cues that enable the individual to associate the current circumstances with those patterns derived from past experience.  Based on how each individual sizes up the situation, in this case with respect to “risk factors” and “mitigation factors” separately, the individual then runs a mental simulation of a variety of perceived plausible futures to assign a score to RF and MF, where an MF greater than RF means the risk is acceptable.  (Note that pattern recognition and mental simulation are the two sources of power described by Gary Klein’s book of the same name).  Perhaps in reality, though, each individual unconsciously sizes up the situation in a holistic matter, where the resulting level of fear or comfort (consider these two factors opposite feelings along a single continuum) determines perceived acceptability of proceeding along the planned travel path (vice making a course correction to mitigate perceived risk).

Do people actually entertain such checklists in their mind?  I suppose that the speed at which the situation depicted in the comic is unfolding insists that the bearers of risk leverage simple heuristics (again, derived from experience) to make their decision.  I highly doubt that the situation permitted enough time to be systematic in their analysis, but rather Gerd Gigerenzer’s fast and frugal heuristics concept applies.  That is not to say that such heuristics are bad, only that using them produces less transparent decisions that may be prone to the influence of harmful biases or misperceptions.

The topic of risk acceptance will be a large part of the next SRA 311 lecture scheduled for Thursday, 6 Nov 2008.  I think I will flash this comic as part of the discussion.

Send article as PDF to

Last week’s SRA 311 (Risk Management: Assessment and Mitigation) lectures focused on all things vulnerability.  As defined in a much earlier lecture, the general qualitative (albeit probabilistic) expression for risk, R, is as follows:

R = {<e,p,o>}  (1)

where e is one of among many types of initiating events, o is one of many outcomes of concern, and the probability p is the joint probability of both e and o occurring, or:

p = Pr(e,o) = Pr(e)Pr(o|e)  (2a)

= Pr(o)Pr(e|o)  (2b)

where Pr(e) is the probability of event and Pr(o|e) is the vulnerability to realizing outcome o given e has occurred.  The use of the curly braces “{” and “}” in Eq. 1 implies that risk is the complete set of triplets for all possible combinations of e and o for a given situation (i.e., cross product of E and O, where E and O are the sets of all events and outcomes, respectively).  And it must be kept in mind that the scope of the risk analysis constrains how e, o, and p are assessed.

Common, but Apparently Different, Expressions for Risk. Now, the experienced risk practitioner might question why Eqs. 1 and 2 look so dramatically different than the prototypical formula for risk:

Risk = Threat × Vulnerability × Consequence (3)

As it turns out, the “colloquial” expression for risk in Eq. 3 is identical to the expression I put forward in Eq. 1.  To see this, let’s examine what Eq. 3 actually says.  The “colloquial” expression for risk states that risk is the combination of threat and vulnerability and consequence, that is, the “×” denotes the cartesian product and not the more restrictive arithmetic product.  Equation 1 says the same thing, namely that risk is the combination of all pairings of initiating events (e.g., threats), outcomes (e.g., consequences), and the probability that binds them.  This probability, according to Eq. 2a, is largely a function of the system states that enable event e to result in outcome o (e.g., vulnerabilities).  Again, Eqs. 1 and 3 are essentially the same, although I must admit that it is much easier to explain Eq. 3 to decision makers than it is to even come close to explaining Eq. 1.

So what about the commonly accepted definition of risk as “probability times consequence?”  This simplification of risk is actually equivalent to Eq. 2a under certain assumptions.  Equation 2a provides a means for expressing the full probability distribution over the space of potential outcomes.  If the outcomes o are expressed on a cardinal or ratio scale, then one can find the expected value of the vulnerability term, where the expected value is actually the expected loss given occurrence of an event (see any basic textbook on probability and statistics to see how this is done).  With vulnerability expressed as expected loss, Eq. 2a reduces to a probability times a consequence.  Alternatively, one can decompose the vulnerability term into two distinct probabilities as follows:

