Schneier on Security
A blog covering security and security technology.
« Man-in-the-Middle Attacks Against SSL |
| Terrorist Attacks and Comparable Risks, Part 2 »
April 13, 2010
Terrorist Attacks and Comparable Risks, Part 1
Nice analysis by John Mueller and Mark G. Stewart:
There is a general agreement about risk, then, in the established regulatory practices of several developed countries: risks are deemed unacceptable if the annual fatality risk is higher than 1 in 10,000 or perhaps higher than 1 in 100,000 and acceptable if the figure is lower than 1 in 1 million or 1 in 2 million. Between these two ranges is an area in which risk might be considered "tolerable."
These established considerations are designed to provide a viable, if somewhat rough, guideline for public policy. In all cases, measures and regulations intended to reduce risk must satisfy essential cost-benefit considerations. Clearly, hazards that fall in the unacceptable range should command the most attention and resources. Those in the tolerable range may also warrant consideration -- but since they are less urgent, they should be combated with relatively inexpensive measures. Those hazards in the acceptable range are of little, or even negligible, concern, so precautions to reduce their risks even further would scarcely be worth pursuing unless they are remarkably inexpensive.
As can be seen, annual terrorism fatality risks, particularly for areas outside of war zones, are less than one in one million and therefore generally lie within the range regulators deem safe or acceptable, requiring no further regulations, particularly those likely to be expensive. They are similar to the risks of using home appliances (200 deaths per year in the United States) or of commercial aviation (103 deaths per year). Compared with dying at the hands of a terrorist, Americans are twice as likely to perish in a natural disaster and nearly a thousand times more likely to be killed in some type of accident. The same general conclusion holds when the full damage inflicted by terrorists -- not only the loss of life but direct and indirect economic costs -- is aggregated. As a hazard, terrorism, at least outside of war zones, does not inflict enough damage to justify substantially increasing expenditures to deal with it.
To border on becoming unacceptable by established risk conventions -- that is, to reach an annual fatality risk of 1 in 100,000 -- the number of fatalities from terrorist attacks in the United States and Canada would have to increase 35-fold; in Great Britain (excluding Northern Ireland), more than 50-fold; and in Australia, more than 70-fold. For the United States, this would mean experiencing attacks on the scale of 9/11 at least once a year, or 18 Oklahoma City bombings every year.
Posted on April 13, 2010 at 6:07 AM
• 29 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
The issue with terrorists getting nukes is not what they have done in the past (zero) but how rapidly it can change the risk profile when they do use a nuke. Scenario: terrorists use a nuclear device on a major city in the US and kill 1 million. This makes the new annual fatality risk in the US equal to 1/300 which is comparable to WWII at the top of the chart.
Scenario: Everybody eats cake.
Saying it might happen does not a risk analysis make.
This is exactly what I talking about when Schneier was speaking about Aviation Security in Second Life.
What they tell us to do is artificially inflate the risk of terrorism during Risk Analysis on the basis of a very vague Security Context Statements provided by the authorities. In some of the documents given to us to assist us to create our Transport Security Programs, they specifically say "Your program must focus on ... Terrorism".
This is where the problem lies, at least in Australia.
and more importantly, that strikes me as the sort of thing that is well handled by traditional means of investigation, another of bruce's themes.
If a terrorist organization gains nuclear capability, and the desire to actually use that, we should know about it long in advance. If we don't, we've already failed.
Clearly we should be doing more to prevent the use of home appliances. :-)
What is the basis of setting the ranges? If it's just what people are likely to agree to, you have to take into consideration *why* they're likely to agree with what makes a certain risk more or less acceptable. Accidents are acceptable at a higher level than terrorism to most people because we feel like there is more we, as individuals, can do to prevent them.
I agree we spend way to much money and energy in ways that aren't helpful when it comes to preventing terrorism. But I don't think you can exactly compare it's risk level to other things by numbers alone.
I'm not really happy with the definitions in the paper, as the rate for traffic accidents in the United States fall in the unacceptable category.
