This set of lectures (Lecture 5 and Lecture 6) for this week centered on the first two, and perhaps most important, phases of the risk assessment process:
- Identifying plausible initiating events
- Identifying plausible outcomes of concern
The products of these activities are lists of events and outcomes. In the ideal world, these lists should be as complete as possible, and the elements comprising the list should be as distinct as possible. But how do we do this properly? And what if the lists are not complete? Basically, my challenge for the week was to teach the basic concepts of classical set theory without getting too much into the mathematical nomenclature traditionally associated with the subject.
My first lecture for the week began with a review of selected concepts from previous classes. First and foremost, I reiterated the following 5 points:
- The working definition for risk in this class is uncertainty about future events of interest. This is not necessarily the only definition for risk out there, but it is a good working definition that will get me and the students through this course.
- Risk analysis … informs decision making … empowers decision makers … creates decision advantage
- Risk and certainty don’t mix (that is, risk = uncertainty, and if there is certainty there is no risk)
- Risk is about the future, not the past (it makes no sense to speak of risks in terms of loss already realized from past events, that is, unless the goal is to perform a “forensic risk analysis.” But even then you would be simulating the future from the point of view of the past)
- Risk analysis does NOT prescribe decisions
Next I restated the six questions of risk, discussed the risk triplet R = <e,p,o> and the mathematical expansion of p = Pr(e,o) = Pr(e)Pr(o|e), and discussed how to decompose this mathematical expression into a series of sequential phases that enable its assessment. If one thinks carefully about this expression for risk, one might deduce that the first thing to do is identify the set of plausible initiating events, proceed to articulate outcomes of concern, then go on to assess the likeliness of events and likeliness of outcomes given the occurrence of each event. This brought me to the theme of the week: how to come up with e and o.
Let me stress the following point before I proceed: it is very important to spend a good amount of time coming up with events e and outcomes o. Defender ignorance is the most significant contributor to vulnerability and risk, particularly if one is concerned about risks stemming from the actions of criminals, terrorists, and other malicious humans. As Cynthia Grabo points out in her book Anticipating Surprise: Analysis for Strategic Warning (available for free download via NDIC College Press):
Strategic surprise is “the unilateral advantage gained by the introduction of a new weapon (or by the use of a known weapon in an innovative way) in conflict against an adversary who is … unaware of its existence …”
Yes, I do admit that the definition of strategic surprise is narrowly focused on military (and asymmetric warfare) style conflict. But with a slight adjustment in language to accommodate naturally-occurring and non-malicious anthropic events, we could easily generalize the concept of surprise to include a wide array of environmental and operational hazards. But the point still holds - if the defender does not know the things that can happen that could lead to undesirable outcomes, the only savior is chance that the event does not occur, that the bad guy goofs, or that some measure that addresses a known hazard is also effective against one that is unknown.
At the conclusion of my Tuesday lecture and again at the start of Thursday’s lecture I displayed a slide of key words (similar to a tag cloud) spanning the current topics. My goal was to ensure that all words were at least familiar to the students after hearing me speak for an hour. I asked whether all words had meaning to the students, and if not, to let me know which ones did not so that I could further clarify. These two “keyword clouds” are shown below (yellow is lecture 5 and blue is lecture 6):


Venn Diagram. A Venn diagram (named after the founder of the concept, John Venn, whose work is commemorated by the stained-glass window shown below) is a tool for visualizing sets, the elements contained in sets (and those that are not), and how these elements relate to one another. Typically, Venn diagrams are drawn to be rectangular, but in practice they can take on any shape in any dimension. The only requirement is that the shape be closed to enable one to clearly state which elements are contained in the set, and which elements are not contained in the set. In terms of future events, a Venn diagram is often said to represent the universe of possibilities.

Possibility vs. Probability. The first point of the day centered on the distinction between the notions of possibility and probability. An event (such as “truck bomb attack”) is possible if it can occur. That is, a possible event is one whose probability is greater than zero (obviously constrained by an upper limit of one). However, under the notion of possibility, there is no indication of what the probability of the event is save for it being bounded by a lower limit (some infinitesimally-small value greater than zero in this case) and an upper limit (one in this case). In contrast, an impossible event is one whose probability is exactly zero. Probability is the measure of likeliness attached to an event, where a value of zero corresponds to the impossible event, a value of one means the event is certain, and values in between zero and one express the chances that the event will occur relative to others in the same sample space (e.g., the same universe, Venn diagram, etc.). In terms of a Venn Diagram, an event is possible if it is contained in the Venn Diagram. The probability of this possible event is expressed by just how much space the event takes up. A more detailed discussion of possibility and probability will be provided in later lectures. But for now keep in mind that just because an event is possible does not mean it is probable; all that the word possible suggests is that the probability of the event is not zero.
Mutually Exclusive. Two events are said to be mutually exclusive if the occurrence of one precludes the occurrence of the other in all respects. Accordingly, mutually exclusive events are not independent. For two events to be independent, the occurrence of one event should have no bearing on the possibility or probability of the other event occurring. Below is an image of a universe “S” consisting of three mutually exclusive events “A,” “B,” and “Not A or B” (the latter event, call it “C,” represents the balance of white space after accounting for “A” and “B”).

Collectively Exhaustive. The next point centered on the concept of exhaustiveness. Given a list (or set) of events answering the question “what can go wrong,” the entire collection of these events is collectively exhaustive if it includes all possibilities. That is, the set consists of all events that are possible. It is important to note that it is ALWAYS POSSIBLE to specify a collectively exhaustive set provided that one includes the residual hypothesis. For example, let’s say that one comes up with three possibilities for the question “what can go wrong” labeled as “A,” “B,” and “C.” In most practical situations, it is conceivable that there are also events “D,” “E,” “F,” and so on that could also occur, but for whatever reason we cannot articulate specifically the nature of these events. If we are honest with ourselves, then we would explicitly admit that the set consisting of events “A,” “B,” and “C” is not collectively exhaustive since it does not account for events beyond our ability to describe. Fortunately, we can “close the set” by including a residual event, call it “R”, that accounts for all events other than “A,” “B,” or “C” (that is, R = NOT(A or B or C)). Together, “A,” “B,” “C,” and “R” represent an exhaustive set. Below shows an exhaustive set “S” with events “A” and “B” that together span the entire set of possibilities (note that an event “C” may exist that partially overlaps with “A” and “B,” but this event would not penetrate the boundaries of this Venn diagram).

The Residual Event. But there is a problem with the residual event. Given that the residual event lacks specific definition, its presence makes it impossible to assign meaningful probabilities to the stated events “A,” “B,” and “C.” This can be illustrated as follows. According to the second axiom of probability theory, the probability of “A” occurring (or Pr(A) using shorthand notation) is equal to one minus the probability of “Not A” (or 1 - Pr(~A), where the “~” means “Not”). In compact form, Pr(A) = 1 - Pr(~A). According to this expression, any statement about the probability of “A” also makes a statement about “Not A.” That is, the second axiom highlights the implications of our opinions of the complementary event “Not A” given a statement we make about “A” itself. But keep in mind that the event “Not A” really means that “B or C or something else contained in R” will occur. So, if we make a statement about “A,” we are also making a statement about an event we know nothing about. This obviously doesn’t make any sense, which leads me to suggest that inclusion of the residual event does not permit assessment of meaningful probabilities. Now let’s look at this situation a different way. We could, in theory, make a statement about “R” which would yield a complementary statement about the collection of events “A,” “B,” or “C.” But we would not do this because we know nothing about “R,” and accordingly we know nothing about the likeliness of “R” (Pr(R)). If Pr(R) is unspecified, then it can conceivably take on any value between zero and one, and according to the second axiom, Pr(A or B or C) can too take on any value between zero and one. Letting the probability of an event take on any value between zero and one is a vacuous or empty statement of likeliness.
Conditionally Exhaustive. Fortunately, there is a way to alleviate the woes attributed to the residual event. If an analyst makes the explicit assumption to NOT include the residual event, the focus of the analysis would then be on the set consisting solely of events “A,” “B,” and “C.” While this set is not inclusive of all possibilities, it is inclusive of all known possibilities. This means that while the set is not collectively exhaustive, it is conditionally exhaustive. That is, the set of events is exhaustive only under the condition that we deliberately omit the possibility of the unknown event. In probability notation, when we say Pr(A) under this assumption of conditional exhaustiveness, we are really saying Pr(A) = Pr(A|~R), where “~R” is the event that the residual event is not a possibility. Now we can make statements about probability for the events “A,” “B,” and “C,” but the analyst must bear in mind that any such statement is still under the conditionally exhaustive assumption, and thus is only valid given that no other event is possible.
Open versus Closed World Assumptions. By making the conditionally exhaustive assumption, one is deliberately closing the world to all other events that cannot be articulated or judged as impossible. Thus, the conditionally exhaustive assumption is also known as the closed world assumption. In contrast, the open world assumption admits the possibility of unknown events. The difference between an open and closed world rests on the meaning of exhaustiveness under both assumptions. Exhaustiveness in an open world must consider both the articulated events and the residual event. Exhaustiveness in a closed world considers only those events that can be articulated. Thus, the difference between the closed world and open world is simply whether or not one includes the residual event. And of course, from the previous discussion, probabilistic statements are meaningful only under the closed-world assumption. Outside the closed-world assumption, other theories are necessary (such as possibility theory) if one desires to quantify the uncertainty attributed to the occurrence of future events.
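To make the closed-world versus open-world point concrete, here is a small worked example (added here; it is not from the lecture slides or any textbook). The conditional probabilities Pr(X|~R) for three articulated events are constructed values. Under the closed-world assumption they must form a proper distribution; once the residual event R is admitted with Pr(R) unspecified, each unconditional Pr(X) can only be bounded, and the bound on “A or B or C” is the vacuous [0, 1] interval described above. The optional `residual_upper` argument goes slightly beyond the text: it shows what happens if an analyst were willing to bound Pr(R) from above, which is a hypothetical extra assumption.

```python
from fractions import Fraction

# Constructed example: Pr(X | ~R) for three articulated, mutually exclusive
# initiating events A, B, C under the closed-world (conditionally exhaustive) assumption.
CLOSED_WORLD = {"A": Fraction(1, 2), "B": Fraction(3, 10), "C": Fraction(1, 5)}


def check_closed_world(conditional):
    """Return True when the Pr(X|~R) values over the articulated events form a
    proper distribution: every value lies in [0, 1] and they sum to exactly one."""
    values = list(conditional.values())
    if any(p < 0 or p > 1 for p in values):
        raise ValueError("each probability must lie in [0, 1]")
    total = sum(values)
    if total != 1:
        raise ValueError(f"conditionally exhaustive set must sum to 1, got {total}")
    return True


def open_world_bounds(conditional, residual_upper=Fraction(1)):
    """Bounds on the unconditional Pr(X) once the residual event R is admitted.

    Each articulated event X is mutually exclusive with R, so
        Pr(X) = Pr(X|~R) * Pr(~R) + Pr(X|R) * Pr(R) = Pr(X|~R) * (1 - Pr(R)).
    Pr(R) is unspecified; all we know is 0 <= Pr(R) <= residual_upper.
    The default residual_upper = 1 is the situation in the lecture (nothing known
    about R). A smaller value is a hypothetical assumption the analyst would have
    to justify explicitly.
    """
    check_closed_world(conditional)
    smallest_not_r = 1 - residual_upper  # Pr(~R) at its smallest
    bounds = {name: (p * smallest_not_r, p) for name, p in conditional.items()}
    # The union of all articulated events is exactly ~R, so its probability is 1 - Pr(R).
    bounds[" or ".join(conditional)] = (smallest_not_r, Fraction(1))
    return bounds


def interval_width(bounds):
    """Width of each interval: 0 is a point estimate, 1 is a vacuous statement."""
    return {name: hi - lo for name, (lo, hi) in bounds.items()}


if __name__ == "__main__":
    for name, (lo, hi) in open_world_bounds(CLOSED_WORLD).items():
        print(f"open world, Pr(R) unknown: Pr({name}) in [{lo}, {hi}]")
    for name, (lo, hi) in open_world_bounds(CLOSED_WORLD, residual_upper=Fraction(0)).items():
        print(f"closed world, Pr(R) = 0:   Pr({name}) = {lo}")
```

Setting `residual_upper` to zero is the closed-world assumption in code form: every interval collapses to the point estimate Pr(X|~R), which is why probabilistic statements are only meaningful there.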

The readings for these lectures consisted of a variety of articles on different types of novel attack types, including the use of lasers, high-powered microwaves, forest fires, and food. Citations for these papers are available via my blog post from mid-May on Emerging Terrorist Threats. Basically, these papers were used to provide insight into the types of scenarios that might otherwise fall under the category of unknown events (or residual scenario) due to the fact that many have not previously occurred (at least knowingly). The brief discussion of these threats veered off into a discussion of other novel attacks, to include the man using a homemade armored bulldozer to terrorize a small town.
Striving for MECE. MECE, or “Mutually Exclusive, Collectively Exhaustive,” is an acronym used in some analytic circles to express the analyst’s goal of establishing as complete a set of hypotheses as possible for a particular question at issue. While this may be the holy grail of analysis, a practical re-write of this acronym in light of the discussion thus far is “Mutually Exclusive, Conditionally Exhaustive,” with the caveat that the analyst must make explicit the assumption of deliberately excluding the residual hypothesis from the analysis of event likeliness. Of course we should not ignore the possibility of unknown, “black swan”-type events, but for the purposes of establishing relative likeliness, it is essential to put them aside until such hypotheses can be made more explicit. After doing an analysis under the “conditionally exhaustive” assumption, one way to hedge the analysis is to make a statement such as “We cannot rule out the possibility of alternative futures not addressed in this study.” Yes, such a statement may make the analysis appear weaker, but not including such a statement might convey an unwarranted sense of certainty in the impossibility of events contained in the residual hypothesis.
Combinations and Possibility Trees. In the event that one must consider possible combinations of events or outcomes, possibility trees facilitate the process of generating an exhaustive set of possibilities. A possibility tree is a technique for visualizing combinations of events without specifying the probabilities, temporal order, or logical relationships of events. If done properly, a possibility tree will construct an exhaustive set of event and outcome combinations. For example, consider three outcome types of concern to the information security professional: confidentiality, integrity, and availability.
- Let C be the event “loss of confidentiality” and ~C represent “Not C.”
- Let I be the event “compromise of integrity” and ~I represent “Not I.”
- Let A be the event “loss of availability” and ~A represent “Not A.”
A possibility tree can be used to construct an exhaustive set of event combinations as shown below, where each combination of events is shown in the right-most column. Trying to explain how to construct a possibility tree in words eludes me at the moment, so I will instead suggest checking out the book entitled Discrete Mathematics with Applications by Susanna Epp (ISBN: 0534359450).

Scenarios. A scenario is the combination of an initiating event and outcome. The initiating event can, in principle, be a single event (e.g., explosive attack) or combination of events (e.g., two simultaneous explosive attacks, one attack at the same time as a hurricane, etc.). Likewise, the outcome can be specified along a single dimension (e.g., confidentiality) or along multiple dimensions (e.g., confidentiality, integrity, and availability).
Cross Product. Given a set of events and outcomes, a complete set of event-outcome pairs (i.e., scenarios) can be obtained by systematically pairing an event with each outcome, then repeating the process for all other events. This operation is known as the cross product of events e and outcomes o. For example, consider the case of three initiating events “A,” “B,” and “C” and three outcomes “X,” “Y,” and “Z.” The cross product of events e and outcomes o, denoted as e × o, yields the following scenarios: (A,X), (A,Y), (A,Z), (B,X), (B,Y), (B,Z), (C,X), (C,Y), and (C,Z). Note that the cross-product generates a complete set of scenarios without considering whether the combination is, in fact, possible. For example, let’s say “A” = “cyber attack” and “X” = “structural damage.” The combination (A,X) expresses the scenario “cyber attack results in structural damage.” Now perhaps this is a feasible pairing in some circumstances, but in most situations I can think of it is a practically impossible combination. Nonetheless, the cross-product operation would generate this scenario, thus leaving it up to the analyst to leverage all available evidence to judge such a combination as impossible (or in weaker form, “practically impossible”).
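Since both the possibility tree and the cross product are ways of generating every combination and then letting the analyst prune, here is one added example covering both (my own illustration, not from the lecture or from Epp’s book). The C/I/A dimensions and the A, B, C and X, Y, Z labels are the ones used above; the single “impossible” pairing (A, X) is a constructed analyst judgment standing in for the “cyber attack results in structural damage” case. The tree builder works for any number of binary dimensions, not only the three in the lecture.

```python
import itertools

# Constructed inputs: labels from the lecture, the impossibility judgment invented for illustration.
OUTCOME_DIMENSIONS = ("C", "I", "A")   # loss of confidentiality / integrity / availability
EVENTS = ("A", "B", "C")               # initiating events
OUTCOMES = ("X", "Y", "Z")             # outcomes of concern
IMPOSSIBLE = {("A", "X")}              # analyst judgment, e.g. "cyber attack" -> "structural damage"


def possibility_tree_leaves(dimensions):
    """Enumerate every combination of each dimension occurring (D) or not (~D).

    Each branch point doubles the number of paths, so n binary dimensions give
    2**n leaves. The leaves are mutually exclusive (no two paths share every
    branch choice) and exhaustive over the dimensions named."""
    branches = [(d, "~" + d) for d in dimensions]
    return [tuple(leaf) for leaf in itertools.product(*branches)]


def render_tree(dimensions):
    """Text rendering of the tree, one root-to-leaf path per line."""
    return "\n".join(" -> ".join(leaf) for leaf in possibility_tree_leaves(dimensions))


def is_mece(leaves):
    """True when no leaf is repeated and the count is the full 2**n."""
    n = len(leaves[0])
    return len(set(leaves)) == len(leaves) == 2 ** n


def scenarios(events, outcomes, impossible=frozenset()):
    """Cross product e x o, then set aside pairs the analyst has judged impossible.

    Returns (kept, removed) so that every exclusion is auditable later rather than
    silently dropped from the scenario list."""
    kept, removed = [], []
    for pair in itertools.product(events, outcomes):
        (removed if pair in impossible else kept).append(pair)
    return kept, removed


if __name__ == "__main__":
    print(render_tree(OUTCOME_DIMENSIONS))
    kept, removed = scenarios(EVENTS, OUTCOMES, IMPOSSIBLE)
    print("scenarios kept:", kept)
    print("judged impossible:", removed)
```

Keeping the removed pairs alongside the kept ones matters in practice: the cross product is only “complete” if every exclusion is an explicit, recorded judgment rather than an omission.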
Theory of Scenario Structuring. The Theory of Scenario Structuring, or TSS, is a “theory” proposed by Dr. Stan Kaplan and colleagues, and described in his 1999 monograph entitled New Tools for Failure and Risk Analysis: An Introduction to Anticipatory Failure Determination (AFD) and the Theory of Scenario Structuring (ISBN: 1-928747-05-1). TSS was also later described in relation to Hierarchical Holographic Modeling in the paper entitled “Fitting Hierarchical Holographic Modeling into the Theory of Scenario Structuring and a Resulting Refinement to the Quantitative Definition of Risk” by Kaplan et al. and published in the journal Risk Analysis, Vol. 21, No. 5, pp. 807- (doi:10.1111/0272-4332.215153). (side note: AFD and HHM will be discussed in greater detail in future lectures). TSS assumes the existence of a “success” or “as planned” scenario that describes the future as it should or is supposed to unfold. The success scenario is labeled S0 and is shown as a black curve in the figure below. Deviations in the “success” scenario may be beneficial (in the green zone above the S0 curve) or detrimental (in the red zone below the S0 curve). Since the focus of this course is on security, we restrict our attention to those scenarios in the red zone. At some point in time, an initiating event occurs (the little explosion graphic) that disturbs the system in a manner that yields undesirable consequences. As events unfold, the situation may improve or get worse; this can be observed at branch points, where an upward branch means improvement and downward branch means detriment. Each branch point creates an additional partition (i.e., division) of the outcome space, until ultimately there are a complete set of end states (consequence states).

To emphasize the concept of set partitioning, I ran through a number of examples as shown in the figures below. Note that I leveraged MS PowerPoint’s custom animation feature to systematically partition the event space in a manner that preserves its exhaustiveness.


I was also careful to emphasize that one could quickly get carried away with partitioning sets as shown in the sequence below. The top level event is “All Possible Scenarios” which can be divided as follows:


Further partitioning the event “A Malicious Attack Occurs” gives:


Further partitioning “A Malicious Explosive Attack Occurs Against Something that Matters to Me” gives:


where “AP#” reads “Attack Profile #,” and an attack profile describes a specific combination of delivery system and intrusion path leading to the asset (chemical plant, in this case). After all this partitioning, the event “AP8” shown above in relation to all other possible events in the universe is shown below (circled in yellow). If we proceeded to partition all events in this same manner, we would be left with hundreds of events, each of which would need full consideration in order to assess meaningful estimates of probability. Quite a challenge indeed.

The goal with partitioning sets is to do so in a manner that yields sufficient resolution to answer the question at issue yet is careful to not overwhelm the resources available to do analysis. Fine resolution costs more to analyze, but may not yield any additional insight than a slightly coarser model (e.g., “an attack will occur at 12:01:32 on Tuesday afternoon 26-feet off the northwest corner of Main Street and 45th Avenue with a 324.3 kg ANFO explosive (rho=0.631) packed in a blue 1996 Chevrolet minivan driven by two adults, one 24 yrs, 5 mos, the other bearded …”). In contrast, coarse resolution is cheap to analyze, but the result may be too general or abstract (e.g., “an attack will happen”) to be useful.
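The partitioning sequence above can be checked mechanically: at every level, the blocks must be mutually exclusive and must together equal the parent event, or exhaustiveness is lost somewhere down the tree. The following is an added illustration of that check (mine, not from the lecture). The atomic scenarios are a constructed toy universe of (actor, means, target) triples, and the three partition keys mirror the lecture’s sequence: malicious or not, explosive or not, matters to me or not. The leaf count at each depth shows how quickly resolution multiplies.

```python
import itertools

# Constructed toy universe: every (actor, means, target) triple is one indivisible scenario.
ACTORS = ("malicious", "accidental", "natural")
MEANS = ("explosive", "cyber", "other")
TARGETS = ("matters_to_me", "does_not_matter")
UNIVERSE = frozenset(itertools.product(ACTORS, MEANS, TARGETS))

# Partition keys, in the order the lecture applied them.
BY_ACTOR = lambda s: s[0]
BY_MEANS = lambda s: s[1]
BY_TARGET = lambda s: s[2]


def partition_by(event, key):
    """Split an event (a set of atomic scenarios) into blocks grouped by key(scenario).

    Grouping by a function of each element guarantees the blocks are disjoint and
    cover the whole event, which is exactly the MECE property at one level."""
    blocks = {}
    for s in event:
        blocks.setdefault(key(s), set()).add(s)
    return {k: frozenset(v) for k, v in blocks.items()}


def is_partition(event, blocks):
    """True when the blocks are pairwise disjoint and their union is the event."""
    blocks = list(blocks)
    pairwise_disjoint = all(a.isdisjoint(b) for a, b in itertools.combinations(blocks, 2))
    union = frozenset().union(*blocks) if blocks else frozenset()
    return pairwise_disjoint and union == event


def refine(event, keys):
    """Apply successive partitions to every leaf; return the final leaf events.

    Raises ValueError if any step fails the partition check, so a refinement that
    silently drops or double-counts scenarios cannot pass unnoticed."""
    leaves = [event]
    for key in keys:
        next_leaves = []
        for leaf in leaves:
            blocks = partition_by(leaf, key)
            if not is_partition(leaf, blocks.values()):
                raise ValueError("refinement broke exhaustiveness or exclusivity")
            next_leaves.extend(blocks.values())
        leaves = next_leaves
    return leaves


def leaf_counts(event, keys):
    """Number of leaves after each successive partition, starting from the root."""
    return [len(refine(event, keys[:depth])) for depth in range(len(keys) + 1)]


if __name__ == "__main__":
    keys = [BY_ACTOR, BY_MEANS, BY_TARGET]
    print("leaves per depth:", leaf_counts(UNIVERSE, keys))
    for leaf in refine(UNIVERSE, keys):
        print(sorted(leaf))
```

The `leaf_counts` output is the resolution-versus-cost trade-off in numbers: each extra key multiplies the number of events that would each need a probability estimate.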
In-Class Exercise. To get the class thinking about all of the above, I had students in groups participate in the following exercise:
You are the lead security risk manager for the National Spy Office (NSO), an organization that deals with analytical and operational matters at all classification levels. You have been asked by DDNSO to evaluate the proposed policy of allowing personal cell-phones within secured areas on the basis of risk. Establish the security context(s) and articulate what can go wrong and what outcomes are of concern.
The students, as a class, impressed me quite a bit with this exercise. While each group (among about 8-10 groups) came up with their own small set of plausible events and outcomes of concern, as a class the students brainstormed everything including disguising bad things as a cell phone (bomb, jammer, etc.), leveraging the cell phone’s capabilities to collect information (camera, audio), using advanced phones as a web server to break into classified networks, using the GPS capabilities to track spies, using the phones to enable command and control within the organization, lost productivity due to cell phone usage at work, hazardous cell phone accidents (e.g., battery explosions), using an ad hoc network of Bluetooth phones to create a surveillance net, and so on. After this exercise, I highlighted to the students that, in some cases such as this one, the information they generated was sufficient to inform decisions on what can be done to improve security. That is, this case is one where assessing the likeliness of alternative events and the vulnerability to outcomes isn’t necessary to generate a prioritized list of scenarios in order to come up with low-cost, yet effective, countermeasure ideas. Such proposals included:
- Having employees turn off their cell phones before they enter the secured area
- Having employees turn the phones on to show the guards that they are, in fact, cell phones and not something else
- Allowing only low-tech cell phones, such as those without cameras, GPS, Internet
- Allowing only very senior people to carry cell phones into the building
- Having people remove the batteries from the phone before entering the secured area
- Creating layers of security, where the outer layer allows cell phones and the inner layer does not
- Purchasing approved cell phones for employees
- Installing shielding that prevents cellular signals from entering or leaving the secured area
Again, this was a fun and impressive exercise. However, looking back on this exercise, I should have reminded the students to strive for MECE - many forgot to include the residual hypothesis.
Things I Forgot To Include
Since the two lectures for the week were supposed to cover set theory (albeit in disguise), I should have included the following topics, at least briefly:
- The intersection of two events “A” and “B” produces an event, call it “C,” defined as “C = A and B.” For example, let “A” be “explosive attack occurs” and let “B” be “hurricane occurs.” The event “C” is then “an explosive attack and a hurricane occurs.” The probability of the joint event “C”, Pr(C), is then equal to Pr(A,B) = Pr(A)Pr(B|A) = Pr(B)Pr(A|B). If the two events “A” and “B” are independent, then Pr(A|B)=Pr(A) and Pr(B|A)=Pr(B). This gives Pr(C)=Pr(A)Pr(B).
- The union of two events “A” and “B” produces an event, call it “D,” defined as “D = A or B.” For example, let “A” be “explosive attack occurs” and let “B” be “hurricane occurs.” The event “D” is then “an explosive attack or a hurricane occurs.” According to the third axiom of probability, the probability of “D,” Pr(D), is equal to the sum of the probabilities of “A” and “B” minus the probability of the intersection of “A” and “B.” Thus, Pr(D) = Pr(A) + Pr(B) - Pr(A,B). (note that Pr(A,B) = Pr(C) in the intersection discussion). If the two events “A” and “B” are mutually exclusive, then Pr(A|B)=Pr(B|A)=0, and Pr(D) = Pr(A) + Pr(B).
- A set “D” is said to contain “A” if “A” is a subset of “D.” Conversely, “D” is a superset containing “A.” In the discussion of union above, “D = A or B,” thus single events “A” and “B” are subset elements of “D” since “D” contains both. The same cannot be said about “C,” since the intersection of two events “A” and “B” does not contain either unless “A” and “B” are equivalent. All of “A,” “B,” “C,” and “D,” are contained in the universe “S.”
- The complement of the event “A” is simply the event “Not A.”
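The four set-theory points above can all be exercised on one small finite universe, which is the example I would have shown had I covered them (added here; the numbers are constructed, not drawn from any study). The universe S has four atomic, mutually exclusive scenarios built from the explosive-attack and hurricane events used above, each with an assumed weight; the functions then compute intersection, union, complement, conditional probability, independence, mutual exclusivity and subset relations exactly, using fractions so the identities hold without rounding.

```python
from fractions import Fraction

# Constructed universe S: four atomic scenarios (attack? x hurricane?) with assumed
# weights that sum to one. The weights are illustrative only.
S = {
    ("no_attack", "no_hurricane"): Fraction(65, 100),
    ("attack", "no_hurricane"): Fraction(15, 100),
    ("no_attack", "hurricane"): Fraction(10, 100),
    ("attack", "hurricane"): Fraction(10, 100),
}
A = frozenset(s for s in S if s[0] == "attack")      # "explosive attack occurs"
B = frozenset(s for s in S if s[1] == "hurricane")   # "hurricane occurs"


def pr(event):
    """Probability of an event: the total weight of the atomic scenarios it contains."""
    if sum(S.values()) != 1:
        raise ValueError("weights must form a distribution over S")
    return sum(S[s] for s in event)


def complement(event):
    """The event 'Not event' relative to the universe S."""
    return frozenset(S) - event


def pr_given(event, given):
    """Pr(event | given) = Pr(event and given) / Pr(given)."""
    return pr(event & given) / pr(given)


def intersection_prob(a, b):
    """Pr(C) for C = A and B via the chain rule Pr(A)Pr(B|A); equals pr(a & b)."""
    return pr(a) * pr_given(b, a)


def union_prob(a, b):
    """Pr(D) for D = A or B: Pr(A) + Pr(B) - Pr(A and B)."""
    return pr(a) + pr(b) - pr(a & b)


def independent(a, b):
    """Independent when Pr(A and B) = Pr(A)Pr(B)."""
    return pr(a & b) == pr(a) * pr(b)


def mutually_exclusive(a, b):
    """Mutually exclusive when the events share no atomic scenario."""
    return a.isdisjoint(b)


def is_subset(a, d):
    """'D contains A' when every scenario of A is also in D."""
    return a <= d


if __name__ == "__main__":
    print("Pr(A) =", pr(A), " Pr(B) =", pr(B))
    print("Pr(A and B) =", intersection_prob(A, B), " Pr(A or B) =", union_prob(A, B))
    print("independent?", independent(A, B), " mutually exclusive?", mutually_exclusive(A, B))
```

With these weights the two events are neither independent nor mutually exclusive, which is the usual situation and the reason the general forms Pr(A)Pr(B|A) and Pr(A) + Pr(B) - Pr(A,B) are the ones worth remembering; the simplified forms fall out as special cases when the respective test returns True.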
Final Impressions
I covered quite a lot of ground this week, and I personally worry that the students might not have completely absorbed all of this content. My concerns would have been tempered had I felt assured that my students had adequate exposure to set theory and probability theory prior to enrolling in my course. But alas the system does not appear to be working in my favor, thus leaving it up to me to provide sufficient background instruction to enable good risk analysis. Fortunately, my impression is that the students at least kind-of get it, and the good news is that we have 25 lectures to go before the semester is done. All I really want is for my students to develop a “risk intuition” and knowledge of what is required of a risk analysis (plus critical thinking skills, of course). From this point of view I believe we are on the right track.
Next week’s topic: vulnerability (this should be a good one).