Pr(o|e) = Pr(o|e,s)Pr(s|e)  (4)

where Pr(s|e) is the probability of adversary success given attack (obviously this value is one when natural events are considered) the Pr(o|e,s) is the probability of an outcome given a successful attack.  Here, one can find the expected value of the outcome probability Pr(o|e,s) to arrive at a value for expected loss given a successful attack.  Again, Eq. 2a reduces to a probability times a consequence, albeit this time the probability is the product Pr(e)Pr(s|e) and the consequence is the expected loss given adversary success.  In fact, this is the form of Eq. 2a that is most often used in probabilistic security risk methods.  But it is important to note that Eq. 4 is just one version of Eq. 2a, and that there are many others that are simpler or more complex depending on the needs of the decision maker.  But in the end, Eq. 2 (both a and b) is the most general conceptual expression for risk.

Vulnerability As Notion and Vulnerability as Measure. As a notion, Professor Yacov Haimes at the University of Virginia defined vulnerability as “the manifestation of the inherent states of a system that can be exploited to adversely affect that system” (see “On the Definition of Vulnerabilities in Measuring Risks to Infrastructures” by Yacov Haimes, Risk Analysis, Vol. 26, No. 2, pp. 293-296 (2006), doi:10.1111/j.1539-6924.2006.00755.x).  According to this definition, a system is said to be vulnerable if there exists a combination of system states that renders it susceptible to adverse effects (outcomes) arising from a particular exploit (initiating event).  Consistent with this definition is the measure of vulnerability according to the term Pr(o|e).  This vulnerability term can be read as follows: “vulnerability is expressed as the probability of a given outcome following the occurrence of a specified event.” This probability is shaped by the performance of the system under the stress imposed on it by the initiating event, where higher values of this probability for a given combination of (e,o) indicate a greater susceptibility to harm of loss.

A more generic definition for vulnerability was offered in the paper “Vulnerability and Risk: Some Thoughts from a Political and Policy Perspective” by Sarewitz et al and published in Risk Analysis, Vol. 23, No. 4, pp. 805-810 (2003) (required reading for a large fraction of the class): “vulnerability is the inherent characteristics of a system that create the potential for loss.”  While similar to the definition posited by Haimes in the context of protecting infrastructures against acts of terrorism, the Sarewitz definition is more generic in that it asserts that vulnerability creates risk (where risk is defined as, in the more restrictive sense of security, as the potential for harm).  In fact, Sarewitz et al. emphasizes that “understanding and reducing vulnerabilities does not demand accurate predictions of the incidence of’ events.  This statement is 100% consistent with Eq. 2 in that vulnerability reduction yields a reduction in risk even in the probability of event remains unchanged.  For security managers this point is particularly important given the fact that it is insanely difficult to express likeliness of adversary actions in quantitative form.  Perhaps it is no surprise that vulnerability assessment is the prime focus of a security professional’s career, where the meager threat assessment (i.e., event likeliness assessments) are then used to help prioritize vulnerabilities for management attention.  Risk management, then, examines the actions taken by security practitioners to reduce the vulnerability for those event/outcome pairs that make management most nervous.

Extreme Events. Sarewitz et al. also made another point I think is very important: “extreme events are created by context.”  I wrote at length about this point in a previous post on natural perils, natural hazards, and natural disasters.  In themselves, events are not disasters; for example, a hurricane is not labeled a disaster until it has affected some system.  Before then, a hurricane is simply an event that one might label as a peril or hazard.  The label “disaster” is assigned only to events that have occurred and wrought a significant toll on the interests of an individual or group of individuals.  An extreme event is a game changer event, and much like a disaster is one that disturbs the affected system enough to change its configuration with respect to its pre-event state (e.g., population redistribution, new reactive policies, etc.).  It makes no sense to assess the vulnerability with respect to disastrous events because the mere label of disaster implies significant vulnerability.  Whether or not an event becomes a disaster depends on the magnitude of the vulnerability to outcomes one labels as disastrous given an event has occurred.  That is, the context of the matter determines which outcomes are disastrous and which are not, and the vulnerability assessment then can produce insights into the potential for disaster in the face of a triggering event.