So either road traffic has to shut down immediately or our perceptions derive slightly from the numerical values and we do make trade offs in some cases. But then the whole idea of the categories is compromised.
the problem is: calculating numbers might be a good approach if done by an insurance company. Unfortunatly are decisions on budgets and regulations not done by analysts but by politicians. And these are calculating with slightly different parameters. Public opinion, press coverage, sponsorship from industries are coming into considerations. These extra parameters alter the results of the calculation obviously significantly.
It is really a pity but a proven fact that public opion is susceptible more to emotions than to facts.
a pedantic but important point: Great Britain by definition excludes Northern Ireland. I think the writers mean "the United Kingdom".
So we cut funding gradually to counter terrorist programs till we reach 2,976 deaths a year increasing funding by the same amount to a higher risk threat and measure results.
@wolfe tone: this may help to clarify your point :-)
"The Great British Venn Diagram"
While I admittedly am not a risk analysis expert, it seems to me that there is a key difference between risks of death from transportation accidents versus terrorism. In the case of terrorism, the risk source is actively Trying to Increase its risk. If cars, planes, or home appliances deliberately and systematically tried to increase their power, rate, and effectiveness of killing, then they would be viewed in very different light as well.
I do think that funding for threat reduction methods like barriers, scanning/screening of passengers, engaging in combat, etc should take into account the risk levels of that particular threat, the effectiveness of the solution in reducing the risk, and the cost associated with it before they are implemented.
In a related manner, once risks are identified and quantified for things like home appliances, cars, and planes etc., there is no need to re-assess unless there are changes to system. Those changes are not intentionally hidden and thus it is easier to identify when a threat should be reassessed for risk. Finally when these threats are assessed, they will not deliberately try to hide or misguide the investigators. In the case of terrorism, the threat sources do try to change and improve themselves, they do try to intentionally hide their changes and efforts, and they do try to avoid being investigated by outside sources through many methods including secrecy and misinformation.
To me, this indicates a clear need for increased and continuing intelligence gathering of the threats, which requires additional funding. As Bruce has suggested before, we would be better served if the funding for many of the specific threat avoidance measures was channeled to better intelligence gathering.
Of course, on the subjective side of the house, there are the very real sociological, economic, etc issues associated with the egregious nature of the risk much like homicide and rape.
Any attempt to put number values on current risk assessment practice is pointless. If a "1 in 10,000" risk was typically considered unacceptable, nobody would drive to work, go to McDonald's, drink, work in construction/fishing/logging/mining, have casual sex,
As I've learned on this blog, human risk assessment is massively affected by various biases (we're more risk-tolerant when we have the illusion of control, when the risk is familiar or easily visible, or when the number of people affected is very small or very large.) To put a number on it is missing the point.
As can be seen, annual terrorism fatality risks, particularly for areas outside of war zones, are less than one in one million and therefore generally lie within the range regulators deem safe or acceptable, requiring no further regulations, particularly those likely to be expensive. They are similar to the risks of using home appliances (200 deaths per year in the United States) or of commercial aviation (103 deaths per year).
This is a false comparison.
First off airline and appliance deaths/injuries/accidents when not due to random chance (weather), operator stupidity (showering with an electric chainsaw) are due to negligence of one sort or another (not following proper maintenance procedures, flight protocals, doing half your calculations in imperial units, the other half in metric etc.). They usually NOT the result of a deliberate attempt by one party to inflict death and injury on another.
Secondly, and what follows on from that in a way, is that there is a HUGE regulatory structure in place to make sure that this negligence happens rarely. From the underwriters laboratory to the NTSB, from FAA regulations and inspectors to ambulance chasing lawyers, if you run an airline or make an appliance there are people waiting for you to screw up.
If you're a terrorist, are you afraid of a lawsuit?
Is there a UN Department of Terrorist Regulation that you have to register with and who verifies that you're using the most humane methods of killing and maiming?
Things like the NTSB, UL, the FAA and lawsuits et. al. consume a rather large (subjectively, not relative to the GDP) chunk of resources, they just do it quietly, and have done it for so long it's "normal", and consume these resources in a distributed fashion in the background.
