please check the attached module D thank you
4/10/2020 Elective Module D: Critiques on Security and Probabilistic Risk Analysis: SRA 311, Section 002: Risk Analysis, SP20 Howerton WC https://psu.instructure.com/courses/2043139/pages/elective-module-d-critiques-on-security-and-probabilistic-risk-analysis?module_item_id=28203356 1/1 Elective Module D: Critiques on Security and Probabilistic Risk Analysis For this module, you are to review the trio of articles critiquing PRA methodology for security. Probabilistic Risk Analysis: Its Possible Use in Safeguards Problems (1976) (https://psu.instructure.com/courses/2043139/files/105770568/download?wrap=1) Security Decisionmaking and PRA Methodology: Does PRA Methodology Effectively Assist Security Decisionmakers? (https://psu.instructure.com/courses/2043139/files/105770599/download?wrap=1) How Probabilistic Risk Analysis Can Mislead Terrorism Risk Analysis (2011) (https://psu.instructure.com/courses/2043139/files/105770600/download?wrap=1) 1. Look up who the authors of each article are and comment on their credibility on this topic. 2. Read and dissect each article using the Eight Elements of Thought. Use the EEoT worksheet. 3. What is PRA? Is each author operating on the same definition of PRA? 4. Summarize the main critiques of PRA. Choose at least one from EACH author. Do the authors agree with each other? Do their opinions differ? 5. If not PRA, then what for security? Comment on what each author says and then propose your own ideas. https://psu.instructure.com/courses/2043139/files/105770568/download?wrap=1 https://psu.instructure.com/courses/2043139/files/105770599/download?wrap=1 https://psu.instructure.com/courses/2043139/files/105770600/download?wrap=1 How Probabilistic Risk Assessment Can Mislead Terrorism Risk Analysts Risk Analysis, Vol. 31, No. 2, 2011 DOI: 10.1111/j.1539-6924.2010.01492.x How Probabilistic Risk Assessment Can Mislead Terrorism Risk Analysts Gerald G. Brown1 and Louis Anthony (Tony) Cox, Jr.2,∗ Traditional probabilistic risk assessment (PRA), of the type originally developed for engi- neered systems, is still proposed for terrorism risk analysis. We show that such PRA appli- cations are unjustified in general. The capacity of terrorists to seek and use information and to actively research different attack options before deciding what to do raises unique fea- tures of terrorism risk assessment that are not adequately addressed by conventional PRA for natural and engineered systems—in part because decisions based on such PRA estimates do not adequately hedge against the different probabilities that attackers may eventually act upon. These probabilities may differ from the defender’s (even if the defender’s experts are thoroughly trained, well calibrated, unbiased probability assessors) because they may be con- ditioned on different information. We illustrate the fundamental differences between PRA and terrorism risk analysis, and suggest use of robust decision analysis for risk management when attackers may know more about some attack options than we do. KEY WORDS: Decision analysis; expert elicitation; terrorism risk analysis 1. INTRODUCTION Following continued practice by the Department of Homeland Security (DHS), Ezell et al.(1) recently asserted that “a useful first-order indicator of terror- ism risk is the expected consequences (loss of lives, economic losses, psychological impacts, etc.)” and claimed that: “We take it for granted that all proba- bilities are conditional on our current state of knowl- edge . . . [T]here is no fundamental difference in this type of conditioning compared to conditioning prob- ability judgments in the case of natural or engineered systems.” This important claim—that the same type of conditional probability assessment applies as well to terrorism risk analysis as to probabilistic risk as- sessment (PRA) of natural hazards and engineered 1Operations Research Department, Naval Postgraduate School, Monterey, CA, USA. 2Cox Associates, Denver, CO, USA. ∗Address correspondence to Louis Anthony (Tony) Cox, Jr., Cox Associates, 503 Franklin Street, Denver, CO 80218, USA; tel: 303-388-1778; fax: 303-388-0609;
[email protected]. systems—is presented without proof. We believe that this is importantly incorrect, and that PRA calcula- tions based on this idea can be highly misleading, rather than useful, for terrorism risk analysis. In par- ticular, applying conventional PRA to terrorism may result in recommendations that increase the risk of at- tacks, or that fail to reduce them as much as possible for resources spent. This article seeks to clarify why conditioning risk estimates on knowledge or beliefs about the future actions of others, who in turn may condition their preferences for alternative actions on what they know about our risk estimates, leads to new problems in terrorism risk analysis that cannot be solved well, if at all, by traditional PRA. The particular formalism advocated by Ezell et al., based on the threat–vulnerability–consequence (TVC) formula “Risk = Probability of attack × Prob- ability that attack succeeds, given that it occurs × Consequence of a successful attack,” has previously been criticized on other grounds, such as its failure to optimally diversify protective investments, or to 196 0272-4332/11/0100-0196$22.00/1 C© 2010 Society for Risk Analysis How PRA Can Mislead Terrorism Risk Analysts 197 account for correlations and dependencies among the factors on its right-hand side, or to reveal the costs and benefits of alternative risk management de- cisions, or to use well-defined concepts that demon- strably improve, rather than confuse and obscure, de- cision making.