How Vulnerability Assessment Is Done. Unlike previous lectures where I was able to provide guidance on constructing complete sets of events and outcomes, I could not offer my students similar tools for doing vulnerability assessment.  Why?  Because vulnerability assessments fall under the category of messy problems.  While it may be straightforward to articulate potential causes of harm and define a set of undesirable consequences, it is not a trivial matter to make defensible statements about the probability that an event will lead to a particular outcome.  Such statements insist that the analyst possess intimate knowledge of all aspects of the system under study, to include its security system, structural configuration, and response and recovery capabilities.  Even if you reduce the vulnerability problem into separable components (e.g., protection vulnerability and response vulnerability such as is described in a paper I coauthored), the level of knowledge required to do a vulnerability analysis is quite extensive.  Yet, people manage to do vulnerability assessment anyway.  How do they do it?

Well, if one appeals to the science of Naturalistic Decision Making, meaningful vulnerability assessments insist that that the vulnerability assessor has command over the two major sources of power: pattern recognition and mental simulation (I wrote something about this in a recent post on the (very tentative) McGill descriptive vulnerability assessment model).  Pattern recognition, a power that arrives at only through experience, enables an individual to quickly pick out the most significant environmental cues relevant for a given problem and use these cues to assess the degree to which the environment is similar to other situations from his experience.  In the event of a match (the likeliness of which increases with more personal experience), an individual uses his or her mental simulation power to quickly conduct thought experiments that “challenge” the environment and predict how it will respond to different initiating events.  (notice my use of the word “quickly”: have you ever seen a former special forces solider do a vulnerability assessment?  The more experienced the soldier is, the more quickly he or she can do a vulnerability assessment that means something).  I suspect that this simulation process for vulnerability assessment is iterative in that one starts with an outcome, backs out plausible events that might yield that outcome, reappraise vulnerability with respect to each identified initiating event, and so on.  But in the end the breadth and depth of the assessment is highly sensitive to the experience, objectivity, and biases held by the assessor.

But here is my challenge – I must teach vulnerability assessment to individuals with a minimum amount of background knowledge.  How can I do this?  The solution lies in the simple fact that when under pressure to produce answers, the lack of knowledge to render a defensible judgment is typically compensated for by bias, gut feel, and guesses.  One way to enable defensible analyses is to provide students with a wide array of structured analytic techniques aimed at alleviating all those aspects of reasoning that are detrimental to the end product (much like the way the intelligence community does it).  This is my focus of Part II (risk assessment) of my course – to provide a suite of techniques to help less experienced risk assessors properly structure their thinking so as to make sense of a particular situation and explicitly identify all uncertainties.

An Exercise on Vulnerability Assessment. To highlight the difficulties in actually doing a vulnerability assessment, I had my students spend 30 minutes of the second lecture assessing the vulnerability of Penn State campus (University Park) to disaster (note that much like most questions encountered in practice, I deliberately kept the question vague).  This exercise insisted on brainstorming what types of events would be considered disastrous, then identifying a spectrum of different causes for each type of disaster.  I provided no techniques for doing this in attempt to see how my students would reason through the problem.  The responses were mixed – what constituted a disaster varied among student groups, as well what types of events could causes disaster.  Perhaps this is because not a single group put themselves in the shoes of a campus decision maker; rather, each group adopted a personal view of disasters and their causes.  As I emphasized in class, analysis done in this manner imposes the personal biases of the analyst on a problem whose answers would inform a decision maker that might have a different opinion of what a disaster is.  The first step in any risk analysis is to know your customer well enough so as to properly frame the associated questions.  Overall the exercise went well, and provided me with good insight into how to proceed with part II of the course.

My Take on the Lecture

As a whole, I think I could have done better with this week of lectures.  For one, I assumed that the students had more background knowledge in probability than they really had.  In hindsight, I should have incorporated basic concepts from probability theory throughout the discussion of vulnerability.  I will definitely try this approach in next semester’s offering of SRA 311.  However, since vulnerability is a conditional probability, I am now forced to restructure the syllabus to start with a discussion on basic probability before getting into Bayes’ rule.  Essentially, this means I need to start with event likeliness (the topic of lecture 9) before lecturing on vulnerability.