Most people aren't afraid of floods, but they are afraid of lightening.
Terrorism IS a problem, but mostly because governments respond badly to it.
I like it, but the model seems too simple.
In the first place, costs are not only discussed in terms of fatalities. There's also economic loss. At risk of seeming cold, it seems to me that at a minimum, the risk thresholds should be represented by contours in the 2-D plane of fatalities vs. economic cost, rather than just at set points in fatality rates. After all, if a hurricane destroys a city without causing as many immediate casualties as a bombing, it may still blight more lives for a longer time.
The second improvement is to include future expectation, instead of just historical-actuarial analysis. There are economists who work on incorporating qualitative information (such as from secret intelligence) into risk models that attempt to fully quantify the uncertainties (and no, not in the naive, lazy models used by investment banks, and critiqued in "The Black Swan"). This would begin to incorporate mitigation of risk from low-probability, high-damage events for which actuarial data does not yet exist.
And to the usual chorus of "but terrorism is different, because the terrorist have evil intentions, whereas hurricanes and appliances are dispassionate", you've missed the point of risk analysis. It's not about creating a Top-40s list of whose risk is scarier, but about allocating scarce resources. The _only_ way to make a reasoned allocation between law enforcement, infrastructure investment, intelligence, emergency response, military investment, civil organization, civil rights limitations, and so on, is to compare, quantitatively, the risks addressed by these responses. Obviously, in the infinite resource approximation, we would invest infinite amounts in all of them, to the extent that they don't conflict with each other. But we have finite resources to invest. We can choose allocation criteria based on reason, or on passion. This paper is part of an effort to spell out the reasoned path.
Seems some comments are missing the point. Terrorists cause a fatality rate in the existing prevention system. Cars, appliances, etc, also cause a fatality rate in the existing prevention system.
Nobody is saying "well the terrorists kill so few people, lets just stop trying to stop them until they become a 'real' threat". What they are saying is that we've increased security theater costs to the tune of $1 trillion since 9/11 to counter a threat that has a lower fatality rate than industrial accidents.
Think of how much good that $1 trillion could do if it was applied to poverty, industry safety infrastructure, cancer research, etc.
Do we need to fight and prevent terrorism? Yes. Do we need to keep burning money on ineffectual means of prevention? If your neocortex is bigger than your amygdyla, no.
"And to the usual chorus of "but terrorism is different, because the terrorist have evil intentions, whereas hurricanes and appliances are dispassionate", you've missed the point of risk analysis. It's not about creating a Top-40s list of whose risk is scarier, but about allocating scarce resources."
At least in my case, I don't believe I have missed the point of risk analysis at all nor have I attempted to create a Top-40. There is a credible issue of even performing risk analysis on a threat like terrorism vs hurricanes and appliances Because of the very different way they behave. The quality of the risk analysis that can be performed on a threat like terrorism is much lower than the quality of the risk assessment that can be performed on something like a hurricane or a plane. First, the sheer size of the threat space for terrorism is orders of magnitude larger than that of any of the "traditional" threats used for comparison. And second, the chaotic nature of the human factor makes the number of reasonably possible permutations orders of magnitude larger.
For example, hurricanes are so complex and have so many variables they are quite chaotic in nature and thus very hard to predict (both on the individual and on the aggregate level). Think of the years upon years of research in hurricane models and all the related science along with the massive computer simulation models and systems built just to get to the level of accuracy we are at today. However, at the end of the day hurricanes are limited for all practical purposes to only occur in certain locations of the world (and of those, we really only care about the populated or developed areas), at certain times of the year, produce all of their damage via wind and water, and none of this changes from year to year, decade to decade. Only the specifics of where it makes landfall and with how much force really play into the level of risk. Finally, any attempts to measure, model, and react to hurricanes will not result in any change to the behavior of future hurricanes. All this makes risk assessment of hurricanes reliable enough to drive an insurance industry.
