Lewis, Taquechel Seek to Quantify Deterrence
Continuing the collaboration that they began in 2009 in Ted Lewis’ Critical Infrastructure Protection course, which led to an article on transfer threat analysis. CHDS alumni Eric Taquechel and Dr. Lewis recently published their second article in support of risk management advancement. While a student at CHDS Taquechel and Dr. Lewis developed a philosophy and quantitative techniques for measuring the deterrence effectiveness of critical infrastructure security measures. This resulted in a paper published in the July 2012 Homeland Security Affairs Journal: “How to Quantify Deterrence and Reduce Critical Infrastructure Risk.”
1) This paper formally makes a case for the importance of measuring deterrence. Equally significantly, it makes the case for, and shows how to, incorporate measurable deterrence metrics into established probabilistic risk analysis techniques. This is important because critical infrastructure risk data is then more robust and reflects our beliefs on would-be attacker preferences. It shows how to evaluate return on investment of deterrence investments, as the notional data supporting the deterrence quantification equations uses notional investment (dollar) information.
The paper discusses the historical work that lends to a quantitative approach to measuring deterrence. It draws from concepts in well-established operations research and decision making fields such as game theory and utility theory. It offers directions for future work, citing advances in decision theory and other considerations.
2) The key to Taquechel and Lewis’ approach is to consider two temporal states: before deterrence measures and after deterrence measures. Before deterrence measures, the gain an attacker would achieve from attacking one critical infrastructure is compared to the aggregate gains they could achieve from all possible infrastructure attacks under consideration. That comparison yields a ratio, which is treated as a proxy for attacker intent: the probability that a specific attack is desired. After hypothetical deterrence measures, the new gain from one possible attack is compared to aggregate new gains of all possible attacks, and new intent values are calculated. For individual attack options, deterrence is quantified as the extent to which the “before” intent differs from the “after” intent. But, then the “after” intent is applied to the attacker’s new gain, expressed as a probabilistic risk equation, to produce what the authors call an unconditional risk value. The unconditional designation reflects the likelihood that the attacker desires to attack that infrastructure, coupled with the likelihood they would succeed in producing a consequence if they decided to initiate an attack. The effects of new security measures are thus reflected twice in the “after” risk value; and the authors justify this double-counting.
Throughout the process of developing this paper, Taquechel and Lewis were reminded that one challenge to acceptance of new risk methodologies is tailoring them to fit the particular characteristics of different infrastructure sectors, local politics, and other issues. Their methodology is thus deliberately general enough so that it can be modified without sacrificing basic principles, and tries to balance the reality of local variance with the equally salient reality of need for broad applicability. For instance, the case study in this article leverages notional data from one specific probabilistic risk analysis tool. However, industry or government agencies which would use the deterrence measurement methodology proposed in the article may prefer risk data input from a different model. The general deterrence measurement approach proposed in the article would still be applicable; the entering data would be from a different source.
Taquechel and Lewis also believe another challenge with risk management is that there are different schools of thought on the technical approach to risk analysis: most notably, probabilistic risk assessment and operations research. There is an abundance of excellent work in both fields of study, and their differences are highlighted in various articles, government reports, and other sources. So, the authors set out to propose a methodology that drew from elements within both fields. Both fields have valuable techniques and concepts to inform an approach to measure critical infrastructure deterrence.
3) Taquechel and Lewis’ motivation to pursue this effort originated from their attendance at port security discussions at their jobs. These discussions largely centered on the importance of deterrence in maritime security operations and regulatory enforcement, but often the question, “well, how do we quantify deterrence” would be raised. Given that quantitative risk analysis methods support maritime critical infrastructure security policy and tactics, the importance of quantifying deterrence became evident. Thus, the authors decided to take this challenge on. They speculate that agencies with maritime security responsibilities may eventually be called upon to provide quantitative metrics on deterrence operations, and so this methodology would support that contingency.
“Again, the CHDS program helped contribute to the discourse on real-world problems,” Taquechel and Lewis said. “The CHDS program is not intended to create mathematicians, or to teach students deterrence theory and game theory. But, because of the strong instructor-student relationships, the great relationships between the center and DHS agencies and the center’s linkages to other fields of study, there are plenty of opportunities to apply concepts from those fields to current and emerging critical infrastructure risk management issues, in an actionable way. As practitioners and those who educate them, we have an obligation to solve problems, and combining the strengths of different schools of thought into one approach could be the best way to solve those problems.”