Thirteen years after the attacks on the World Trade Center and the Pentagon, one thing has become clear about the challenges of modeling and analyzing terrorism risk: at the core of the peril is the intelligence of an adversary who can decide where and when to strike and have counter-moves for every move you make.
Prior to 9/11, the mathematical science of risk modeling, particularly as it applied to the perils corporations might expect, was based on the data provided by Mother Nature, a much less intelligent actor. “We understand wind storms, we understand surf. We understand that they’re pretty particular. They like the coast,” says Richard Rabs, vice president of insurance and risk at Veolia Environnement North America, a water, waste and energy management company.
“But terrorism doesn’t have any of those types of things. We can make some assumptions, but we just don’t have the data,” he adds.
The data that any one corporation might be privy to about its terror exposures comprises a sample that’s too narrow to allow for charting out probabilities — and much less manage the risks on the basis of those assumptions, according to Rabs.
Yet narrow as the sample may be, it’s dense with different kinds of data. Terrorist acts that can hurt a company’s employees, operations and financial structure, for example, can be directly aimed at individual companies or hit them indirectly, mistakenly or as a component of a broader target. The attackers can be based domestically or in a foreign country. