CHDS Alum proposes resilience options for grant program

Eric Taquechel (MA, 2010) recently published his third journal article in support of risk management advancement.

In “Options and Challenges of a Resilience-Based, Network-Focused Port Security Grant Program” published in the Journal of Homeland Security and Emergency Management (JHSEM), Taquechel suggests new evaluative approaches and options for the Federal Emergency Management Agency’s Port Security Grant program (PSGP).

The paper builds on concepts from previous work that originated from Dr. Ted Lewis’ CHDS Critical Infrastructure Protection course.

Taquechel had been exposed to the world of port security grants for several years at his job, and wanted to leverage ideas on resilience and risk from CHDS and additional study to propose alternatives to the current PSGP approach. The current approach prioritizes investments to improve security of individual maritime critical infrastructures/key resources (MCIKR).

(1) The paper explains why MCIKR should be modeled as components of supply chains or interdependent networks, rather than treated as stand-alone entities. It then explains why the current theoretical risk foundation for the PSGP might not be adequate if a resilience-based, network-focused approach were adopted.

Next, the paper reviews a brief history of risk-based, resilience-based, and network interdiction-based theory and application.

Then, the paper proposes a definition of quantifiable resilience in the context of supply chains and lays out a methodology to analyze and quantifiably improve the resilience of supply chains that include MCIKR as their “starting points.” PSGP investments to rebuild physical damage to MCIKR would be the means of improving resilience. This methodology leverages principles from risk analysis, resilience analysis, and the Operations Research (OR) concept of “optimization-based reverse engineering.” It also incorporates principles from intelligent adversary modeling, another field espoused by OR experts, to give analysts and decision makers additional options for exploring supply chain resilience.

Thus, an analyst could determine how PSGP resilience investments would influence not only the MCIKR ability to restore productivity after an attack or other disruption, but also how the downstream customers of that MCIKR would be affected. Overall network resilience is calculated before and after hypothetical future PSGP resilience investments. These investments could be optimal, or suboptimal, depending on decision-maker preferences. An analyst could also conjecture how such resilience investments could theoretically deter a would-be attacker who was considering an attack to precipitate supply chain failure.

(2) The technical approach, which could leverage data from existing MCIKR risk analysis tools,  would be implemented in an upgrade to Lewis’ Model Based Risk Assessment (MBRA) tool, incorporates principles from Taquechel’s previously published work on transfer threat analysis, “Layered Defense: Modeling Terrorist Transfer Threat Networks and Optimizing Network Risk Reduction” in the December/November 2010 edition of IEEE Network.

(3) These principles included the concept of juxtaposing MCIKR “organic” and “inherited” failure susceptibilities in the context of layered defense.

“That said, applying this concept to analysis of supply chain network resilience in the PSGP paper required different mathematics than applying it to analysis of attacker decision-making processes in the 2010 paper,” Taquechel said.

The technical approach also incorporates principles from Taquechel and Lewis’ previous work on measuring deterrence in the July 2012 Homeland Security Affairs Journal, “How to Quantify Deterrence and Reduce Critical Infrastructure Risk.” Because the present paper compares “organic” supply chain resilience to “enhanced” resilience after hypothetical grant investments, one could argue that this change in outcome produces a change in attacker intent, influencing the relative probability of attacking one supply chain versus another. This change in intent is a proxy for measuring deterrence, but can also be applied to create what the paper calls “unconditional resilience”, reflecting the supply chain’s ability to restore productivity that accounts for its attractiveness from an adversarial perspective. This resonates with the DHS Risk Lexicon, which includes in its definition of deterrence:

“Resilience, in terms of both critical economic systems and infrastructure and in societal resilience (e.g., the famed British ?stiff upper lip? of WWII, advance preparation for effective consequence reduction response operations, etc.), also has a potential deterrent value achieved when terrorist groups perceive that the strategic impact they seek through a particular attack or type of attack will not be achieved.” (DHS 2010, p. 12)

Equally importantly, the methodology in this approach is indifferent to the “precipitating event” that would warrant resilience funding. MCIKR would need to rebuild regardless of whether a natural or man-made attack precipitated structural damage and impeded operations. So, the principles in this approach might have applicability to modeling resilience in the face of problems beyond just those induced by terrorism.

“The goal was first and foremost to continue the exposition of different schools of thought for terrorism risk analysis, and to suggest how principles from these schools might be synthesized. This was all done with the intent of exposing this information to FEMA and other stakeholders with equity in both the federal grants programs and supply chain management,” Taquechel said. “As in our last paper, we propose that combining the strengths of different fields is a viable option to help solve critical infrastructure security problems. There has been a robust debate throughout academic and government circles over the last decade. While it is important to acknowledge the tremendous effort that has gone into developing the different theories and applications in multiple fields, and to laud the fruits of that labor, we claim it is equally important to think about ways that we can ‘cherry-pick’ from the best of these fields.”

Taquechel added, “Grant policy has recently emphasized resilience in addition to prevention and protection, but we wanted to provide an actionable methodology to support implementation of the policy emphasis. If adopted, this approach might have implications for civil engineers and contractors who would help rebuilding damaged infrastructure, regulatory agencies who oversee building permitting, and other entities with equity in replacing physical infrastructures after a disaster. It would take some burden off  port security experts who analyze ‘prevention/protection needs’ and create opportunities for those who come into play after a disaster- the ‘respond/recover’ folks. This doesn’t mean that prevention and protection become any less important to grants or infrastructure security in general; it just means that different elements of the Homeland Security and Emergency Management enterprise would be engaged in a methodical way.”

3) Taquechel concluded:  “On a personal note, it’s worth pointing out that this third piece represents the culmination of an effort to propose different ways of addressing each of the three components on the right hand side of the traditional probabilistic risk equation: Risk=Threat *Vulnerability * Consequence. I wish I could say it was by design from the start, but halfway through the writing of the HSAJ paper and concurrent development of the JHSEM paper’s concepts, Dr. Lewis and I realized we were exploring new ideas on all three of these components.

Our experience told us that existing risk analysis tools often emphasized the individual CIKR susceptibility to an attack once that attack was initiated, which reflects vulnerability, and immediate effects of a successful attack, which reflect short term consequence. These specific attack stages were emphasized to communicate the risk tools’ strengths, which were primarily analysis of the specific attack stages immediately before and after an attack, and with respect to attacks on individual CIKR. So, it made sense to research the ‘outlying’ stages of that attack sequence, more specifically threat and long term consequences. It also made sense to research vulnerability from a systems perspective, given the ongoing emphasis by the Domestic Nuclear Detection Office and other agencies on supply chain exploitation and the radiological/nuclear attack threat.

The IEEE paper expanded on vulnerability to attack, analyzing transfer threat susceptibility or supply chain exploitation susceptibility while the HSAJ paper expounded on threat, analyzing how one component of threat (intent) could change given defensive investments at our infrastructures, and used that change in intent as a proxy for measurable deterrence. Now, our JHSEM paper offers a new way of thinking about consequences, proposing ideas for improving supply chain resilience and addressing second order effects.

For each of these papers, we’ve tried to ground the theoretical discussion in context of policy, whether it be the International Ship and Port Facility Security (ISPS) code that could benefit from analysis in the IEEE paper, or the Port Security Grant Program implications of the HSAJ and JHSEM papers.”


Associated file: Options and Challenges of a Resilience-Based, Network-Focused Port Security Grant Program