A second thing I noticed was that I really talk too much, particularly on the topic of vulnerability assessment.  While this isn’t always a problem, the topic of vulnerability assessment is dry as a bone unless one already has some experience doing it.  In attempt to liven the discussion up, I intend next semester to incorporate more in-class exercises to flex students’ neural muscles on the topic.  Some ideas I have in mind include online worksheets that ask students to make general statements of vulnerability for a variety of high-level scenarios, another case study pegged to some current event (the recent bombing in Pakistan, as horrible as it was, would have made for a good case study focused on what makes a system vulnerable), and so on.  Feel free to share your thoughts or ideas, if you have any.

Send article as PDF to

Today’s SRA 311 (Risk Management: Assessment and Mitigation) lecture focused on the topic of “Decision Advantage” and what a risk analysis does to empower decision making (I tend to prefer the phrase “decision empowerment,” but alas Prof. Jennifer Sims’ phrase “decision advantage” is more catchy as evidenced by its adoption in DNI Vision 2015 and its use in caption for an past and upcoming conferences such as that held by DNI and INSA).

My goal for today’s lecture was to get students thinking about what a risk analysis is used for and how to go about establishing the scope of a risk analysis.  I assigned two papers as required reading:

• Aven, T., and Korte, J. (2003). “On the Use of Risk and Decision Analysis to Support Decision Making.” Reliability Engineering & System Safety, Vol. 79, No. 3, pp. 289-299.  doi:10.1016/S0951-8320(02)00203-X. (note: this article served as a basis for the daily critical article review assignment)
• Pate-Cornell, E. (2007). “Probabilistic Risk Analysis versus Decision Analysis: Similarities, Differences and Illustrations.” in Abdellaoui, M. et al. Uncertainty and Risk: Mental, Formal, and Experimental Representations, pp. 223-242.  doi:10.1007/978-3-540-48935-1_13.

The lecture proceeded as follows.  First, I spent some time making announcements (boring, but necessary), then proceeded to review the Eight Elements of Thought and Intellectual Standards and the main ideas from Lecture 2.  The concepts I stressed were as follows:

• Security context (e.g., S=f(P,T,A)Si from Giovanni Manunta’s paper Defining Security), where a security a context only exists if there is a Protector, a Threat, and an Asset (or object of contention) tied together via a Situation.  I made sure that the student’s understood that security risk management is only useful within a security context, and is pointless to do risk management outside a security context.  Accordingly, I urged all students, as their very first step toward their final course projects, to articulate in words the security context that defines their project.  That is, tell me who the Protectors are (there may be more than one) and describe for me their interests, identify the Threats to the Protector’s interests from outside agressors, and identify assets at issue (whether physical, informational, emotional, etc.).
• The SRA 311 working definition of risk as follows:  Risk = Uncertainty about future events of interest.  I added the underlined words to emphasize that events only pose a risk (whether pure or speculative) if the events are of interest to the customers of analysis.  Basically, the inclusion of these words offered a nice segue into the question at issue for the day: “what is the role of risk analysis in the decision making process?”

As I reviewed the second bulleted topic above, I made an interesting observation.  The students in my class knew what a normal distribution was when I drew it, but they were less confident in the meaning of the phrase “expected value.”  One of the assumptions I made explicit at the beginning of the course was that students should be knowledgable in basic statistics as taught in their STAT 200 (Elementary Statistics) course.  I presumed that the idea of “expectation” and “expected value” would be taught.  Well, perhaps it was.  But like most other math-professor-taught math classes, how much does a student really learn in a mathematics course that doesn’t put the material into the context of what the student’s care about?  Expected value, as one might recall, is another way of saying average value, and can be obtained by multiplying the probability of a specified outcome by the valuation of that outcome, then adding up all such products for all outcomes in an mutually exclusive (distinct) and collectively exhaustive (complete) set.  Anyway, I find myself now faced with a challenge – how do I educate my students on the basic idea of risk as expected value (though admittedly, risk is way more than this) when they have a hard time understanding what an expected value is in the first place.  My solution:  hire a knowledgable undergraduate to host several extra-curricular math seminars to go over the basic principles of probability and expected value.  As soon as I devise the curriculum for this seminar, I share it on this blog.