Terrorism is also complex and chaotic and thus very hard to predict (both on the individual and on the aggregate level). However, there is far less scientific and objective data into when, where, why, and how about past attacks compared to hurricanes. There are far fewer and much poorer quality computer simulation models and systems. Terrorism is not limited from any physical location on the planet (although we still only really care about populated or developed areas), is not limited to any one time of year, can produce their damage via any number of methods, and the methods/frequency/effectiveness can vary dramatically over time. Finally, any attempt to measure, model, and react to terrorist threats may (and the more effective the reaction, the higher the likelihood) change the behavior of future terrorist threats. All of this makes risk assessment of terrorist threats much more difficult.
Additionally, the second improvement regarding future expectations and qualitative information's inclusion into the model is absolutely desirable - it's the holy grail! It is also very impractical (and possible impossible). If one could model the human factor well enough for the terrorist threat, one could also model the stock market.
Therefore, I submit that the quality of the risk assessment performed for terrorist threats is much lower than that of the other proposed competing risk groups and thus at some point a subjective, qualitative judgment must be made. Risk assessment and all the numbers in the world simply aren't sufficient here.
This is why I favor increasing intelligence and emergency response preparedness over most specific threat mitigation investments.
@ Carlo Graziani,
"I like it, but the model seems too simple."
Yes it is. As you say the costs are somewhat difficult to assess.
For instance if you look at the "total cost to society" then your life has significantly different values depending on your age.
And in some cases your life has a negative value (ie you cost society less if you are dead).
One area that is difficult to assess is "short term gain" (tax revenue on smoking) verses "long term loss" (the cost of health care for those with smoking related illness).
Idealy for society you as an individual would smoke and drink heavily and indulge in other high taxation activities, whilst remaining economicaly productive untill you either die or retire.
If you retire you should continue your high taxation activities whilst you are not "a burden on society". When you do become a burden on society you should die as quickly as possible.
Unplesant as this sounds many "quality of life" assessments used by amongst others the medical provision fraternaty use just this model for deciding who does and does not benifit from treatment.
"This is why I favor increasing intelligence and emergency response preparedness over most specific threat mitigation investments."
I would very much agree, but with one stipulation.
Both the intelligence and emergency response preaparedness should be "broad based" not "narrow of focus".
That is when we learn how to "fight fires" we are taught the basics as apply to nearly all fires, and then only if warented by circumstances are we taught the specifics of fighting particular types of chemical fires (gas aluminium etc).
Likewise a "fire drill" should be almost as much use for other natural (earth quake) or man made (terrorism etc) issues.
Also teaching people more than just the rudiments of first aid is highly desirable for just about any incident you care to think about.
The lives of more soldiers have been saved by the quick response of those around them at the time they are injured than by the field hospitals. Most of the people who die on our streets would not die if those around them know how to give the required emergancy stabalisation treatment in short order instead of waiting for others to arive after it is to late.
It is some what harder to give examples of broad -v- narrow intel but you can rest assured that the broder the scope of investiagation the more "edge cases" it includes. And in general it is the edge cases that are more of a threat than the main stream (which is one of the reasons anti-terrorism activities are difficult).
However the one area tha under no circumstances should be broadend is legislation. That should always be narrow and specific in order to reduce the oportunity for abuse by those in authority.
@ mcluvin at April 13, 2010 10:35 AM
"Think of how much good that $1 trillion could do if it was applied to poverty, industry safety infrastructure, cancer research, etc."
If we really cared about saving people and making lives better then that would be a much better use of resources.
However we care more about fighting people we think might become terrorists and one day might kill a few hundred people - but only if its on a plane as preventing train attacks (or car, or..) is too hard.
The article notes that "Politicians and bureaucrats do, of course, face considerable political pressure to deal with terrorism, but that does not relieve them of their responsibility to expend public funds wisely."
But I think it leaves out the personal cost of these same politicians and bureaucrats of thier jobs when they appear to put the economics before the desire of their constituents to take real or imagined (security theater) action. In those cases, it's cheaper to create the Department of Homeland Security.
I see several fundamental flaws with this article. (I don't see it as an analysis.)
