
 
 

See what I mean? (Nasrudin on Risk No. 1)

Tuesday, December 22nd, 2009

(This is the first post containing a Nasrudin tale related to risk…)

Nasrudin was throwing handfuls of crumbs around his house.

‘What are you doing?’ someone asked him.

‘Keeping the tigers away.’

‘But there are no tigers in these parts.’

‘That’s right.  Effective, isn’t it?’ (Shah 4)

From a risk management point of view, Nasrudin asserts that because of his actions (i.e., throwing handfuls of crumbs around his house), all risks associated with the presence of tigers have been mitigated.  That is, Nasrudin believes that his actions reduced the probability of tiger presence to zero, thus bringing risk to zero.  And because no tigers have appeared, Nasrudin suggests that his strategy is “effective.”

Anyone have a good modern analogy to this silliness?

References

Shah, I. (1983). The Exploits of the Incomparable Mulla Nasrudin.


Accident Dynamics

Sunday, July 5th, 2009

I found this image (shown below) illustrating the dynamics of home accidents as published in the 1973 editorial by W. G. Johnson entitled “Sequences in Accident Causation” (Journal of Safety Research, Vol. 5, No. 2, pp. 54-57):

[Image: dynamics of home accidents]

I interpret the “Point of No Return” as “BOOM” on the accident-loss timeline.


Thoughts on Estimating the Risk of a White Christmas

Saturday, December 20th, 2008

I never knew this, but the Weather Channel website provides a nice service that estimates the probability of a White Christmas at different places across the United States.  A snapshot of the most up-to-date (I wish I could embed) National White Christmas Probability Map is shown below (19 Dec 08, 1344 EST).  The Weather Channel defines a “White Christmas” as one where there is at least 1 inch of snow on the ground on Christmas morning.

[Image: National White Christmas Probability Map]

From the looks of it, the Weather Channel estimates the chances of a white Christmas in State College, PA to be 50-75%.  Well, unless someone does some heavy duty shoveling around my house AND it warms up quite a bit before next Wednesday, I would have to say that the probability of a white State College Christmas is near one, especially given the imminence of yet another winter weather system hitting Pennsylvania.

Rather than estimate the probability of a white Christmas (which is largely for consumers of novelty information), what I think would be more interesting is for the Weather Channel to estimate white Christmas risk, or the chances that snow will dampen a person’s Christmas experience.  The idea of a white Christmas conjures up nostalgic thoughts of holiday cheer, but think about all the work that must happen to clean up the snowy mess enough to maintain transit routes, minimize snow-related accidents, and basically keep public inconvenience to a minimum.  The question at issue here would be to estimate the number of people (% per region, count per square mile normalized by population density, etc.) whose Christmas experience would be disrupted by the White Christmas snow.  At a macro level, I see such risk being a function of:

  • number of travel disruptions affecting local residents (delayed/canceled departures and arrivals)
  • whether the snow is fresh from a new system or leftover from a storm that has already passed (i.e., whether clean-up effort is required)
  • whether subsequent weather forecasts insist that the snow be cleaned up (e.g., expected high winds, sudden thaw followed by deep freeze)
  • whether the expected snow loading poses a disruption threat to local infrastructure (e.g., power)
  • whether the affected region has the capacity and will to respond
  • the severity of the temperature relative to normal conditions
  • and so on

And as we have all been led to believe over and over again in various holiday movies, there might be something to the spirit of Christmas as a risk mitigator.  For example, does holiday cheer increase a person’s risk tolerance or perhaps people’s ability to cope with challenges they face on Christmas day?  Maybe someone did a study on this, but I haven’t checked.

One way to start thinking about such an analysis would be to check out a really old, yet very good, 1967 paper written by Professor J. F. Rooney entitled “The Urban Snow Hazard in the United States: An Appraisal of Disruption” (Geographical Review, Vol. 57, No. 4, pp. 538-559, permalink) or the 1976 paper by Howe and Cochran entitled “A Decision Model for Adjusting to Natural Events with Application to Urban Snow Storms” (Review of Economics and Statistics, Vol. 58, No. 1, pp. 50-58, permalink) or even the OR-oriented 1976 paper by Cook and Alprin entitled “Snow and Ice Removal in an Urban Environment” (Management Science, Vol. 23, No. 3, pp. 227-234, permalink).  For example, Rooney outlines a framework for thinking about the urban snow hazard that highlights how snow can impact a variety of activities, as shown below.

[Image: urban snow hazard]

[Image: hierarchy of snow disruptions]

And for grins, below is a process diagram for salt truck operations described by Cook and Alprin (I include it because it is interesting):

[Image: salt truck operations process diagram]

I think next semester or perhaps the year after I will try to recruit a few students to do a White Christmas risk assessment.


The Three or Four “D”s of Security

Monday, October 6th, 2008

The authors of a book I read recently spoke of the “three D’s” of security: “denial,” “detection,” and “deterrence” (the latter being my personal favorite).  These “three Ds” brought to mind another set of “Ds” I came across while on an ASME Fellowship to the Department of Homeland Security in 2003-2004: “detect,” “delay,” “defend,” and “devalue.”  This post talks about these two different sets of security “D” words, and the extent to which one is or is not better than the other.

To begin this discussion, let’s first consider a logical expression for security vulnerability, which is usually expressed in terms of the probability of adversary success given attempt:

Pr(S) = 1 – Pr(“Detect”)·Pr(“Engage”)·Pr(“Neutralize”)

In words, this equation states that adversary non-success (defender success) requires that the defender detect, engage (which consists of delay and response) then neutralize the adversary (in sequence) – failure to do any one of these will result in adversary success (barring any random things outside the protector’s control that might thwart the adversary’s attempt).

From the point of view of the equation above, DHS is dead on and more.  The equivalence of detection is evident.  In order to engage an adversary, one must respond to the adversary prior to him executing an attack.  Delaying an adversary long enough to respond enables engagement – the longer the delay, the greater likeliness that the defenders will respond in time to do something to stop him.  Defense is essentially equivalent to neutralization in that the objective is to thwart the attacker once engaged.  So, the first three “Ds” of the DHS security quartet correspond to the three parameters of the security vulnerability equation.

But where does devalue fit in?  I must admit that I never heard anyone use the word “devalue” in the context of security prior to my days at DHS.  The focus of devalue is not on improving security, but on improving the resilience or hardness of a system to withstand an attack.  That is, a “devalued” target is one that has been modified in such a way that would result in less loss to the defender (and hence less gain to the adversary) in the event of an attack.  In this sense, devalue seeks to influence adversary target selection by making it intrinsically difficult to achieve the desired gain even when the security system fails.  For example, without doing anything to improve security, the switch to using bleach instead of chlorine in a water treatment facility in effect devalues such a target since bleach is much less harmful to humans in the event of its deliberate release.  Adversaries bent on exploiting infrastructure to harm adjacent communities might be less interested in attacking a water treatment plant that made such a shift.

Now consider the security triplet described by Fuqua and Wilson (see my recent post on their 1977 book) in light of the above equation for security vulnerability (i.e., deny, detect, deter).  Fuqua and Wilson essentially looked at the security problem from the point of view of an asset owner (e.g., the “executive”).  Again, the equivalence in the detection term is evident.  “Denial” considers the combination of both engagement and neutralization following detection (such as by a local police force), as well as simple barriers that can’t realistically be overcome (e.g., 12-foot walls followed by several layers of fences covered in razor-wire), distance or terrain with deadly animals (e.g., attack dogs, flocks of scary geese, alligators in moats), etc.  Denial, though, is more broadly focused on denying success in whichever way possible; detection need not occur for an adversary to be denied opportunity. The combination of detection measures and denial measures (including those that require detection and those that do not) covers the same elements as the equation posed at the beginning of this post, but in a slightly different way as follows:

Pr(S) = 1 – Pr(“Denial”|“Detection”)·Pr(“Detection”) – Pr(“Denial”|“No Detection”)·Pr(“No Detection”)

(The astute reader might notice that the equation above equates the event “denial” with “adversary failure,” or rather “failure to deny” is the same as “adversary success.”)  Obviously, this equation is more general than the one posed initially as the defender still stands a chance at denying the adversary success through non-detection-dependent denial measures.
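The relationship between the two equations above can be checked by enumerating the event tree. The following is an added example, not code from the original post: it assumes the stages are statistically independent and introduces a hypothetical passive barrier (probability `p_barrier`) that denies the adversary whether or not he is detected; all numeric values are constructed for illustration.

```python
from itertools import product


def pr_success_sequence(p_detect, p_engage, p_neutralize):
    """First equation: Pr(S) = 1 - Pr(Detect) * Pr(Engage) * Pr(Neutralize)."""
    return 1.0 - p_detect * p_engage * p_neutralize


def pr_success_denial(p_detect, p_deny_given_detect, p_deny_given_no_detect):
    """Second equation: subtract the denial probability on both detection branches."""
    return (1.0
            - p_deny_given_detect * p_detect
            - p_deny_given_no_detect * (1.0 - p_detect))


def pr_success_event_tree(p_detect, p_engage, p_neutralize, p_barrier):
    """Sum the probability of every branch on which the adversary is NOT denied.

    Assumption (not from the post): the four stages are independent, and the
    barrier works without any need for detection.
    """
    stage_probs = [p_detect, p_engage, p_neutralize, p_barrier]
    total = 0.0
    for outcome in product([True, False], repeat=len(stage_probs)):
        detected, engaged, neutralized, barrier_holds = outcome
        branch = 1.0
        for p, happened in zip(stage_probs, outcome):
            branch *= p if happened else 1.0 - p
        # Denial: the barrier holds, or the full detect-engage-neutralize chain works.
        denied = barrier_holds or (detected and engaged and neutralized)
        if not denied:
            total += branch
    return total


def compare(p_detect=0.9, p_engage=0.8, p_neutralize=0.7, p_barrier=0.25):
    """Return Pr(S) from each formulation for one constructed set of inputs."""
    chain = p_engage * p_neutralize
    # Conditional denial probabilities implied by the independence assumption.
    deny_given_detect = 1.0 - (1.0 - chain) * (1.0 - p_barrier)
    deny_given_no_detect = p_barrier
    return {
        "sequence_only": pr_success_sequence(p_detect, p_engage, p_neutralize),
        "tree_no_barrier": pr_success_event_tree(p_detect, p_engage, p_neutralize, 0.0),
        "general_equation": pr_success_denial(p_detect, deny_given_detect,
                                              deny_given_no_detect),
        "tree_with_barrier": pr_success_event_tree(p_detect, p_engage,
                                                   p_neutralize, p_barrier),
    }


if __name__ == "__main__":
    for label, value in compare().items():
        print(f"{label:18s} Pr(S) = {value:.3f}")
```

With no barrier the general equation collapses to the first one; with the barrier, Pr(S) drops even on the branch where detection fails, which the first equation cannot express.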

“Deterrence” (again, my personal favorite) touches on those measures that influence the perceptions of adversaries.  Arguably, all visible security measures have some deterrence value as they shape the adversary’s perceived probability of success.  Measures taken to devalue a target also act as a deterrent in the sense that they lessen the adversary’s perceived gain from success.  Even deceptive measures such as decoys that have no intrinsic “aggressor resistance” have at least a little deterrence value so long as the adversary remains fooled.  If the adversary feels that success is less likely than failure, and that the gain from success is less than desired, the overall likeliness of an event is lower than if success seemed likely and the gain were sufficient.  So, unlike all the other “D” words talked about so far, deterrence is the only term that specifically targets the likeliness of event portion of the risk equation.

So which set of “D” words is better?  It really is hard to say.  Fuqua and Wilson offer a term (“deterrence”) that relates to likeliness of event, while the DHS approach (“devalue”) offers a term that relates to the physical vulnerability portion of the risk equation.  Otherwise, the two sets of “D” words are the same, more or less.  In the end, all these “D” words (as well as words that start with letters other than “D”) are important since they assist security practitioners in thinking through problems.

With all this talk about “D” words, I find myself tempted to write a security-related song about the letter “D” in the spirit of Cookie Monster’s song about the letter “C”.   I call it “D’s are for Security” or the “Security Song:”

D is for denial, to stop you from harming me

D is for detection, to catch my enemies

D is for deterrence, to scare you away from me

Oh, security is all about “Ds.”


The Financial Crisis: A Case of Ontological Uncertainty Aversion?

Wednesday, October 1st, 2008

For those readers following the current financial crisis, one can come up with a number of seemingly good reasons for and against the US government’s proposed bailout package.  I admit that I am very ignorant of the inner workings of the extremely complex system we call “the economy” as it is (as most people are, whether they realize it or not, economists included).  Because of this, I am in no position to assess the benefits (which may, in general, be negative) and risks associated with a bailout.  The only information I have is the direct cost of action (up to $700,000,000,000 or more) and direct cost of inaction ($0).

Due to my extreme ignorance of the economy, all I can estimate are three possible futures given that the US government proceeds with the bailout (mutually exclusive and collectively exhaustive; event labels shown in parentheses following scenario narratives):

  • The bailout will hurt the economy relative to inaction (“-”|B)
  • The action taken will not change anything about the economy relative to inaction (N|B)
  • The bailout will improve the economy relative to inaction (“+”|B)

Following Laplace’s principle of indifference, I am forced to assign a probability of [0,1] to each of these three scenarios since I have minimal understanding of the economy.  In “precisiated” form (to use the term coined by Professor Lotfi Zadeh), this means that the probability of each scenario above is equal at 0.333… or 1/3.

If the bailout does not happen (“Not B” or “~B”), then there are three possible outcomes:

  • The economy is worse in X years than it is now (“Worse”|~B)
  • The economy is the same in X years as it is now (“Same”|~B)
  • The economy is better in X years than it is now (“Better”|~B)

Let’s assume X = 5.  Again, following the principle of indifference, I am forced to assign a probability of [0,1] to each of these three scenarios.  In “precisiated” form, this means that the probability of each ~B scenario above is equal at 0.333… or 1/3.

Just for the sake of argument, let’s express the state of the economy in terms of an overall “utility” value labeled U.  For the three ~B scenarios above, we then have the following utility values where a value of 0 corresponds to the current (i.e., today’s) state:

  • U(“Worse”|~B) = -a
  • U(“Same”|~B) = 0
  • U(“Better”|~B) = b

Obviously, -a ≤ 0 ≤ b, or rather “a” and “b” provide magnitudes and the signs preceding these variables specify whether this magnitude is good or bad.  Now let’s examine the expected utility associated with each option “Not Bailout” or “Bailout.”  For the ~B option, we have (not including cost to implement):

U(~B) = U(“Worse”|~B)·Pr(“Worse”|~B)+U(“Better”|~B)·Pr(“Better”|~B) = (-a+b)/3

For the B (bailout) option, we have (not including the cost to implement):

U(B) = Pr(“-”|B)·[(-a-c)/3+(b-d)/3+(0-e)/3]+Pr(N|B)·[(-a+b)/3]+Pr(“+”|B)·[(-a+f)/3+(b+g)/3+(0+h)/3]

or

U(B) = [(-a-c+b-d-e)/9]+[(-a+b)/9]+[(-a+f+b+g+h)/9]

or

U(B) = (-a+b)/3 + (f+g+h-c-d-e)/9

In the above, “c” is the magnitude of “Δbad” with respect to the non-bailout possibility of “-a”; “d” is the magnitude of “Δbad” with respect to the non-bailout possibility of “b”; “e” is the magnitude of “Δbad” with respect to the non-bailout possibility of “0”; “f” is the magnitude of “Δgood” with respect to the non-bailout possibility of “-a”; “g” is the magnitude of “Δgood” with respect to the non-bailout possibility of “b”; and “h” is the magnitude of “Δgood” with respect to the non-bailout possibility of “0.”

The expected five-year benefit of the bailout action is the difference between the expected utility of bailout and the expected utility of no bailout, or:

Benefit(B) = U(B) – U(~B) = (f+g+h-c-d-e)/9

The question now is whether expected benefit exceeds the cost of implementing the bailout plan, or does Benefit(B) ≥ $7·10^11?  In terms of the benefit above, is (f+g+h-c-d-e) ±Y ≥ $6.3·10^12 ± Z? (note that I added the “Y” and “Z” to account for costs, benefits, and risk outside the immediate scope of my reasoning). Well, I cannot answer this question of judgment given my personal knowledge of “the economy.”  And again, I doubt there are more than perhaps just a few people out there who could state with any appreciable degree of confidence that this inequality will be true in five years’ time.  The only reliable way to work toward an answer to this question is to debate various positions.  Admittedly, this is what Congress is doing right now.  But for a problem as big as the media and president claim it to be, I doubt sufficient debate can occur in the perceived window of opportunity for action (regardless of whether this perception is accurate).

Now why did I go through all of that only to say that I have no idea whether or not this inequality is true?  The reason is simple – when it comes down to strict economic terms, the real question is whether (f+g+h-c-d-e) ≥ $6.3·10^12.  Basically, this is the explicit form of the otherwise vague question “do the benefits of the bailout meet or exceed its costs?”  To date, answers have been as vague as the question they are working with.

I have my own suspicions as to why the bailout is being given serious consideration, and it is simpler than the reasons offered in the media.  Basically, decision makers are averse to increased ontological uncertainty.  Ontological uncertainty, as explained by Professor DG Elms at the University of Canterbury in his paper “Structural Safety – Issues and Progress” published in the journal Progress in Structural Engineering Materials, Vol. 6, No. 2, pp. 116-126 (2004), doi:10.1002/pse.176, has to do with the unknown and unexpected, or uncertainty due to our lack of understanding of what really exists (I personally do not see much difference, conceptually, between ontological uncertainty and epistemic uncertainty, as both are reducible forms of uncertainty having to do with lack of knowledge). Let’s view the bailout as a measure aimed at mitigating increasing ontological uncertainty.  Currently, decision makers and their advisers across government and academia have some understanding of how this complex system we call “the economy” works as it was a few days, weeks, or months ago (as meager as this understanding is).  Unfortunately, the extremeness of recent events is forcing a structural change within this complex economic system. When the dust settles, say, one, two, or three years hence, we will be left with a new economy that, while functional, has the potential to be radically different from the economy we have come to understand.  The bailout, thus, can be viewed as a strategy aimed at trying to keep the economy as it was AND to not let it self-correct.  If the economy stays as it was, then our collective understanding of how it works remains relevant.

But no one can deny that, regardless of whether the bailout passes, change is-a-happenin.  Several structural changes have occurred already, e.g., less lending, government intervention with AIG, Bank of America purchasing Washington Mutual, Citigroup wanting to purchase Wachovia, etc.  How does the economy work now relative to before, when Washington Mutual and Wachovia existed?  And with any intervention, while it may preserve what is left of “the economy” as we knew it, it is bound to set precedent for future government intervention both here and abroad, may adjust investor attitudes toward risky propositions, sour public sentiment, and so on.  That is, while the bailout might quell change in the economic system, it may also significantly impact the socio-political system that the economy relies on to function.  At this point, I suspect the total amount of structural change that will occur, bailout or not, will leave our experts more in the dark about how our system works than they were not too long ago.  That is, ontological uncertainty is increasing regardless of whether action is taken.  Then again, were we in the dark to start with?  If so, this might explain why we find ourselves in this mess.


Source Analysis and the Twenty-Five Questions of Schum and Morris

Saturday, September 20th, 2008

In their really, REALLY good paper entitled “Assessing the Competence and Credibility of Human Sources of Intelligence Evidence: Contributions from Law and Probability” published in the journal Law, Probability and Risk, Vol 6, pp. 247-274 (doi:10.1093/lpr/mgm025), authors David A. Schum (of George Mason University) and Jon R. Morris (of CIA DS&T) identified a set of twenty-five (25) questions whose answers bear on the question of whether a human source of information is competent and credible.  The twenty-five questions are listed below, divided into four categories: competence, veracity, objectivity, and observational sensitivity.

Competence (or is the source qualified to provide the information?)

Leveraging all relevant existing evidence, for each of the five (5) questions below, respond with one of the following four answers: (a) the evidence on this question favors this source’s competence; (b) the evidence on this question disfavors this source’s competence; (c) I cannot decide whether the evidence on this question favors or disfavors the source’s competence; or (d) there is no available evidence bearing on this question.

  1. Did this source actually make the observation being claimed or have access to the information reported?
  2. Does this source have an understanding of what was observed or any knowledge or expertise regarding this observation?
  3. Is this source generally a capable observer?
  4. Has this source been consistent in his/her motivation to provide us with information?
  5. Has this source been responsive to inquiries we have made of him/her?

Veracity (or does the source believe what he/she is saying?)

Leveraging all relevant existing evidence, for each of the ten (10) questions below, respond with one of the following four answers: (a) the evidence on this question favors this source’s veracity; (b) the evidence on this question disfavors this source’s veracity; (c) I cannot decide whether the evidence on this question favors or disfavors the source’s veracity; or (d) there is no available evidence bearing on this question.

  1. Has the source told us anything that is inconsistent with what this source has just reported to us?
  2. Is this source subject to any outside influences?
  3. Could this source have been exploited in any way in this report to us?
  4. Is there any other evidence from other sources that contradicts or conflicts with what this source has just reported?
  5. Is there any evidence from other sources that corroborates or confirms what this source has just reported?
  6. What evidence do we have about this source’s character and honesty?
  7. What does this source’s reporting track record show about the source’s honesty in reporting to us?
  8. Is there evidence that this source tailored this report in a way that this source believes will capture our attention?
  9. Are there collateral details in this report that reflect the possibility of this source’s dishonesty?
  10. Evidence regarding the demeanor and bearing of this source during the interview?

Objectivity (or was the source’s belief based on the evidence obtained by the source?)

Leveraging all relevant existing evidence, for each of the five (5) questions below, respond with one of the following four answers: (a) the evidence on this question favors this source’s objectivity; (b) the evidence on this question disfavors this source’s objectivity; (c) I cannot decide whether the evidence on this question favors or disfavors the source’s objectivity; or (d) there is no available evidence bearing on this question.

  1. Is there evidence about what this source expected to observe during the reported observation?
  2. Is there evidence about what this source wished to observe during the reported observation?
  3. Was this source concerned about the consequences of what this source believed during the observation?
  4. Is there any evidence concerning possible defects in the source’s memory? Also, how long ago did this source’s observation take place?
  5. Is there any other evidence from other sources that contradicts or conflicts with what this source has just reported?

Observational Sensitivity (or how good was the evidence obtained by the source?)

Leveraging all relevant existing evidence, for each of the five (5) questions below, respond with one of the following four answers: (a) the evidence on this question favors this source’s observational sensitivity; (b) the evidence on this question disfavors this source’s observational sensitivity; (c) I cannot decide whether the evidence on this question favors or disfavors the source’s observational sensitivity; or (d) there is no available evidence bearing on this question.

  1. The source’s sensory capacity at the time of observation?
  2. The conditions under which the observation took place?
  3. The source’s track record of accuracy in previous reports?
  4. Is there any other evidence from other sources that contradicts or conflicts with what this source has just reported?
  5. Are there collateral details in this report that reflect the possibility of this source’s inaccuracy?

Using the Questions

According to the authors, the twenty-five questions above have been implemented in a system called MACE (or Method for Assessing the Credibility of Evidence) that apparently has been under development for some time (I wonder if MACE was fully funded by CIA; if so, do I hear FOIA request?).  The remainder of the paper describes the MACE system and how it works.  For the purposes of this post, it is sufficient to point out that MACE is an evidence marshalling tool.  That is, MACE provides a structured set of questions that enables the analyst to make sense of the evidence bearing on a particular source’s competence and credibility.

In addition to providing an answer to each of the twenty-five questions, MACE insists that the analyst judge the relative importance of each question involving a particular situation and a particular report.  Moreover, MACE asks the following two questions:

  1. On balance, does the evidence favor or disfavor the source’s competence, veracity, objectivity, and observational sensitivity, keeping in mind the number of questions that remain unanswered?
  2. On balance, how strongly does the accumulated evidence favor or disfavor our believing of the report this source has just given us, keeping in mind the number of questions that remain unanswered?

Why Care?

According to the standards for analytic tradecraft articulated in Intelligence Community Directive 203 (ICD 203), all intelligence products must “properly describe the quality and reliability of underlying sources” (section D.4.e.(1)).  [Note that the standard in section D.4.e.(2) is also very important, that is, "properly caveats and expresses uncertainties or confidence in analytic judgments."  But I will defer this discussion until a bit later.]  What Schum and Morris provide is a means for arriving at meaningful statements of source competence and credibility that simply were not available in a documented form prior to publication of this paper.

And why do I, as a risk (not necessarily intelligence, though I can play the part) professional think this is important?  Well, most (if not all) security risk analyses rely mostly on the opinions of subject matter experts, organizational representatives, etc. (i.e., humans) for the information needed to make a judgment about threat, vulnerability, and risk.  Much like in intelligence analysis, risk analysts must carefully appraise the information used to support analysis in terms of both its content and its source so as to ensure that the product is free of unintended bias and influence.


The Kreyszig of Risk

Saturday, September 6th, 2008

Many, if not most, upper-level undergraduate and first-year graduate engineering students are familiar with the famous text entitled Advanced Engineering Mathematics by Erwin Kreyszig (now in its ninth edition).  If you are not familiar with this book and you desire a single source for the body of practical mathematical concepts that enable engineering analysis, then I strongly advise that you become acquainted with “Kreyszig.”  This book covers the practical elements of calculus, differential equations, linear algebra, numerical analysis, optimization, and probability and statistics, all in 1248 pages!  I will forever keep this book handy.

Cover from the 8th Edition (the one I used)

Recently I encountered a book that, in my mind, rivals Kreyszig in terms of comprehensiveness and thoroughness.  The title is Actuarial Mathematics by Bowers, Gerber, Hickman, Jones, and Nesbitt (second edition, ISBN: 0938959468).  But unlike the Kreyszig text, Actuarial Mathematics is all about the mathematics of risk.  Topics covered in this book include probability models, survivorship functions, insurance pricing, regression, and so on.  Though the title may sound dry, this book is sufficiently lively in tone to keep my mind occupied during an otherwise boring meeting.  This book is absolutely amazing, and for that reason I call it the “Kreyszig of Risk.”  But I would argue that the text advocates mathematical practice that, despite being the accepted standard of practice in the world of professional actuaries, is primitive relative to modern uncertainty modeling approaches (e.g., probability boxes).  I think there is potential for quite a lot of research work focused on applying modern mathematical theory to actuarial problems.

Now despite its mathematical allure, Actuarial Mathematics does not help security risk professionals do their job any better given their inherent reluctance to quantify things without supporting data.  But this did not stop me from buying the book and enjoying every minute of it.  Actually, I believe (as of late) that there is much for a security risk professional to learn from other disciplines where risk analysis is routinely used (e.g., political risk assessment, actuarial science).  So picking this book up was my first attempt at understanding the requisite mathematical body of knowledge to become an actuary (see the American Academy of Actuaries website for more information on what an actuary does and what it takes to become one).


The Fallacy of the “Worst Reasonable Case”: A Preemptive Critique

Sunday, June 8th, 2008

According to a model for homeland security risk analysis that is currently under consideration for use in supporting resource allocation decisions, the formula for the risk associated with a specified scenario is as follows:

Risk = C * L(S|A) * L(A)  (Equation 1)

where L(A) is the likelihood of an attack being attempted, L(S|A) is the likelihood of adversary success given attack, C is the consequences following a successful attack, and the total risk is obtained by summing the results of Equation 1 for all relevant scenarios.  At first glance, it would appear to the casual reader that this model is simply an implementation of risk measured in terms of expected loss, with the exception of the non-standard representation of L(.) for expressing the probability of the event contained within the parenthesis (I disagree with this notation, but let’s just go with it for now). Further elaboration of this model was presented at a recent workshop I attended, where it was noted that the consequence variable C corresponded to the “worst reasonable case” consequences given a successful attack.

Equation 1 is a valid representation of risk if and only if the consequence represents a conditional expected consequence, or rather mean value of consequence given adversary success. That is, Equation 1 works in the context of risk expressed as an expected loss, all things considered.  While admittedly I have no information that fully explains the intent of the qualifying phrase “worst reasonable case,” one can reasonably assume from this phrasing that such a value takes on a value well above the mean, and perhaps positioned somewhere in the upper tail of the corresponding probability distribution on loss.

For the sake of argument and without loss of generality, let’s assume that worst reasonable case corresponds to some percentile value above the median, say 90%. That is, the worst reasonable case loss according to this hypothetical interpretation is the value of loss that will not be exceeded in 9 out of 10 cases (or rather, will only be exceeded in 1 out of 10, or 10% of attacks). Alternatively, worst reasonable case can be taken as the conditional average value of loss in some finite region of the upper tail, or any other percentile value above the median. Of course, the exact interpretation of “worst reasonable case” is vague, but assuming that it takes on any value other than the mean is equally valid in making the point in this critique.

One reasonable assumption in using the risk model in Equation 1 is that given inputs for consequence characterized as “worst reasonable case” for each scenario, the result from Equation 1 should be the “expected worst reasonable case” consequence in light of non-zero probabilities of adversary success and failure and non-zero probabilities for attack and no attack. As described in any textbook on risk analysis or decision theory, the use of an expected conditional loss given success in Equation 1 yields risk that is, in fact, in terms of an expected loss across all included scenarios. Now assuming that “worst reasonable case” preserves its interpretation in the context of both “worst reasonable case” consequence given success and “expected worst reasonable case” consequence (e.g., “worst reasonable case” always implies a percentile value of 0.9 or 90%), does Equation 1 adhere to this assumption? Only one single counterexample of how the translation does not hold is necessary to answer this question in the negative.

Example: Consider two scenarios, labeled “Scenario 1” and “Scenario 2” with conditional consequence distributions (given a successful attack) shown in Figure 1. From these distributions, the “worst reasonable case” (at 90%) is 12.6 and 6.3 for Scenarios 1 and 2, respectively. Now let’s assume that the probability of adversary success for Scenario 1 has been determined to be 0.8 (probability of adversary failure is 0.2), and the same parameter for Scenario 2 has been determined to be 0.7 (probability of adversary failure is 0.3). This gives conditional consequence distributions (given attack) for both scenarios as shown in Figure 2, where it is assumed that attack failure produces no consequence. From these conditional consequence distributions given attack, the “conditional worst reasonable case” consequences are 12.3 and 6.1 for Scenarios 1 and 2, respectively.

Now, let’s further assume that the probability of attack in a given time frame is 0.4, with 0.7 of this probability being allocated to Scenario 1 and the balance (0.3) being allocated to Scenario 2. From this extra information, the probabilities of attack for Scenarios 1 and 2 are 0.28 and 0.12, respectively (0.6 probability of no attack). The aggregate consequence distribution is shown in Figure 3. Recalling that we are setting “worst reasonable case” to the 90th percentile value on loss, the “worst reasonable case” consequence in light of the conditional consequences and probabilities for attack (and no-attack) and success (and failure) for each scenario is in the low 10s (just read the consequence value off the chart that corresponds to a probability of 0.9 on the y-axis).

Figure 1. Cumulative probability distribution functions for the simple conditional consequence distribution given adversary success for Scenarios 1 and 2

Figure 2. Cumulative probability distribution functions for the simple conditional consequence distribution given attack for Scenarios 1 and 2

Figure 3. Cumulative probability distribution functions for the aggregate consequence distribution

For Equation 1 to be mathematically valid, it must be coherent. That is, the “worst reasonable case” as read from the distribution in Figure 3 must equal that calculated from Equation 1. Let’s see if this is the case. For Scenario 1, the “worst reasonable case” consequence conditioned on adversary success is 12.6, with a probability of adversary success of 0.8 and a probability of attack of 0.28. Thus, the “expected worst reasonable case” consequence for Scenario 1 is (12.6)(0.8)(0.28)=2.8. For Scenario 2, the “worst reasonable case” consequence conditioned on adversary success is 6.3, with a probability of adversary success of 0.7 and a probability of attack of 0.12. Thus, the “expected worst reasonable case” consequence for Scenario 2 is (6.3)(0.7)(0.12)=0.5. Adding these two values together gives a “total expected worst reasonable case” consequence of (2.8)+(0.5)=3.3. This value for “expected worst reasonable case” is NOT equivalent to the value read from the plot in Figure 3. In fact, according to Figure 3, a consequence of 3.3 is about equal to the 70th percentile on aggregate loss. THIS VALUE IS MARKEDLY LESS THAN THE ACTUAL “WORST REASONABLE CASE VALUE”, which suggests that the value obtained from Equation 1 may SIGNIFICANTLY UNDERESTIMATE the worst reasonable aggregate consequence. This effect is even more exaggerated when considering many more than 2 scenarios.

Bottom Line: Unless “worst reasonable case” consequence is another way of saying “expected” consequence (which I doubt, otherwise the word “expected” would be used), there is no guarantee that Equation 1 produces results that are coherent with more rigorous calculations on the underlying probability distributions. Accordingly, Equation 1 is improper for use in the context of informing resource allocation decisions for homeland security.
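The counterexample above can be recomputed without the figures. The following is an added example, not code from the original post: the attack and success probabilities are the post's, while the normal loss distributions N(10, 2) and N(5, 1) are an assumption, chosen because their 90th percentiles match the quoted 12.6 and 6.3.

```python
from statistics import NormalDist

Q = 0.90  # percentile the post uses for "worst reasonable case"

# Probabilities are the post's; the normal loss distributions are assumed
# (their 90th percentiles reproduce the quoted 12.6 and 6.3).
SCENARIOS = [
    {"loss": NormalDist(10, 2), "p_success": 0.8, "p_attack": 0.28},
    {"loss": NormalDist(5, 1), "p_success": 0.7, "p_attack": 0.12},
]


def mixture_cdf(x, parts):
    """P(loss <= x) when loss follows dist with probability w for each
    (w, dist) in parts and is exactly zero otherwise (no attack or failure)."""
    p_zero = 1.0 - sum(w for w, _ in parts)
    return (p_zero if x >= 0 else 0.0) + sum(w * d.cdf(x) for w, d in parts)


def mixture_quantile(q, parts, lo=0.0, hi=100.0):
    """Smallest x in [lo, hi] with mixture_cdf(x) >= q, found by bisection."""
    if mixture_cdf(lo, parts) >= q:
        return lo
    for _ in range(60):
        mid = (lo + hi) / 2
        if mixture_cdf(mid, parts) >= q:
            hi = mid
        else:
            lo = mid
    return hi


def wrc_given_success(s):
    return s["loss"].inv_cdf(Q)  # Figure 1 reading


def wrc_given_attack(s):
    return mixture_quantile(Q, [(s["p_success"], s["loss"])])  # Figure 2 reading


def aggregate_parts():
    # At most one scenario occurs in the time frame, as in the post.
    return [(s["p_attack"] * s["p_success"], s["loss"]) for s in SCENARIOS]


def equation_1():
    return sum(wrc_given_success(s) * s["p_success"] * s["p_attack"] for s in SCENARIOS)


def aggregate_wrc():
    return mixture_quantile(Q, aggregate_parts())  # Figure 3 reading at 0.9


if __name__ == "__main__":
    eq1 = equation_1()
    print(f"Equation 1: {eq1:.2f}, aggregate 90th percentile: {aggregate_wrc():.2f}")
    print(f"Equation 1 result sits at percentile {mixture_cdf(eq1, aggregate_parts()):.3f}")
```

Under these assumed distributions, every intermediate value quoted in the post is reproduced, and the gap between the Equation 1 result and the aggregate 90th percentile is visible directly.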


Words Thou Shall Be Careful to Use in Risk (and Analytic) Communication

Tuesday, June 3rd, 2008

To follow up on my previous post regarding the work of Peter Sandman, I can’t help but advertise his short, yet important article entitled “Risk Words You Can’t Use” published in the August 2005 issue of The Synergist.  While this article is a quick read, I will distill it down further and caveat some with my personal experience:

  • Conservative: To risk people, conservative means an overestimate of risk.  To laypeople, a “conservative” estimate is a low estimate.  So whereas a risk person would use conservative to overstate the risk, a layperson (or perhaps decision maker) may interpret the message to be an understatement of risk, and thereby think that the risk could be much worse.  Now, engineers and scientists understand what is meant by the word “conservative,” as in “my conservative analysis still shows the structure will not fail.”  And fortunately for me, when I described my idea of conservative discounting of expert opinions (to be explained in a later post that I will link to when it is available) I was speaking to an audience of security engineers.  I will keep Sandman’s advice to not use the word conservative when speaking to non-technical audiences, and instead opt for the word “overestimate.”
  • Significant/Insignificant: To risk people and statisticians, a significant finding is one that is non-random.  To laypeople, whether an issue is significant depends on their emotions and value structure.  So, to tell people that the terrorism risk is insignificant might not communicate well.  It is true (right now based on our current understanding and situation) that a person’s individual risk to terrorism is very, VERY low, but the outrage is high, and thus the public’s emotional response might label terrorism as a significant threat.
  • Positive/Negative: To risk people, a positive relationship means that when one variable goes up, so does the other.  To laypeople, a “positive” relationship is favorable from the point of view of risk.  The same can be said of negative relationships.
  • Bias: Bias to a risk person means non-random.  Bias to a layperson spells deceit.
  • Anecdotal: Anecdotal evidence to a risk person means the evidence is just one sample from a much larger sample space.  Anecdotal to a layperson suggests the evidence is an amusing story.  This word might not bode well when talking about anecdotal evidence on poor public response following a catastrophic event.
  • Risk [my personal favorite]: To risk people, the risk associated with a situation describes its probability and the corresponding consequences.  To laypeople, risk usually refers only to the probability component.  In fact, when lecturing on the use of “uncertainty phrases,” I often emphasize that the word “likely” is not an adverb tied to any particular notion, but one that can be used to qualify likeliness, confidence, and risk.  Of course, people probably consider how they feel about a hazard when judging whether the probability, or rather risk to them, is acceptable.  Others, particularly when speaking about finances, use risk to describe uncertainty – the higher the risk, the more uncertain the outcome.  The philosopher Frank Knight sides with these interpretations in his description of “risk proper,” or measurable uncertainty, described in Risk, Uncertainty, and Profit. Most people argue that the only measure of uncertainty, at least when it comes to gambling situations, is probability, so what Knight is suggesting is that assessing “risk proper” is equivalent to a probability assessment.  But Peter Sandman suggests that what people really mean by risk is how outraged they feel about the situation.
  • Safe: To risk people, safety is the judgment of risk tolerance.  If we are safe, then the risk does not exceed some threshold value (whether implicit or explicit).  To laypeople, “safe” = “no risk,” that is they treat it as a binary concept – you are either safe or you are not.  Or rather, there is risk or there is not.  I suppose the same reasoning can be extended to the word secure: to risk people, if we are secure, then the residual adversary risk is low enough for us to accept; to laypeople, “secure” = “no harm will come to them” in the event of an attempt.  Relative statements about safety and security are unambiguous though – to say something is more or less safe or secure than another thing is perfectly acceptable.
  • Prepared: To be prepared means that we possess the capabilities and vigilance necessary to deal with a hazardous situation when it arises.  To risk people, preparedness is tied to risk acceptability – if we are prepared, then we have the capabilities needed to keep risk overall at an acceptable level.  To laypeople, prepared, like safe and secure, is taken to mean no (or perhaps minimal) harm will come to them.
  • Confident: To say to someone else that you are confident when you are merely hopeful is not okay.  In the eyes of laypeople, confident = surety, though perhaps not so much anymore if the word has lost its meaning in the eyes of risk communication consumers.

From my experience, I have five types of phrases to add:

  • [Low/Moderate/High] Confidence: Philosophically speaking, to the analyst, anything said with a non-zero degree of confidence implies some degree greater than even odds of being correct.  This means that both “low confidence” and “high confidence” judgments are believed to be the right answer vice any alternative, but “low confidence” statements are afforded less commitment and as such are pegged to a representative probability value closer to 0.5 than a “high confidence” judgment.  To the decision maker, however, the scale may be expanded from a half probability scale to a full probability scale, where the words “low,” “moderate,” and “high” span the entire range.  So when the analyst says something with “moderate” confidence to indicate, say, a 75% chance of being correct, the decision maker might see it as a 50/50 judgment.  I would love to experiment with this to see whether or not what I just described is true.
  • “In General”: When mathematicians use the phrase “in general,” they mean what they say applies to all cases.  When lay people use the phrase in general, they mean that what they say is believed to apply to a simple majority of cases.
  • Likely, Probable [and other uncertainty phrases]:  To risk people, the word likely conveys some degree of likeliness that exceeds 50%.  To laypeople, likely may communicate likeliness or risk.  In the latter, one might find that something deemed “likely” to a layperson may have an objectively low probability of happening, yet a high enough impact if it does to warrant use of the term in their non-probabilistic minds.  But whoever said words like “likely” and “probable” can only be used in the context of probability theory?  After all, what came first – the word “probable” or the “theory of probability?”
  • Likelihood versus Likeliness: To mathematicians, “likelihood” means something very specific.  The likelihood of something in the context of Bayes’ theorem is the functional expression Pr(B|A) (read as “the probability of B given A”) whose input argument is “A.”  That is, the “likelihood” is the hypothetical probability distribution constructed over a space of events conditioned on the occurrence of “A.”  The “likelihood function” or simply “likelihood” L(A|B) is proportional to Pr(B|A).  To non-mathematicians, including most (if not all) dictionaries, “likelihood” describes the notion of chance, where probability is one such measure of likelihood for an event.  According to WordReference.com, the word “likeliness” is an equivalent word for “likelihood,” but doesn’t carry with it all the mathematical baggage that might confuse a mathematician.  This is why I always use the word “likeliness” to characterize the notion of chance instead of “likelihood.”
  • Possible: To mathematicians and risk people, a “possible” event is one that carries with it a non-zero probability.  More specifically, a possible event is one that is admitted into the set of alternatives (sample space) for a given question.  To non-mathematicians and laypeople, the word “possible” may be used to describe degree of chance or even risk.  How often have you heard people use possible to convey the likeliness of an event?  A study I read, published by Sarah Lichtenstein and J. Robert Newman in 1967 (Psychonomic Science, Vol. 9, No. 10, pp. 563-564), showed that a group of 177 people, when individually asked to place numbers on words that convey uncertainty, could not agree on a probability value for the word “possible.”  The results showed a range of responses spanning probabilities of 0.01 to 0.99, with a median at 0.49.  What does this say?  To me this study makes my point – possible means that the probability is greater than 0, but we don’t know where.  But it also says that, at a micro level, individuals might actually assign a value to “possible.”  Fortunately, the word “impossible” does not suffer the same ambiguity.

I am curious to hear your thoughts on these and other words that we should be careful about using in the context of risk communication, or “analytic communication” for that matter.