Back to the risk discussion.  As a corollary to my definition of risk, I offered the following point: risk does not exist without uncertainty.  In fact, some people set these two concepts equal.  Frank Knight (the economist/philosopher), however, clearly distinguished between the two in his dissertation Risk, Uncertainty and Profit, though he admitted that the word “risk” in the colloquial sense accomodates both the risk (as he defines in) and uncertainty.

At this point I reviewed three non-taxonomic categories of risk: speculative risk, pure risk, and objective risk.  Speculative risk considers the case of an uncertain future whose context admits both favorable and unfavorable outcomes.  For example, gambling is a risky venture, and is a case of speculative risk since one gambles to attain fortune at the cost of exposing oneself to the possibility of ruin.  Pure risk takes a one-sided view of the problem and only looks at an incertain future whose context only admits non-favorable outcomes.  For example, security risk analysis considers to general classes of future event: a security event happens (=bad, but to different degrees depending on the nature of the event), and a security event does not happen.  Objective risk was a much harder concept to discuss in the absence of strong class footing on the meaning of expected value.  Basically, objective risk is the dispersion about the mean of a loss distribution, where wider dispersions (i.e., higher variance) corresponds to higher objective risk.  Fortunately, we won’t be leveraging too much of this concept in SRA 311; but had we decided to delve more into insurance (or rather, risk transfer) as a risk treatment option, then objective risk would play a much larger role.

Here we are, 30-45 minutes into class, and I was starting to get the feeling that my students were dozing off, focusing on other things, or what have you.  I can’t blame them too much – to me this stuff is fascinating, wheras to them the topics must seem dry and heavy, particularly if I am asking them to recall details from an inadequately-taught subject (STAT 200) in order to make sense of what I’m saying.  Well, I told them on the first day that my number one goal was to help them build “risk intuition”; from my experience the only way to do this is by immersing them in the nitty-gritty details of risk analysis activities.  I will continue to do this, and I suspect that in the end the students will be better off for it.

To get the juices flowing again, I decided to have my students move around a bit in their seats by running a few search terms in Google (you see, much to my chagrin, each student has a computer at their seat in my classroom).  The three search terms I provided were “DNI Vision 2015,” “Jennifer Sims,” and “Decision Advantage.”  My goal was for the students to locate DNI Vision 2015, pull out the tone box on the first page of chapter 2, and read aloud for me what Jennifer Sims has to say about “decision advantage”:

… the key to intelligence-driven victories may not be the collection of objective ‘truth’ so much as the gaining of an information edge or competitive advantage over an adversary. Such an advantage can dissolve a decision-maker’s quandary and allow him to act. This ability to lubricate choice is the real objective of intelligence.

There you have it, intelligence lubricates choice.  Similarly, risk analysis lubricates choice by providing knowledge to the decision maker on the sources of uncertainty present in a given problem (a discussion topic for lecture 11) and how they contribute to our understanding of the nature of future events of interest.  This is our goal as risk analysts: provide the best possible analysis about a system (technological, political, social, economic, etc.), how we think it works, and how it may behave in the future as a function of the decisions we make or do not make.  Risk analysis informs decision making by providing actionable insight on how to improve the chances for desirable outcomes and decrease the chances for undesirable outcomes in light of our admittedly incomplete and uncertain understanding of our system.  Again, if there was no uncertainty, then we would know how the systems we operate in work and how they will behave in the future.  Thus, we would have no risk.  But, in reality we are uncertain about everything, including our knowledge of how systems work, what events can plausibly occur in the future, our descriptions of the plausible events we know about, and the relative likeliness of them all.

