Quantitative Risk Analysis


Rasmussen on QRA for Safeguards Analysis

Sunday, July 5th, 2009

Since the events of 9/11, particularly following the creation of the Department of Homeland Security, much attention has been paid to the use of probabilistic or quantitative risk analysis methods for the purposes of informing security investment decisions.  The debate on the appropriateness of these techniques was quite intense for a while (say 2003-2006), and to some extent I think there was no clear winner (though I think we are finally coming to grips with what “risk-informed decisions” really means, which in a sense weakens the need for this debate).  Among the fighting and debating, I often found myself wondering what the late Prof. Norm Rasmussen would say about the value of QRA for security.  Now, a number of well-respected scholars have spent quite a deal of time and effort writing on the issue (e.g., Apostolakis, Cox, Bier, Ayyub, Haimes, Kunreuther, Slovic, Pate-Cornell, Diesler, Lave, etc.).  But nowhere could I find even a comment from Rasmussen on the issue.

[NOTE: Norman C. Rasmussen was the director of the famous 1975 Reactor Safety Study, or WASH-1400.  Because of its extreme significance in those days, the report was nicknamed "The Rasmussen Report." I hope to have a copy of the WASH-1400 report posted to this site sometime really soon - oddly enough I can't find it anywhere online]

Then there was my visit to Sandia.  I was privileged to sit in on a presentation delivered by a scientist at Sandia National Labs that walked through the history of Security Risk Analysis from the Sandia perspective.  On one of the slides there was a quote about the appropriateness of QRA for security attributed to Professor Rasmussen himself!  I was truly taken aback!  I asked whether there was a citation I could use for this quote, and lo and behold there was.  Thanks to the Sandia people, I was able to obtain a copy of this paper and post it here via Scribd:

The citation information is as follows:

  • Rasmussen, N. C. (1976). “Probabilistic Risk Assessment: Its Possible Use in Safeguards Problems.” Presented at the Institute for Nuclear Materials Management meeting, Fall 1976, pp. 66-88.

Note the timing… this commentary was made just after the 1975 release of the WASH-1400 report.  My understanding was that many believed PRA/QRA could be applied to problems outside the domain of nuclear safety, perhaps to include nuclear safeguards.  Prof Rasmussen believed then that QRA methods, as outlined in WASH-1400, are NOT appropriate for quantifying safeguards risks (though he says nothing about their usefulness in empowering analysts with knowledge to better inform decision makers).

Just to quickly lay out the outline for this paper, Prof Rasmussen begins by offering an overview of all three levels of QRA then comments on the differences between security and safety problems, the most clear being that terrorists are not random and that there is some deliberate attempt to maximize consequences.  Rasmussen also points out that the only practical conservative value to assume in security is one, which given the tendency for terrorists to maximize consequences, almost always results in an unacceptable quantitative risk.  His solution – “make the unauthorized access to special nuclear material very difficult,” that is, make the probability of access so small that even if all the other probabilities are unity, the benefit of having nuclear power still outweighs the risk of malicious terrorist use of nuclear material.  Basically, this amounts to a focus on vulnerability reduction, but only those aspects of vulnerability pertaining to the unauthorized access to special nuclear material (not egress, use, response, recovery, etc. dimensions).  The paper concludes with a short question and answer exchange between Prof. Rasmussen and several audience members, some of which is quite interesting (and clearly dated before the existence of the Design Basis Threat).

In the end, I believe this talk is where the idea of “assuming probability of attack is one” came from, though I could be wrong.


An Anatomy of Risk by William D. Rowe (Quickie Book Review)

Thursday, November 27th, 2008

A few weeks ago I came across an excellent book from 1977 entitled An Anatomy of Risk by William Rowe, Sr. (ISBN: 0471019941).  This book provides a thorough technical summary of the state of the art in risk analysis through the mid-1970s.  This includes some of the groundbreaking work on risk perception, risk assessment for nuclear power, risk communication, etc.  I believe that this book is one of the first authoritative texts on quantitative risk analysis ever published.  However, since the book was written at a time when risk analysis was a relatively new academic discipline, it was not intended for undergraduate audiences looking to learn the basics of risk.  For me, I intend to use this text as my gateway to the classic research works on risk analysis.

An Anatomy of Risk was previously reviewed by a number of scholars as cited below.  Note that in most cases you must have a subscription to view the actual review.  I also noted the tone of the review on a five-tier scale (SCATHING, UNFAVORABLE, NEUTRAL, FAVORABLE, PRAISING).

  • A PRAISING review by P. K. M’Pherson in Cybernetics and Systems, Vol. 8, Nos. 3 & 4, pp. 352-354 (1977) (permalink)
  • A FAVORABLE review by L. E. Hill in Technology and Culture, Vol. 19, No. 4, pp. 788-790 (1978) (permalink)
  • A PRAISING review by A. R. Unwin in The Journal of the Operational Research Society, Vol. 29, No. 8, pp. 825-826 (1978) (permalink)
  • A FAVORABLE review in ACM SIGSIM Simulation Digest, Vol. 10, No. 4, p. 70 (1979) (permalink)
  • A SCATHING review by R. G. Easterling in Technometrics, Vol. 22, No. 2, pp. 278-279 (1980) (permalink)
  • A FAVORABLE review by M. L. Randolph in Ecology, Vol. 62, No. 4, pp. 1133-1134 (1981) (permalink)

On balance, I would say that the overall take on Dr. Rowe’s book was FAVORABLE++.  I personally recommend that all emerging risk researchers add this title to their Christmas book wish list.

An Anatomy of Risk is no longer available NEW, and can only be purchased used via a used book outlet such as Alibris.com (see here).


Two Good Blogs on Security (Plus an Author Recommendation)

Monday, November 3rd, 2008

Recently, I came across two very good blogs that touch on areas of security risk analysis that overlap with my current interests.  They are as follows:

  • BlogInfoSec.com: An Information Security Magazine in Blog Format.  This blog is authored by a team of nearly a dozen seasoned information security professionals.  A recent series of posts I found particularly interesting were authored by Jeff Lowder (Director of Information Security and Risk Management at Disney Interactive Media Group, a branch of The Walt Disney Company) that centered on the Qualitative vs. Quantitative Risk Analysis debate (see Part I and Part II; Part III is forthcoming).  In fact, in Part I of this three-part series, Mr. Lowder offered a fourth question to the risk analysis triplet: how much uncertainty is present in the analysis? (basically, a question centered on what level of confidence should be afforded by a decision maker to the analysis, data and methodology considered).
  • Schneier on Security.  This blog provides a medium for Bruce Schneier (a.k.a. the “rock star” of security) to post his thoughts on security issues, link to articles he has authored and interviews he participated in, and to advertise his collection of best-selling security books.  This guy has a lot of interesting things to say – in fact, after reading some of his posts, I felt personally inspired to purchase the complete set of all his books (I will share my thoughts on these books after I get through with them).

On the topic of recommendations, I highly recommend the pair of books written by Kevin Mitnick and coauthor William Simon.  These books are The Art of Deception: Controlling the Human Element of Security (ISBN: 0471237124) and The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers (ISBN: 0764569597).  The first book is all about the role of social engineering in breaking into security systems, and the latter is an anthology of stories that collectively describe how and why hackers hack.  Both of these books are excellent, and I highly recommend them for any student of security risk analysis.  In fact, I plan to introduce The Art of Intrusion to my SRA 311 class tomorrow, and reserve The Art of Deception as required reading for my planned special topics course in Deception and Security.  The Art of Intrusion was particularly enlightening in that it debunked my (suspected) misconceptions on how hackers go about hacking… I will save this discussion for a future post.
