Risk, Uncertainty and Everything Else

According to a model for homeland security risk analysis that is currently under consideration for use in supporting resource allocation decisions, the formula for the risk associated with a specified scenario is as follows:

Risk = C * L(S|A) * L(A)  (Equation 1)

where L(A) is the likelihood of an attack being attempted, L(S|A) is the likelihood of adversary success given attack, C is the consequences following a successful attack, and the total risk is obtained by summing the results of Equation 1 for all relevant scenarios.  At first glance, it would appear to the casual reader that this model is simply an implementation of risk measured in terms of expected loss, with the exception of the non-standard representation of L(.) for expressing the probability of the event contained within the parenthesis (I disagree with this notation, but let’s just go with it for now). Further elaboration of this model was presented at a recent workshop I attended, where it was noted that the consequence variable C corresponded to the “worst reasonable case” consequences given a successful attack.

Equation 1 is a valid representation of risk if and only if the consequence represents a conditional expected consequence, or rather mean value of consequence given adversary success. That is, Equation 1 works in the context of risk expressed as an expected loss, all things considered.  While admittedly I have no information that fully explains the intent of the qualifying phrase “worst reasonable case,” one can reasonably assume from this phrasing that such a value takes on a value well above the mean, and perhaps positioned somewhere in the upper tail of the corresponding probability distribution on loss.

For sake of argument and without loss of generality, let’s assume that worst reasonable case corresponds to some percentile value above the median, say 90%. That is, the worst reasonable case loss according to this hypothetical interpretation is the value of loss that will not be exceeded in 9 out of 10 cases (or rather, will only be exceeded in 1 out 10, or 10% of attacks). Alternatively, worst reasonable case can be taken as the conditional average value of loss in some finite region of the upper tail, or any other percentile value above the median. Of course, the exact interpretation of “worst reasonable case” is vague, but assuming that it takes on any value other than the mean is equally valid in making the point in this critique.

One reasonable assumption in using the risk model in Equation 1 is that given inputs for consequence characterized as “worst reasonable case” for each scenario, the result from Equation 1 should be the “expected worst reasonable case” consequence in light of non-zero probabilities of adversary success and failure and non-zero probabilities for attack and no attack. As described in any textbook on risk analysis or decision theory, the use of an expected conditional loss given success in Equation 1 yields risk that is, in fact, in terms of an expected loss across all included scenarios. Now assuming that “worst reasonable case” preserves its interpretation in the context of both “worst reasonable case” consequence given success and “expected worst reasonable case” consequence (e.g., “worst reasonable case” always implies a percentile value of 0.9 or 90%), does Equation 1 adhere to this assumption? Only one single counterexample of how the translation does not hold is necessary to answer this question in the negative.

Example: Consider two scenarios, labeled “Scenario 1″ and “Scenario 2″ with conditional consequence distributions (given a successful attack) shown in Figure 1. From these distributions, the “worst reasonable case” (at 90%) is 12.6 and 6.3 for Scenarios 1 and 2, respectively. Now let’s assume that the probability of adversary success for Scenario 1 has been determined to be 0.8 (probability of adversary failure is 0.2), and the same parameter for Scenario 2 has been determined to be 0.7 (probability of adversary failure is 0.3). This gives conditional consequence distributions (given attack) for both scenarios as shown in Figure 2, where it is assumed that attack failure produces no consequence. From these conditional consequence distributions given adversary success, the “conditional worst reasonable case” consequences are 12.3 and 6.1 for Scenarios 1 and 2, respectively.

Now, let’s further assume that the probability of attack in a given time frame is 0.4, with 0.7 of this probability being allocated to Scenario 1 and the balance (0.3) being allocated to Scenario 2. From this extra information, the probability of attack for Scenarios 1 and 2 are 0.28 and 0.12, respectively (0.6 probability of no attack). The aggregate consequence distribution is shown in Figure 3. Recalling that we are setting “worst reasonable case” to the 90% percentile value on loss, the “worst reasonable case” consequence in light of the conditional consequences and probabilities for attack (and no-attack) and success (and failure) for each scenario is in the low 10’s (just read the consequence value off the chart that corresponds to a probability of 0.9 on the y-axis).

Figure 1. Cumulative probability distribution functions for the simple conditional consequence distribution given adversary success for Scenarios 1 and 2

Figure 2. Cumulative probability distribution functions for the simple conditional consequence distribution given attack for Scenarios 1 and 2

Figure 3. Cumulative probability distribution functions for the aggregate consequence distribution

For Equation 1 to be mathematically valid, it must be coherent. That is, the “worst reasonable case” as read from the distribution in Figure 3 must equal that calculated from Equation 1. Let’s see if this is the case. For Scenario 1, the “worst reasonable case” consequence conditioned on adversary success is 12.6, with a probability of adversary success of 0.8 and a probability of attack of 0.28. Thus, the “expected worst reasonable case” consequence for Scenario 1 is (12.6)(0.8)(0.28)=2.8. For Scenario 2, the “worst reasonable case” consequence conditioned on adversary success is 6.3, with a probability of adversary success of 0.7 and a probability of attack of 0.12. Thus, the “expected worst reasonable case” consequence for Scenario 2 is (6.3)(0.7)(0.12)=0.5. Adding these two values together gives a “total expected worst reasonable case” consequence of (2.8)+(0.5)=3.3. This value for “expected worst reasonable case” is NOT equivalent to the value read from the plot in Figure 3. In fact, according to Figure 3.3, a consequence of 3.3 is about equal to the 70% percentile on aggregate loss. THIS VALUE IS MARKEDLY LESS THAN THE ACTUAL “WORST REASONABLE CASE VALUE”, which suggests that the value obtained from Equation 1 may SIGNIFICANTLY UNDERESTIMATE the worst reasonable aggregate consequence. This effect is even more exaggerated when considering many more than 2 scenarios.

Bottom Line: Unless “worst reasonable case” consequence is another way of saying “expected” consequence (which I doubt, otherwise the word “expected” would be used), there is no guarantee that Equation 1 produces results that are coherent with more rigorous calculations on the underlying probability distributions. Accordingly, Equation 1 is improper for use in the context of informing resource allocation decisions for homeland security.