There were a couple of other points I wanted to make to the class, but for whatever reason I felt that by making them I would give the appearance of beating a poor horse to death.  Well, these points were really excerpts from the required reading, and for sake of completeness (and future reference) I will pull them out here:

• “Risk analysis is always part of a decision context, whether it is an explicit analytic activity or not” (Aven and Korte).  My comment: All people examine the risks attributed to the actions they decide or decided to take or not take, or the situations they find themselves in or not in.  Formal analysis offers the advantage over intuitive impressions of risk as they lay bare all assumptions, sources of uncertainty, etc. to provide the clearest (and most objective) picture possible of the strategic landscape.
• “For risk related to organizational [or national security, political, etc.] decisions, presentations of consequence and uncertainties [derived] from the risk analysis should be highlighted, rather than synthesized measures of utility gains and losses” (Aven and Korte).  My comment: I, personally, would take this the next step by saying that a well reasoned narrative that explains the spectrum of plausible future events and their relative likeliness is often superior to numbers in terms of providing useful knowledge to decision makers.  The numbers are typically secondary, regardless of what mechanistic approach they come from, and serve only as a decision aid that complements decision maker review, judgment, and negotiations with other stakeholders.
• “In addition to satisfying philosophical and methodological requirements, the analysis must be seen as useful by decision makers.” (Aven and Korte).  My comment: I would add that for the analysis to be accepted by the consume (i.e., decision maker), a level of trust must be established between the judge and the advisor.  This can be done a number of ways, such as producing analysis that subscribes to an acceptable standard of practice, presenting the analysis in a manner that is clear and understandable to the consumer, or simply having the analysis come from the mouth of a trusted advisor (the last one being a bit more dangerous, in my mind).  As one reknown safety researcher once said, in order for risk information to be accepted by a decision maker, it must follow from an accepted process for producing such information.  Decision advantage only happens when the consumer takes in what the analyst has to say, which thus requires the consumer to find such analysis useful and derived from trusthworthy sources and practices.
• “Decision making is a process with formal risk and decision analysis to provide decision support, followed by an informal managerial judgment and review process resulting in a decision.” (Aven and Korte)  My comment: again, this comment echoes the main point that risk (and decision) analysis informs the decision making process.  It does not prescribe decisions for the decision maker.
• “Risk analysis, contrary to decision analysis, is not supposed to include preferences for scenario outcomes, neither explicitly or implicitly.” (Pate-Cornell).  My comment:  While risk analysis must have some understanding of the scope of the outcomes of concern to a decision maker as well as which variables are within the decision maker’s ability to control, the risk analyst shall not attempt to impose personal values and preferences (in the sense of utility) atop of plausible outcomes.  However, when providing actionable recommendations on what can be done to improve the risk situation, the risk analyst must be cognitive of the favored directionality of the relevant consequence dimensions, fewer than more number of lives and dollars lost being an example.
• “Do not perform a [risk] analysis for an organization or individual who is not willing to use the results for decision support, but only to justify decisions already made.” (Pate-Cornell).  My comment: If one does analysis for the sake of justifying already-made decisions, then the analysis isn’t really offering any decision advantage.  Rather, this tactic is used to legitimize a decision that may be the wrong decision or perhaps the right one for the wrong reasons.  The problem is even more acute when the decision maker pressures the analyst to produce results that are consistent with the desired decision and incompatible with alternative options.  Perhaps this is why Prof. Pate-Cornell urges risk analysts to not engage in any analytic activity for the purposes of legitimizing a decision – by avoiding such situations, you are also denying the decision maker any opportunity to influence your results one way or another.
• “[The role of the risk analyst] is to present as exactly as possible the state of knowledge, i.e., the assumptions of the model, the sources of information and the processing of data, in order for future decision makers to exercise their own judgments when using the results.” (Pate-Cornell).  My comment: Again, risk analysis informs decision making.  Note that if you are starting to think the Prof. Pate-Cornell is starting to sound like an intelligence studies scholar, you wouldn’t be too far off the mark.  In fact, Prof. Pate-Cornell has been (and perhaps is still) a member of the President’s Foreign Intelligence Advisory Board, or PFIAB.

Now that the students understand the role of the risk analyst in the decision making context, I decided to end the lecture with an interesting template for articulating the scope of a risk assessment.  Given a security context (again, this is a course for security risk analysis major), one can follow the STEM-V approach to guide their thinking as the scope a particular problem (note that the STEM acronym without the “V” was first presented by the respected risk research Louis Anthony “Tony” Cox, Jr. in his book entitled Risk Analyisis: Foundations, Models and Methods, ISBN: 0792376153):

• Sources of risk
• Targets affected by these sources (i.e., assets in the S=f(P,T,A)Si model)
• Effects of concern
• Mechanism that yield effects from the source via target
• Variables that can be controlled to influence risk one way or the other

Note that I am still in need of an mnemonic for STEM-V to aid in memorization.  Together, the idea of a security context + STEM-V provide good guidance to aid in problem statement and purpose construction.  This is a good place for the students to be in at the end of the second week of the semester.  Unfortunately, I ran out of time this lecture to try STEM-V out as a class exercise, but I will be sure to make it up in Lecture 4.

