
The Many Questions of Risk: Toward a Triplet of Triplets

Wednesday, January 6th, 2010

Note: Article updated on 17 Jan 2010

In 1981, Kaplan and Garrick published a paper entitled “On the Quantitative Definition of Risk” that defined risk as the set of all ordered triplets comprised of answers to the following triplet of questions (Kaplan and Garrick 1981):

  • What can go wrong?
  • How likely is it to go wrong?
  • What are the consequences?

These three questions set the stage for what most risk professionals consider to be the fundamental questions of risk assessment. In recent years, more questions have been suggested, including:

  • How much uncertainty is present in the analysis? (Lowder 2008)
  • Over what time frame? (Haimes 2009)
  • Are these risks tolerable?

In 1991, Professor Yacov Haimes offered a second set of three questions focused on the practice of risk management (Haimes 1991):

  • What can be done?
  • What options are available and what are the benefits and costs of each?
  • What impact do these options have on future options?

Mr. Bob Ross offered a few more interesting risk questions, including several for establishing the risk context (Ross 2009):

  • What are my risk management responsibilities?
  • What outcomes and objectives am I expected to achieve?
  • How are risks perceived by those to whom I am answerable?

Ross also offered a few more for risk management (labeled risk response or more generally risk treatment):

  • What could I do about it? (the “options” part of the second Haimes risk management question)
  • What should I do about it?
  • What will I do about it?

And a few more on risk management effectiveness:

  • How well is my chosen course of action working?
  • Has anything changed that requires altering my existing risk management measures?
  • Are there current trends and/or potential future developments that could require altering my existing risk management measures?

At a high level, Dr. Tony Cox summarizes all of risk analysis in terms of four high-level questions as follows (Cox 2009):

  • How bad is it? (Risk Assessment)
  • What to say about it? (Risk Communication)
  • What to do about it? (Risk Management)
  • Who to blame for it? (Risk Attribution)

The ultimate goal of studying risk in general is to communicate risk knowledge to people who can then use it to make better (i.e., risk-informed or risk-supported) decisions. Risk communication, then, must consider the following lower-level questions that help analysts decide what to say about risk (Morgan et al. 2002; Apgar 2006):

  • What does the intended recipient think or know?
  • What does the recipient need to know?
  • How should it be told?

Mr. Bob Ross offered the following additional questions for risk communication:

  • Between whom does it need to be communicated?
  • How can the necessary risk information be most effectively communicated?

Of course, there is always the risk that a communication goes south, thus we should also entertain the questions:

  • How likely is it that the communication will work?
  • How bad would it be if it doesn’t?

If you look carefully at these questions, you might find some overlap among them and also find that they may be interpreted in different ways by different people. In fact, we could consolidate all of these questions into a triplet of risk analysis triplets. These are summarized as follows.  Given a clearly and precisely specified situational context (e.g., security context), risk analysis centers on the following nine broad questions:

Risk Assessment Triplet

  1. What can happen? Answer: scenarios characterized by the pairing of cause and outcome, where associated with outcome is the time frame
  2. How likely is it? Answer: product of probability of cause and probability of outcome given cause; uncertainty in the answers is captured using imprecise probabilities
  3. How bad would it be? Answer: severity of the cause/outcome pair
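
The Risk Assessment Triplet above, carried through as an added example (not code from the original article): each scenario is a cause/outcome pair with a time frame, likelihood is the product of P(cause) and P(outcome | cause) held as lower/upper bounds, and scenarios are ordered only where those bounds allow it. The scenario names, numbers, and the interval-dominance ranking rule are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

Interval = Tuple[float, float]  # (lower bound, upper bound)


@dataclass(frozen=True)
class Scenario:
    """Answer to 'What can happen?': a cause/outcome pair plus its time frame."""
    cause: str
    outcome: str
    time_frame: str
    p_cause: Interval                # P(cause) within the time frame
    p_outcome_given_cause: Interval  # P(outcome | cause)
    severity: Interval               # loss if the pair occurs (constructed units)


def check_probability(iv: Interval) -> Interval:
    lo, hi = iv
    if not 0.0 <= lo <= hi <= 1.0:
        raise ValueError(f"not a probability interval: {iv}")
    return iv


def likelihood(s: Scenario) -> Interval:
    """'How likely is it?': bounds on P(cause) * P(outcome | cause)."""
    c_lo, c_hi = check_probability(s.p_cause)
    o_lo, o_hi = check_probability(s.p_outcome_given_cause)
    # Both factors are non-negative, so the product is monotone in each bound.
    return (c_lo * o_lo, c_hi * o_hi)


def expected_loss(s: Scenario) -> Interval:
    """Combine 'how likely' with 'how bad' into bounds on expected loss."""
    p_lo, p_hi = likelihood(s)
    s_lo, s_hi = s.severity
    if not 0.0 <= s_lo <= s_hi:
        raise ValueError(f"not a severity interval: {s.severity}")
    return (p_lo * s_lo, p_hi * s_hi)


def dominates(a: Scenario, b: Scenario) -> bool:
    """a is certainly the larger risk only if its lowest expected loss
    exceeds b's highest expected loss (interval dominance, an assumed rule)."""
    return expected_loss(a)[0] > expected_loss(b)[1]


def top_tier(scenarios: List[Scenario]) -> List[Scenario]:
    """Scenarios that no other scenario certainly outranks."""
    return [s for s in scenarios
            if not any(dominates(o, s) for o in scenarios if o is not s)]


def undecided_pairs(scenarios: List[Scenario]) -> List[Tuple[str, str]]:
    """Pairs whose bounds overlap: the stated uncertainty is too wide to
    order them, so more analysis is needed before ranking."""
    pairs = []
    for i, a in enumerate(scenarios):
        for b in scenarios[i + 1:]:
            if not dominates(a, b) and not dominates(b, a):
                pairs.append((a.cause, b.cause))
    return pairs


# Constructed sample scenarios for a generic office building.
SCENARIOS = [
    Scenario("unescorted visitor enters server room", "equipment theft",
             "per year", (0.10, 0.30), (0.20, 0.50), (50_000, 200_000)),
    Scenario("staff credentials phished", "mailbox compromise",
             "per year", (0.60, 0.90), (0.05, 0.20), (20_000, 100_000)),
    Scenario("small fire in storage area", "one-day closure",
             "per year", (0.01, 0.02), (0.50, 0.90), (1_000, 5_000)),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.cause} -> {s.outcome} ({s.time_frame}): "
              f"likelihood={likelihood(s)}, expected loss={expected_loss(s)}")
    print("top tier:", [s.cause for s in top_tier(SCENARIOS)])
    print("cannot be ordered:", undecided_pairs(SCENARIOS))
```

The first two constructed scenarios overlap in expected loss, so the output reports them as unordered rather than forcing a rank the inputs do not support.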

Risk Communication Triplet

  1. What does the recipient presently think, know and perceive? Answer: the recipient’s mental model and lens for interpreting and integrating new information
  2. What does the recipient need to know? Answer: key messages to improve the recipient’s understanding
  3. How should it be told? Answer: in what form must the information be communicated and who should communicate it, this includes all risks associated with communications

Risk Negotiation Triplet*

  1. What can be done? Answer: the types of changes that can be made in the time frame of interest
  2. What options are available? Answer: real feasible options that are available with assessed benefits and costs of each, where benefits and costs include impact on future options, and all assessments include uncertainty
  3. What should be done? Answer: compares benefits, costs and risks of each option in addition to other factors with a variety of non risk-related alternatives including the “do-nothing” option
*Note: In this context, Risk Negotiation refers to an organization’s discussions and deliberations around a variety of risk treatments relative to the organization’s attitude and tolerance for risk.

Risk management revisits this triplet of triplets over and over again in perpetuity. With time, we learn how well our choices fared through continuous analysis and reanalysis of our systems and their environments. With every action we take, the systems we protect respond with new or modified risks with updated probabilities and severities, and new options and considerations emerge while others become infeasible or irrelevant. And of course, with time and change come new uncertainties and misunderstandings, both of which require the dedicated attention of risk professionals to study and resolve.

References

Apgar, D. (2006). Risk Intelligence: How to Manage What You Don’t Know. Harvard Business School Press (ISBN 1591399548).

Coles-Kemp, L. (2009). “The Effect of Organisational Structure and Culture on Information Security Risk Processes.” Risk Research Symposium (link here).

Cox, L. A. (2009). “Traditional and Current Risk Analysis.” Presented at the MORS 2009 Workshop, April 2009 (link here).

Haimes, Y. Y. (1991). “Total Risk Management.” Risk Analysis, Vol. 11, No. 2, pp. 169-171 (doi link).

Haimes, Y. Y. (2009). “On the Complex Definition of Risk: A Systems-Based Approach.” Risk Analysis, Vol. 29, No. 12, pp. 1647-1654 (doi link).

Kaplan, S. and Garrick, B. J. (1981). “On the Quantitative Definition of Risk.” Risk Analysis, Vol. 1, No. 1, pp. 11-27 (doi link).

Lowder, J. (2008). “The Difference Between Quantitative and Qualitative Risk Analysis and Why it Matters (Part 1).” BlogInfoSec.org (link here).

Morgan, M. G., Fischhoff, B., Bostrom, A. and Atman, C. (2002). Risk Communication: A Mental Models Approach. Cambridge University Press (ISBN 0521002567).

Ross, R. G. (2009). “Total Risk Management Revisited.” Working Paper.


Twitter Weekly Updates for 2009-12-27

Sunday, December 27th, 2009
  • Might Could is an awesome band… http://bit.ly/8d2tJq … their albums are available on iTunes… good for late night risk analysis… #
  • Why do I always get stuck working on a short-fused project during the holiday season? It seems I will be working up until my flight to Italy #


Some Risk Quotes (Vol. 1)

Wednesday, December 23rd, 2009

I typically come across a few excellent quotes that really resonate with what I am presently thinking about whenever I go on a paper reading binge.  Here are some interesting ones that I found recently:

Every year (or, perhaps, every day), some new industry or institution discovers that it, too, has a risk problem.  It can, if it wishes, repeat the learning process that its predecessors have undergone.  Or, it can attempt to short-circuit that process, and start with its product, namely the best available approaches to risk communication. – Baruch Fischhoff (1995)

Contemporary approaches to disaster reduction need to become more concerned with human-to-human relations, such as conflict resolution and consensus building among people, rather than human-to-nature relations. – Katsuya Yamori (2008)

References

Fischhoff, B. (1995). “Risk Perception and Communication Unplugged: Twenty Years of Process.” Risk Analysis, Vol. 15, No. 2, pp. 137-145 (doi link).

Yamori, K. (2008). “Narrative Mode of Thought in Disaster Reduction: A Crossroad for Narrative and Gaming Approaches.” in Sugiman, T., Gergen, K. J., Wagner, W. and Yamada, Y. eds. Meaning in Action: Constructions, Narratives and Representations.  Springer, pp. 241-252 (doi link).


Threat Assessment, Vulnerability Assessment and Risk Analysis

Wednesday, March 4th, 2009

I just received a lead on a neat tutorial on risk concepts for personal surveillance protection from my friend at Mercyhurst College, Kris Wheaton.  Check it out at this link.  I also posted this and what follows as a discussion topic on the SARMA group on LinkedIn.

Notice the manner in which this tutorial defines the term “threat” – a threat is defined as the undesired consequence of an attacker’s actions, not the nature of the actions themselves.  Accordingly, risk is then the probability of the threat, which is consistent with accepted practice.  Moreover, labeling an outcome a threat implicitly assigns a “value” to the outcome, which in this simple case is simply described as “undesirable.”  But isn’t that the nature of security – to lessen the probability of undesirable events, or in this case, threats?

Now this is different from the DHS definition of threat, which puts it as the intent and capability of an attacker.  DHS defines threat as the cause; the document linked to above defines it as the consequence, all causes considered.  Which do you prefer?

But of course, one can argue that intentions and capabilities when directed against a valued asset may result in undesired outcomes.  So, does it really matter?  That is, if bomb attack = damage, isn’t it equivalent to call both “damage” and “bomb attack” threats?  Well, perhaps not if one seeks to define the term risk in terms of threat.  In general, risk is defined as a probability distribution on outcomes with associated values.  If we equate threat to cause, then threat is just one aspect of the problem.  If we equate threat to undesired outcome, then risk is the probability of threat.  So which should we use?

To answer this, I appeal to you.  What does a threat assessment product typically answer?  The ones I participated in sought to define the spectrum of harms (undesired events) of interest to the decision maker, and from these harms back out those potential causes of harm within my problem set.  For a terrorist threat assessment considering the nuclear power industry, my threat assessment would identify what can go wrong and how it can happen.  No valuation is attached to either outcome (what can go wrong) or cause, either in terms of probability or severity.  That is, a threat assessment is purely descriptive.

From this, threat is both – cause and outcome – minus the valuation.  I define the pairing of cause and outcome as a “scenario,” and if that scenario is undesirable either in cause or outcome, then it is a threat.

Vulnerability assessment, too, is descriptive in my mind.  A vulnerability assessment seeks to identify the weaknesses that enable different causes to result in different undesired outcomes.  Thus, a threat assessment provides a frame with which to do vulnerability assessment.  However, vulnerability assessment also provides insights to help identify previously unknown undesired outcomes and causes.  I would argue that neither precedes the other, but both should happen concurrently.  But of course you’ve got to start somewhere… which would you start with?

Now where does risk analysis fit in?  In my view, risk analysis synthesizes the knowledge generated from the threat assessment and vulnerability assessment efforts to prioritize concerns for decision maker attention and to provide guidance on what to do about them (i.e., actionable risk analysis).  In so doing, risk analysis:

  • Attempts to describe the likeliness of cause from our knowledge of adversary capabilities and historical record (among other things)
  • Attempts to describe the likeliness of outcome given cause from our knowledge of system weaknesses, and
  • Attempts to place value on the outcome beyond just undesirable or not undesirable.

Note how I use the word “describe” and not “quantify.”  I did this deliberately – quantification is useful for structuring thought, but perhaps not so much as providing a basis for decision making (particularly in security settings).


SRA 311 (Spring 2009) Lecture 5: Divergent/Convergent Thinking

Sunday, February 8th, 2009

Lecture 5 was one of my favorites.  The topic was structured brainstorming, in particular the divergent/convergent thinking technique described in both the CIA and DIA analytic tradecraft primers (both of which are unclassified, and can be obtained by joining IAFIE, contacting the public relations offices of the respective agencies, etc.).  I teach structured brainstorming in my risk analysis course because, as often cited by risk scholars, the first step in any risk analysis is to imagine (read “brainstorm”) answers to the question “what can go wrong?”

But before we got into the meat of lecture 5, we began class with a short quiz and a discussion of the day’s reading.  The paper for today was entitled “The Case for ‘Risk Awareness’” by Stevyn Gibson (Security Journal, Volume 16, pp. 55-64, doi: 10.1057/palgrave.sj.8340140).  As one might tell from the title and my preface to this post, the theme for the week is combating ignorance-induced vulnerability (which I argue is one of the biggest contributors to a person’s risk exposure).  The quiz asked for the purpose of Gibson’s article (“purpose” being one of the eight elements of thought) and sought answers to five multiple choice questions focused on relevant aspects from set theory (e.g., what the word “possible” means, Venn diagrams, conditional exhaustiveness, and the distinction between open and closed-world assumptions).

Moreover, consistent with this week’s theme of creating risk awareness, I showed off an “interesting” book that took the idea of creating risk awareness to the extreme.  The title of the book was An Introduction to Planetary Defense: A Study of Modern Warfare Applied to Extra-Terrestrial Invasion by Travis S. Taylor (a.k.a. “Doc” Travis) and collaborators (2006, ISBN: 978-1581124477).  An interesting book, indeed, though it is not without its flaws (some small, one or two VERY big – check out the one-star reviews on Amazon.com to see what I mean).

Now onto the meat of the lecture.  The focus of lecture 5 was on a generic building security risk analysis question adapted from problem 8E of Philip P. Purpura’s text Security and Loss Prevention, 5th edition (2007, ISBN: 978-0123725257 ).  The problem is shown in the SCRIBD window below. 

Building on the materials from lecture 4, the aim of this class was to apply structured brainstorming to identify a complete set of security events that might take advantage of one or more observed facility weaknesses.  The only technology we used for this in-class exercise was sticky notes (Office Depot brand) and empty wall space, window space, or an unused chalkboard.  My strategy for this exercise was to allow 20 minutes or so for unassisted team divergence, followed by me and my teaching intern walking around the room with our own pads of sticky notes interjecting random ideas to help spark creative thinking.  The activity finished with 10-15 minutes of convergence where each group was advised to settle on 5-6 broad classes of initiating security events.  Of course, the event sets that the students came up with were by no means complete.  However, as I advised, this is ok so long as the students articulate what events they are leaving out and for what reasons.  This is the essence of a conditionally exhaustive set.

The only bad thing about this lecture was that it was the first lecture I gave at Penn State where I did not have my tablet PC available.  Unfortunately, I spilled hot coffee on my tablet, and now it doesn’t work at all.  The warranty doesn’t cover such damages either.  This “black swan” event totally forced me to reshape how I can go about delivering future lectures.  I suppose I have to use the white board and black boards more often now!


Penn State Risk Courses I Would Have Taken Way Back When…

Sunday, December 21st, 2008

Each semester when the schedule of classes is posted, I often find myself perusing the listing to pick out those courses offered at the University Park campus of Penn State that seem like they would be helpful for improving my understanding of risk and risk analysis.  I don’t actually plan on taking any of these.  But so far I picked out the following from the undergraduate (and graduate) course catalog:

  • B A 497: Risk and Decisions (3): Conceptualizing decisions involving risk, analyzing choices, estimating the risk, and communicating the analysis
  • CMPSC 443 Introduction to Computer and Network Security (3): Introduction to theory and practice of computer security with an emphasis on Internet and operating system applications [Sp09, TR 1615-1730]
  • EARTH 101: Natural Disasters: Hollywood vs. Reality (3): Analysis of the causes and consequences of natural disasters; comparison of popular media portrayal of disasters with perspective from scientific research [Sp09, TR 945-1100]
  • ENNEC 473: Risk Management in Energy Industries (3): Analysis of strategies for mitigating business risk from market, atmospheric, geophysical uncertainties including the use of energy/mineral commodity futures/options, weather derivatives, and insurance [Sp09, TR 945-1100]
  • FIN 413: Risk Management and Financial Institutions (3): Measuring and managing risk faced by financial institutions.
  • GEOSC 402Y: Natural Hazards (3): Case studies of the causes and consequences of natural disasters; analysis of disaster impact in different economic, cultural, and social conditions [Sp09, MWF 1010-1100]
  • HLS 410: Public Health Preparedness for Disaster and Terrorist Emergencies (3): Analyzes the history of terrorism and explores the preparation and response to specific terrorist threats, natural disasters, and conventional catastrophes.
  • I E 454: Applied Decision Analysis (3): Theory and practice of decision analysis applied to engineering problems.
  • I H S 470: Analytical Methods for System Safety (3): Quantitative and qualitative methods of system safety of analysis are covered; issues in risk assessment, acceptance, analysis, and communication, as well as accident cost analysis and cost-benefit analysis are included.
  • INS 301: Risk and Insurance (3): Introduction to the principles and methods of handling business and personal risks; emphasis on insurance techniques.
  • INS 405: Corporate Risk Management (3): Insurance management for corporate organizations; self-insurance, risk transfer, and other alternatives to insurance.
  • INS 575: Risk Management (2): Develop an understanding of the risks facing corporations and the methods available to deal with those risks.
  • IST 564: Crisis, Disaster and Risk Management (3): Examines the fundamental elements of crisis, disaster, risk and emergency management. Emphasis is placed on the use of analytic methods and information technologies to prepare for, protect against, respond to, and recover from the effects of naturally-occurring (e.g., earthquakes, hurricanes, diseases) and anthropic hazards (e.g., industrial accidents, malicious attacks).
  • M E 446: Reliability and Risk Concepts in Design (3): Introduction to reliability mathematics. Failure data collection and analysis. Components and systems reliability prediction. Effects of maintenance on reliability. Risk Analysis. Case studies in engineering applications.
  • METEO 460: Weather Risk and Financial Markets (3): This course will introduce the role that weather plays as a source of financial and operational risk for businesses, market and other institutions [Sp09, TH 1115-1230]
  • METEO 476: Atmospheric Natural Disasters Seminar (3): Survey of naturally occurring, catastrophic meteorological events, including severe thunderstorms, tornadoes, aviation hazards, floods, and severe winter storms.
  • P ADM 401: Introduction to Homeland Security (3): This course provides foundational knowledge about homeland security, including policy, organization, and legal issues in the American context.
  • P ADM 404: Homeland Security and Defense in Practice (3): This course analyzes, evaluates, and critiques homeland security plans in practice.
  • SCM 456: Supply Chain Risk Analysis (3): Business processes are modeled as a network of queues using discrete-event simulation and analyzed model outcomes using statistical methods.
  • SRA 311: Risk Management: Assessment and Mitigation (3): Assessment and mitigation of security vulnerabilities for people, organizations, industry sectors, and the nation.

Note that I included IST and SRA courses for completeness.  Of course there are plenty of other courses of interest to me, such as a pair on creative problem solving in the systems engineering program, one on biological networks in the physics department (PHYS 597B), one on game theory in the economics department, and a host of others.


Managing Strategic Surprise: Lessons from Risk Management by Bracken, Bremmer and Gordon (Quickie Book Review)

Thursday, November 27th, 2008

In my search for good books on risk management and intelligence, I came across the edited volume entitled Managing Strategic Surprise: Lessons from Risk Management and Risk Assessment (edited by Professor Paul Bracken of Yale University, Dr. Ian Bremmer of the Eurasia Group, and Dr. David Gordon of the US State Department and former deputy director of the National Intelligence Council, ISBN: 9780521709606).  What a great book!  I haven’t quite finished it yet, but I must highlight that the first two substantive chapters – chapters two and three – really speak to some important issues.

For example, Paul Bracken’s article “How to Build a Warning System” (pp. 16-42) emphasizes that warning is only one piece of an organization’s overall risk management program.  Professor Bracken highlights six general strategies for risk management (the first time I have seen this): [1] isolating uncertainty (e.g., protection), [2] smoothing of uncertainty (e.g., diversification), [3] warning systems, [4] agility (e.g., rapid response), [5] alliances, and [6] environmental shaping.  Professor Bracken highlights warning systems’ role in providing advanced notice of emerging threats while emphasizing that warning can also inform decision makers of emerging opportunities.  Moreover, Professor Bracken emphasizes that there are two dimensions to warning analysis – the analytic component and the organizational component.  Warning analysis can be either informal (as it is most often the case), or highly structured (as national-level warning systems); but in general every individual and organization has some warning analysis capability.  The organizational component is absolutely essential in that without a structure in place to annunciate warning messages, warning is useless (a point emphasized in many intelligence analysis courses).  Professor Bracken suggests a contingency theory for warning:  “there is no one best way to build a warning system; it depends on the dangers” (p. 26).  The nature of the strategic environment and the capacities of an organization to collect, process, and distribute warning shape how any particular warning system functions.  Even within a single organization, multiple warning systems may be necessary to accommodate multitudes of hazards and threats.

The chapter by the former Director of Intelligence for the Israeli Mossad, Professor Uzi Arad, “Intelligence Management as Risk Management: The Case of Surprise Attack” (pp. 43-77), generalizes Prof. Bracken’s claim by suggesting that intelligence analysis is a risk management function.  He defines intelligence as a “national risk management mechanism built to cope with the risk of violent attack” (p. 45).  It should be noted that DNI’s Vision 2015 says that “intelligence helps reduce the degree of uncertainty and risk when critical choices are made” (Ch. 2).  Granted this view is rather limited by its suggestion that an intelligence organization only looks at downside risks.  But I must admit this definition, as intuitive as it is, adds another dimension to the debate over what “intelligence” means (subscribe to the IAFIE listserv to see what I mean).  More interesting is the idea that the intelligence community, perhaps unlike other types of organizations, must actually consider both environmental risks (dominated by external factors) and operational risks (dominated by internal factors) holistically rather than separately: external threats seek to exploit the vulnerabilities of an organization’s internal processes to prevent them from properly assessing environmental risks, thus decreasing the target organization’s decision advantage.  I believe this idea is what justifies the existence of counterintelligence and counterdeception analysis – to help mitigate an organization’s vulnerability to surprise.  This begs the question – what is the probability of a surprise afflicting an organization in its particular strategic environment?  Thinking back to Prof. Bracken’s article, an answer to this question requires us to think carefully about the nature of the strategic environment, capabilities of the adversaries, the organization’s internal processes and culture, and so on.
What I would like to see is a generic approach for assessing the risk of strategic surprise.  The remainder of the paper examines each element of the standard intelligence cycle in terms of the factors that contribute to probability of surprise.  This is good stuff.

While I haven’t read them yet, I look forward to reading the remaining chapters.  These include:

Just for reference, two interesting papers come to mind that are at least partly relevant to this book.  These include the paper “Using Risk Analysis to Inform Intelligence Analysis” (2008) by Dr. Henry H. Willis of RAND and “The Intelligence Cycle as a Model for Political Risk Assessment” (1985) [published in Political Risks in International Business edited by Thomas L. Brewer, ISBN: 0275900665] by Thomas W. Shreeve of the Intelligence Case Methods Program.  Both of these papers relate aspects of risk analysis to intelligence analysis, but neither really gets to the heart of the issues as done in Managing Strategic Surprise.


Guesstimation by Weinstein and Adam (Quickie Book Review)

Thursday, November 27th, 2008

In a recent issue of my most favorite news magazine The Week, there was a short review on a book with the intriguing title Guesstimation (by Lawrence Weinstein and John Adam at Old Dominion University, ISBN 9780691129495).  In the engineering world, the best engineers are the ones skilled in “guesstimation,” or the art of quantitative approximation.  Unfortunately, few other communities cultivate professionals to become skilled guesstimators (save for actuaries, underwriters, traders, investors, and other people in the finance world).

This book is designed to teach, through example, people of all professions and backgrounds to become apprentice guesstimators (of course, you are not an expert guesstimator until you do it for problems that matter).  Moreover, this book attempts to illustrate the value of approximation.  In fact, this book does not insist at all on being accurate; rather, the book emphasizes that most practical problems require answers accurate only to within a factor of ten (read for yourself in Chapter 1).  More precision is often unnecessary, unhelpful, and frequently impossible to achieve in the amount of time and resources available to collect data and do analysis.

In my view, this book is a very good attempt to debunk misconceptions about quantification (and let me tell you, the Intelligence and Risk Analysis communities really need a few “mythbusters” to come in and rid these analytic worlds of their aversion to numbers).  In addition to teaching analysts how to employ structured analytic techniques, we should also improve their ability to guesstimate and to appreciate the value in doing so.  For one, the order of battle analysis community would benefit from improved guesstimation abilities.  My position has always been that numbers help with reasoning (such as in decision trees, event trees, etc.) even if they are only approximations or guesstimates.

What is missing from this book are many more examples that demonstrate the power of guesstimation in probabilistic analysis or risk analysis (the authors touch on four examples in their eleventh and final chapter).  For example, one could backcalculate the implicit subjective probability of occurrence for a particular threat based on the benefits and costs of a strategy aimed at, say, decreasing the risks due to a biological weapons attack (I have seen such an example in the past when I took a course on science and technology intelligence analysis, or S&TI, but can’t remember where).  We could also use guesstimation to estimate the maximum amount of money that could be spent to achieve a particular risk reduction objective in order to maintain a benefit-cost ratio of, say, one.  Perhaps this will be the goal of the authors’ second book (nudge nudge).  I will send them an email to put in such a request.
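
The two back-calculations described above, worked through as an added example (not taken from the book or from the original post). It assumes a simple model in which the annual benefit of a countermeasure is probability × loss × fraction of risk removed, carries every guess as a low/high range, and uses the geometric mean as the single-number guess; the function names and all dollar figures are constructed for illustration.

```python
from math import log10, sqrt
from typing import Tuple

Range = Tuple[float, float]  # (low guess, high guess), both positive


def check(r: Range) -> Range:
    lo, hi = r
    if not 0 < lo <= hi:
        raise ValueError(f"not a positive low/high range: {r}")
    return lo, hi


def geometric_mean(r: Range) -> float:
    """Single-number guess for a range spanning orders of magnitude."""
    lo, hi = check(r)
    return sqrt(lo * hi)


def orders_of_magnitude(r: Range) -> float:
    """How many factors of ten separate the low and high guesses."""
    lo, hi = check(r)
    return log10(hi / lo)


def break_even_probability(cost: Range, loss: Range, reduction: Range) -> Range:
    """Probability implied by spending `cost` at a benefit-cost ratio of one.

    Assumed model: benefit = p * loss * reduction, so p* = cost / (loss * reduction).
    The smallest p* pairs the cheapest cost with the largest avoided loss.
    """
    c_lo, c_hi = check(cost)
    l_lo, l_hi = check(loss)
    r_lo, r_hi = check(reduction)
    if r_hi > 1.0:
        raise ValueError("reduction is a fraction of risk removed, at most 1")
    p_lo = c_lo / (l_hi * r_hi)
    p_hi = c_hi / (l_lo * r_lo)
    # A value of 1.0 means no believable probability justifies the spend.
    return (min(p_lo, 1.0), min(p_hi, 1.0))


def max_justified_spend(p: Range, loss: Range, reduction: Range,
                        target_bcr: float = 1.0) -> Range:
    """Largest spend that still keeps benefit / cost >= target_bcr."""
    p_lo, p_hi = check(p)
    l_lo, l_hi = check(loss)
    r_lo, r_hi = check(reduction)
    if p_hi > 1.0 or r_hi > 1.0 or target_bcr <= 0:
        raise ValueError("probabilities/fractions must be <= 1, ratio > 0")
    return (p_lo * l_lo * r_lo / target_bcr, p_hi * l_hi * r_hi / target_bcr)


# Constructed guesses: annual programme cost, loss if the event occurs,
# and the fraction of that risk the programme is believed to remove.
COST = (1e6, 3e6)
LOSS = (1e9, 1e10)
REDUCTION = (0.1, 0.5)

if __name__ == "__main__":
    p_star = break_even_probability(COST, LOSS, REDUCTION)
    print("implied annual probability:", p_star)
    print("single-number guess:", geometric_mean(p_star))
    print("width in factors of ten:", orders_of_magnitude(p_star))
    print("max spend if p is 1e-3 to 1e-2:",
          max_justified_spend((1e-3, 1e-2), LOSS, REDUCTION))
```

With these constructed inputs the implied probability spans a little over two factors of ten, which shows how quickly modest uncertainty in each input compounds in the back-calculated belief.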


Some Alternative Definitions of Vulnerability

Monday, November 17th, 2008

Juergen Weichselgartner’s 2001 paper entitled “Disaster Mitigation: The Concept of Vulnerability Revisited” (Disaster Prevention and Management, Vol. 10, No. 2, pp. 85-94, doi:10.1108/09653560110388609) provided a nice summary of alternative definitions for the word “vulnerability” gleaned from a variety of academic publications (copied below; see original paper for citations).

  • Gabor and Griffith (1980) Vulnerability is the threat (to hazardous materials) to which people are exposed (including chemical agents and the ecological situation of the communities and their level of emergency preparedness). Vulnerability is the risk context.
  • Timmerman (1981) Vulnerability is the degree to which a system acts adversely to the occurrence of a hazardous event. The degree and quality of the adverse reaction are conditioned by a system’s resilience (a measure of the system’s capacity to absorb and recover from the event)
  • UNDRO (1982) Vulnerability is the degree of the loss to a given element or set of elements at risk resulting from the occurrence of a natural phenomenon of a given magnitude
  • Petak and Atkisson (1982) The vulnerability element of the risk analysis involved the development of a computer-based exposure model for each hazard and appropriate damage algorithms related to various types of buildings
  • Susman et al. (1983) Vulnerability is the degree to which different classes of society are differentially at risk
  • Kates (1985) Vulnerability is the “capacity to suffer harm and react adversely”
  • Pijawka and Radwan (1985) Vulnerability is the threat or interaction between risk and preparedness. It is the degree to which hazardous materials threaten a particular population (risk) and the capacity of the community to reduce the risk or adverse consequences of hazardous materials releases
  • Bogard (1989) Vulnerability is operationally defined as the inability to take effective measures to insure against losses. When applied to individuals, vulnerability is a consequence of the impossibility or improbability of effective mitigation and is a function of our ability to detect hazards
  • Mitchell (1989) Vulnerability is the potential for loss
  • Liverman (1990) Distinguishes between vulnerability as a biophysical condition and vulnerability as defined by political, social and economic conditions of society. She argues for vulnerability in geographic space (where vulnerable people and places are located) and vulnerability in social space (who in that place is vulnerable)
  • Downing (1991) Vulnerability has three connotations: it refers to a consequence (e.g. famine) rather than a cause (e.g. drought); it implies an adverse consequence (e.g., maize yields are sensitive to drought; households are vulnerable to hunger); and it is a relative term that differentiates among socioeconomic groups or regions, rather than an absolute measure or deprivation
  • UNDRO (1991) Vulnerability is the degree of the loss to a given element or set of elements at risk resulting from the occurrence of a natural phenomenon of a given magnitude and expressed on a scale from 0 (no damage) to 1 (total loss). In lay terms, it means the degree to which individual, family, community, class or region is at risk from suffering a sudden and serious misfortune following an extreme natural event
  • Dow (1992) Vulnerability is the differential capacity of groups and individuals to deal with hazards, based on their positions within physical and social worlds
  • Smith (1992) Human sensitivity to environmental hazards represents a combination of physical exposure and human vulnerability – the breadth of social and economic tolerance available at the same site
  • Alexander (1993) Human vulnerability is function of the costs and benefits of inhabiting areas at risk from natural disaster
  • Cutter (1993) Vulnerability is the likelihood that an individual or group will be exposed to and adversely affected by a hazard. It is the interaction of the hazard of place (risk and mitigation) with the social profile of communities
  • Watts and Bohle (1993) Vulnerability is defined in terms of exposure, capacity and potentiality. Accordingly, the prescriptive and normative response to vulnerability is to reduce exposure, enhance coping capacity, strengthen recovery potential and bolster damage control (i.e., minimize destructive consequences) via private and public means
  • Blaikie et al. (1994) By vulnerability we mean the characteristics of a person or a group in terms of their capacity to anticipate, cope with, resist and recover from the impact of a natural hazard. It involves a combination of factors that determine the degree to which someone’s life and livelihood are put at risk by a discrete and identifiable event in nature or in society
  • Green et al. (1994) Vulnerability to flood disruption is a product of dependence (the degree to which an activity requires a particular good as an input to function normally), transferability (the ability of an activity to respond to a disruptive threat by overcoming dependence either by deferring the activity in time, or by relocation, or by using substitutes), and susceptibility (the probability and extent to which the physical presence of flood water will affect inputs or outputs of an activity)
  • Bohle et al. (1994) Vulnerability is best defined as an aggregate measure of human welfare that integrates environmental, social, economic and political exposure to a range of potential harmful perturbations. Vulnerability is a multilayered and multidimensional social space defined by the determinate, political, economic and institutional capabilities of people in specific places at specific times
  • Dow and Downing (1995) Vulnerability is the differential susceptibility of circumstances contributing to vulnerability. Biophysical, demographic, economic, social and technological factors such as population ages, economic dependency, racism and age of infrastructure are some factors which have been examined in association with natural hazard
  • Gilard and Givone (1997) Vulnerability represents the sensitivity of land use to the hazard phenomenon
  • Comfort, L. et al. (1999) Vulnerability are those circumstances that place people at risk while reducing their means of response or denying them available protection
  • Weichselgartner and Bertens (2000) By vulnerability we mean the condition of a given area with respect to hazard, exposure, preparedness, prevention, and response characteristics to cope with specific natural hazards. It is a measure of capability of this set of elements to withstand events of a certain physical character

Of course, this list is by no means complete; in fact, the definitions from obvious sources such as Webster’s dictionary, Department of Defense doctrine, and a host of other papers were not included.  I leave it to the readers of this blog to discover the alternative definitions that are most suited to their particular applications.  But if one were looking for a really short definition of vulnerability to sum up everything above, consider the following two (my preferences):

Vulnerability is the manifestation of the inherent states of a system that render it susceptible to harm or loss (a paraphrased definition of the notion of vulnerability offered by Prof. Yacov Haimes at the University of Virginia)

The vulnerability of an entity to realizing a specified adverse outcome following the occurrence of a particular triggering or initiating event is measured as the conditional probability of the outcome given the triggering event has occurred (an expanded version of the definition I offer in my SRA 311 class at Penn State)


Comment on “Fast and Frugal Conflict Early Warning in Sub-Saharan Africa: The Role of Intelligence Analysis” [Revised]

Tuesday, November 4th, 2008

[[NOTE: I revised this post on 6 November 2008]]

A few weeks ago I came across a post on Kris Wheaton’s blog Sources and Methods describing a master of science thesis by Mercyhurst graduate student Bradley E. Perry entitled “Fast and Frugal Conflict Early Warning in Sub-Saharan Africa: The Role of Intelligence Analysis.”  Since then I have been meaning to download the document and give it a careful read.  I am glad that I did – the literature review on early warning systems and risk assessment is very good.  In fact, it provided me with some incentive to read several of the books I purchased recently on the subject (e.g., Preventive Measures by Davies and Gurr (eds.)) and also pointed out some new references I will be sure to check out in the near future (e.g., “Conflict Prognostication” by Verstegen).  I highly recommend this literature review to those individuals working in the warning community – it is a relatively quick read that is well written and packed with good information.  I will be sure to advertise its existence whenever I speak to my colleagues on the subject of warning.

One thing that caught my attention was the absence of any citations that describe warning systems as a risk management tool.  We do warning to manage risk – the sooner we are made aware of an emerging situation, the sooner we can take action to ensure it doesn’t escalate in an unfavorable direction.  A good paper on this subject is M. Elisabeth Pate-Cornell’s 1986 article entitled “Warning Systems in Risk Management” published in the journal Risk Analysis, Vol. 6, No. 2, pp. 223-234 (DOI: 10.1111/j.1539-6924.1986.tb00210.x) [note that Professor Pate-Cornell is/was a member of the President’s Foreign Intelligence Advisory Board, the State Department International Security Advisory Board, as well as an active participant in many other very high-profile public service activities].

On the technical side, I am a bit confused by the idea of taking the highest and lowest possible values for the conflict score, 6.03 and 1.77 respectively, and assuming the middle value (3.9) as a cutoff point between conflict being likely and conflict being unlikely (see page 47).  The implication here is that the range of 1.77 to 6.03 is an unnormalized probability scale that, when normalized by subtracting the offset 1.77 and dividing by the resulting maximum 6.03-1.77, produces a scale on the range of 0 to 1.  The middle value in this case corresponds to 0.5, where values of 0.5 or greater are taken as likely, and values less than 0.5 are taken as unlikely (check: (3.9-1.77)/(6.03-1.77) = 0.5).  Basically, the assumption here is that the “fast and frugal” model does produce a probability distribution on the finite frame covering the mutually exclusive and collectively exhaustive events “Violent Conflict” and “Not Violent Conflict.”  I am not convinced based on the arguments outlined in the thesis that this assumption is justified.  In fact, there appears to be no clear basis for selecting 3.9 other than it being the median value of possible score combinations (of which there are only 27).

In my original version of this post, I went on to get into the nitty-gritty of the regression, comparing the author’s analysis with that of one of his cited references.  Soon after I published the original post, I found myself delving into logistic regression and attempting to replicate the results of the cited references (which, by the way, is less straightforward than one might think).  Then I realized I was getting too obsessed over work that was not my own and did not pay much attention to the bigger picture.  So I stepped back, took a deep breath, and after a careful re-examination of the thesis author’s work, I now think that the model is not bad (perhaps “good enough”, but definitely not without its flaws), is quick to use and does seem to produce reasonably good results.

My final question centers on how the particular model in this thesis informs decision making.  Some of the independent variables described in the thesis are not variables that can be changed easily, that is, they are well beyond any external actors’ ability to control.  For example, it is not that easy to change a country’s political system.  Nor is it straightforward to change the degree of ethnic homogeneity.  But perhaps something can be done to influence income inequity, such as bringing new industry to a country.  In the end I get the point – there very well might exist simple models that enable warning analysts to estimate likeliness of future events in a manner that is good enough.  The question, now, is how to develop such models that not only help predict, but do so in a manner that also offers actionable guidance into what can be feasibly influenced so as to inform strategies to decrease the potential for unfavorable futures.