Risk is defined as consequence times probability (and often not necessarily a simple mathematical 'times' at that - 'combined with' is a more accurate description).
Although they can be used to estimate event frequency IF the events are reasonably predictable, historical events have no probability - they either happened or didn't happen and so their probability is undefined. Since it appears to be based entirely on historical data the last column in the table is actually Annual Fatality Frequency, NOT Annual Fatality Risk.
To further clarify the above point: The risk of a fatality from traffic accidents in the USA in 2011 is very near 1 in 8000 because the probability that about 34,000 people will die in traffic accidents is near one. However, the risk of a fatality from a terrorist attack in the USA in 2011 is NOT 1 in 3,500,000 because the probability of a major terrorist attack in the USA resulting in many deaths in that year is NOT predictable enough to be defined as the historical frequency.
Historical frequency for traffic accidents is pretty reliable, historical frequency for major terrorist events is not. I would argue that the risk of death from a terrorist event in the USA in the near future is much less than 1 in 3,500,000 due to some of the responses to the 2001 attacks. (And I agree that many of the responses have not helped...)
Because of the dependence on probability, quantitative risk numbers are very tricky. Just because someone generates a risk number doesn't mean it's technically defensible or even meets the definition of a risk descriptor.
I've yet to meet any reputable analyst who will state a defensible probability number for a major terrorist event in any reasonable specific future time period.
This 'analysis' is based on the flawed assumption that short-term historical frequency of deaths from major terrorist events over an arbitrary time period is a reliable indicator of future probability. It ain't so...
I thought it might be good to expound on my last point.
A good indicator of the quality of an analysis result is a sensitivity analysis. Change the input and see how much the output changes.
For deaths from traffic accidents, cutting the time period in half, then doubling it, gives very close to the original annual frequency numbers. i. e., the annual number of traffic deaths is pretty predictable. (You can get the raw numbers from the Dept. of Transportation web site if you want to do the calculations yourself.)
For terrorist event annual frequency, doubling the time period (to 1933-2007) essentially cuts the annual frequency in half. Not a good sign...
Cutting the time period in half results in either near zero for the annual frequency (for 1970-1988) or makes it twice as big (1988-2007). Again, not a good sign. This shows that the resulting annual frequency can be pretty much any number you want just by changing the input time period appropriately. (Try 1995-2001 as an input time period... Try August 2001-October 2001... Try 1800-2009)
Results that are this sensitive to input tells you that your results are probably too inaccurate to be defensible. In simpler language, the results can be easily manipulated just by changing the input appropriately. The results are likely wrong and probably not reliably determinable using the current dataset and analysis technique. In simplest terms, the results of the estimation of terrorist event annual death frequency are meaningless.
My can opener has it in for me. I'm surrendering it to the FBI.
There are a lot of commenters on this blog who seem to have a weird view on how risk is calculated and discussed.
I find that weird.
I wonder if anyone has used ISO 31000 yet..
Surely the risk estimation process involves saying things like
"in the last 10 years there have been X incidents therefore we think the probability is X/10 per year but this is modified by the recently identified trend that shows in the last 2 years there have been ((X/10)*4) incidents so this risk is increasing and we will treat it as Y"
The idea that a risk assessment is as simple as incidents / random time interval is not something I have ever used.
(Admitedly, lots and lots of risk assessments are even more arbritrary than that...)
Why only count death and not risk of other economic impacts? Terrorism has caused us over $1 Trillion of economic damage in the past decade. That's what terror does. Fear crushes our economy and makes our government do stupid things.
Certainly this economic damage has caused deaths, many more than terrorism has directly caused.
It is an unfortunate indicator of the world's general state of mind that terrorist attacks, auto accidents and environmental catastrophes are all measured by the economic yardstick.
There is a pervasive attitude of complacency from those in positions of authority towards these very real, equally valid issues. 1 or 1 million is not the issue morally. Striving towards what is proper in collective human conduct is.
If this was truly our Leaders' intent, as they espouse, then the fatalities of such events would be reduced to near zero...
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.