Send article as PDF to

Today I gave a lecture to my risk management class at Penn State (SRA 311, Risk Management: Assessment and Mitigation) focused on the words of risk analysis (lecture 2 of 31).  As anyone who provides services to any type of client knows, one of the first things you have to do on day one is ensure a common understanding of key words and phrases.  This was part one of my lecture, that is, explaining that people don’t necessarily assign the same meanings to certain words as others, even if they are in the same field.  The remaining parts focused on two words in particular – “security” and “risk” – and sought to explain what “risk” is and how it fits into security activities.  This lecture was fun for me to deliver, but in hindsight, it was probably a bit too densely packed with ideas for students with less background knowledge.  All in all, I think it went ok.

Class Summary

As a backdrop for discussion, I had my students read two articles.  The first article was entitled “Same Words, Different Meanings: The Need for Uniformity of Language and Lexicon in Security Analysis and Management” by Andrew Harter (a good friend of mine) published by the Critical Infrastructure Protection Program of the George Mason University School of Law in the monograph entitled Critical Infrastructure Protection: Elements of Risk (prepared by Liz Jackson, another good friend of mine).  Basically, this article is a call to action in the security analysis and risk management community for establishing a common lexicon through voluntary consensus standards.  For those unfamiliar with this issue, Mr. Harter’s article addresses the question “why is a common lexicon needed?” and “what can be done to make progress toward this goal?”   Though one might argue that alternative viewpoints (e.g., a common lexicon is not needed) were not addressed in this article (which is a “hit” on fairness), the point surely rings true to anyone who plays the security risk analysis game.  Imagine how difficult it is to communicate on risk matters when your definition of risk (e.g., potential for harm) doesn’t match well with mine (e.g, loss following an event).  I’ve experienced hours of time wasted due to a simple misinterpretation of language, and nothing is worse than arguing semantics when other more important issues have yet to be resolved.

Some might argue that definitions don’t matter so much.  After all, risk analysis is a decision support activity, and really all that matters is whether we have empowered the decision maker with “decision advantage.” [I borrow this phrase from the Jennifer Sims at Georgetown University as it is applicable to ALL areas where analysis is done, risk and intelligence in particular].  Accordingly, one might accept the definition of risk as “whatever is appropriate for the decision maker at the time.”  But as the author of my second paper, Giovanni Manunta, might argue, while such a vague definition might be useful in the client-analyst context, it is not helpful if one desires to treat risk as a science and methodically study all the different subtopics that fall under the heading of risk analysis (see the very first text block on the Society for Risk Analysis homepage for their definition of what “risk analysis” entails).  A common understanding of the various “words of risk analysis” is needed in order to speak sensibly about the subject within the community of educators, scholars, and practitioners.  (as an aside, see Professor Kristan Wheaton’s blog for an interesting and related discussion entitled “What is Intelligence?“)

The second paper discussed in my class was entitled “What is Security?” by Dr. Giovanni Manunta and published in the Security Journal, Volume 12, Issue 3, pp. 57-66 (http://dx.doi.org/10.1057/palgrave.sj.8340030).  I chose this paper for three reasons.  First, for me it was a great read and why not share with my students papers I find worthwhile.  In fact, many of Dr. Manunta’s monographs are really worth spending some time reading and absorbing if you are in the security profession.  Second, this paper is a nice complement to the first in that it goes into great depth as to why a commonly accepted conceptual definition for security is needed.  Third, this paper actually does a good job of describing the conceptual underpinnings of security by explaining in detail the three required elements of a security context – namely, a Protector (the entity that desires security), a Threat (the entity that challenges the protector’s security), and an Asset (the object of conflict).  The general formula for security, S, is then S=f(P,T,A)Si, where the Si outside of the parenthesis is a variable that accounts for the situational factors underlying the relationship between P, T, and A.  If any one of P, T, or A are absent in a given situation, you do not have a security context, and as such it makes no sense to speak about managing risks.