(2,3) Here, we focus on a different issue: considering why a belief that there is no fundamen- tal difference in conditional probability calculations for systems with and without reasoning agents can provide a dangerously misleading foundation for ter- rorism risk analysis. More constructively, we suggest that a different approach, based on explicit recog- nition that attack probabilities may depend on in- formation that an attacker has but that we do not have, can be used to make more robust and use- ful risk management decisions—demonstrably supe- rior to those from PRA based only on our own information—by enabling a defender to allocate de- fensive resources to hedge against what he does not know about the attacker’s information. 2. ATTACK RISKS MAY DEPEND ON THE DEFENDER’S RISK ANALYSIS RESULTS The theory of “common knowledge” in informa- tion economics(4) explains why conditioning proba- bility judgments on the actions, beliefs, or statements of other reasoning agents differs in crucial respects— some of them startling—from conditioning probabil- ity judgments on information about a system with- out reasoning agents. One fundamental difference is that the behavior of reasoning agents may depend on what they know (or believe or infer) about what we know . . . including what we know they know, what they know we know they know, and so forth. This can lead to risks very different from those in systems without reasoning agents. For example, an attacker who uses the defender’s allocation of defensive re- sources to help decide where to attack (e.g., by rea- soning that the defender will give priority to protect- ing what he values most) poses a different kind of threat from an earthquake or a tornado, which strikes at random. Traditional PRA (e.g., based on event trees, F-N curves, probabilistic simulation models, etc.) is appropriate for the second type of hazard, but not the first. 2.1. Example: PRA Estimates that Inform an Adversary May be Self-Defeating Following the rationale of Ezell et al. (p. 578),(1) suppose that our terrorism experts compare the rela- tive probabilities of several different possible attacks, based on our judgments of the “relative technical dif- ficulties of executing these attacks.” Specifically, sup- pose that our experts rank five possible attacks on this basis from most likely to least likely. Consider an attacker who understands our risk assessment and who uses this decision rule: Do not attempt either of the two attacks that we (the Defender) rank as most likely (because we may be prepared for those), nor either of the two that are ranked least likely (because they may be too unlikely to succeed to be attractive). Instead, undertake the attack that is midway between these extremes. Then, any PRA ranking that our ex- perts generate will be self-defeating, in that the at- tacks that it ranks as most likely will actually have zero probability, whereas the middle-ranked attack will actually have a higher probability. This is be- cause the attacker cares about, and uses, the results of our PRA to decide what to do. Natural and engi- neered systems do not act this way. 2.2. Example: PRA Estimates that Inform Enemy Actions May be Self-Fulfilling Conversely, suppose that an attacker is very un- certain about whether an attack will succeed if at- tempted. He uses the decision rule: Attempt what- ever attack our (the Defender’s) PRA identifies as most likely to succeed (after any defensive mea- sures have been taken). In this case, whatever po- tential attack our PRA ranks at the top becomes the one that is actually attempted. In this context, using a random number generator to rank-order attacks would be just as accurate as expert elicitation, or any other ranking method. Moreover, although our ex- perts might assess identical PRA risk estimates in this example and the previous one, it is clear that the true risk of any specific attack depends on what deci- sion rule the attacker uses, and on what our own PRA concludes. This is very different from the behaviors of any natural or engineered system that does not use decision rules and that does not respond to PRA results. 2.3. Example: Risk Depends on Attacker Patience and Choices, Not Random Variables Ezell et al. advocate using the formula “Risk = Probability of attack × Probability that attack suc- ceeds, given that it occurs × Consequence of a suc- cessful attack.” But the phrase “given that it oc- curs” glosses over crucial information about why 198 Brown and Cox (i.e., based on what decision rule) the attacker at- tacks. Without this information, the proposed for- mula for risk is ambiguous. For example, suppose the three factors on the right side vary from day to day. Suppose an attacker uses the decision rule “At- tack if and only if the probability that the attack will succeed if it is attempted today is at least p,” where p is a number between 0 and 1. A patient at- tacker may wait for p to be close to 1; a less patient attacker will set p lower. The “Probability that at- tack succeeds, given that it occurs” depends on the attacker’s patience parameter, p, because this (and the successive realizations of the random variables) determines when the conditions for an attack are triggered. More patient attackers will have higher success probabilities, on average, than less patient at- tackers, but will wait longer. An assessment of risk based in part on the factor “Probability that attack succeeds, given that it occurs,” but without specifying p, is underdetermined. On the other hand, an assess- ment of risk based on specifying the above factors may be self-defeating. For example, suppose an at- tacker sets p by dividing the attacker’s own estimate of vulnerability by 2 (as would be appropriate if the attacker is a Bayesian with a uniform prior for this probability and if he interprets the defender’s vul- nerability estimate as an upper bound on the true but unknown value of this success probability). In this case, the defender’s PRA estimate of vulnerabil- ity will always be twice the true (realized) value that triggers an attack. In short