At this point I finished discussing (as socratically as I could in the time I had available) the two articles.  Throughout I attempted to elicit from students answers to questions centered on Elder and Paul’s Eight Elements of Thought and Intellectual Standards to encourage critical analysis of who the people writing such articles are, their purpose for writing, points of view, concepts, assumptions, etc.  However, I tried not to stretch this discussion out too long given that I already had my students complete a written assignment that systematically addresses the eight elements and intellectual standards.

The next portion of this lecture centered on how risk management fits within the world of security.  Borrowing from Manunta’s Diogenes Paper No. 1 (ISBN: 0-9501575-4-6), I sought to leverage assumed prerequisite knowledge of Venn Diagrams and Set Theory to explain the concepts of Security and Not Security, where Not Security includes Total Insecurity and all degrees between.  The degrees in-between represents a fuzzy-boundary between security and not security, that is, if one accepts that the state of security is actually a fuzzy set.  The Venn diagram I used is shown below, though in class I actually drew it on a Tablet PC.

The point I stressed is as follows: in a security context, a Protector has finite resources to make progress toward an unbounded objective.  This is where risk management comes in – risk management is used to maximize the efficiency of these resources by applying them in such a way that maximizes our progress toward a state of security.  The balance of risk between what we want to achieve and what we can achieve is known as the residual risk.  Ultimately, given the options available to us to reduce risk in light of available resources, we want to minimize the residual risk.  But as Manunta points out in “What is Security?,” security involves risk management, but managing risk doesn’t necessarily guarantee security.  That is, risk management and security are not the same thing.

I ended the lecture with a light hearted game of “Risk Mad Libs.”  First, I offered a generic definition of risk intended to guide us through our thinking in the rest of the course.  The definition is as follows:

Risk: The uncertainty around future events

We discussed what was meant by the word “uncertainty” in this definition, and examined the different types of uncertainty that we often encounter in risk analysis.  This includes the variability associated with one or another event occurring among a set of mutually exclusive (distinct) and collectively exhaustive (complete) alternatives, the incertitude associated with whether elements in our set are relevant or whether our set of alternative events is complete, and the inherent vagueness in what any particular element of the set really means.  Unfortunately, my extemporaneous nature kept me from explaining the remaining two words – “future” and “events,” but if I could go back in time I would stress that risk has to do with the uncertainty in what will happen and not what has already happened, where the future “events” can be described as a situational description (“mom will get sick”) or in terms of some measures (“1 morbidity” and “$10,000 in medical fees”).

Now that we had a definition of risk to work with, I asked students to break into groups and fill in the blank:

____________________ Risk

where the blank can represent practically any word.  My specific instructions were to select one “serious” word and one “silly” word, fill in the blank with each in turn, and in doing so characterize the nature of what is meant by the resulting phrase (i.e., who would care, what are some causes of concern and what are outcomes of concern).  I started with the serious word “information” to form the phrase “information risk.”  Then I moved onto the word “political” followed by the silly word “dog.”  For each we identified someone who might be considered a stakeholder in such a field (e.g., “dog owner” for “dog”), and brainstormed what events could occur (“dog runs away”) and the spectrum of ensuing outcomes (“dog gets hit by car,” “dog bites pedestrian,” “dog comes home”).  In the remaining 2 minutes of class following the exercise, we had some cool responses, including “computer mouse risk,” “environmental risk,” “body odor risk,” etc.   The basic idea here was to enable students to reason out what is meant when you see a phrase such as “financial risk,” and after this lecture I am confident the students can do this.

Next Up

The next lecture stands to be a fun one – the topic is “The Role of the Risk Analyst and Decision Advantage.”  This lecture is the second of 3 “Philosophy of Risk” analysis lectures; after these, we will be way more applied in the classroom setting (something I am sure the students would appreciate).

Send article as PDF to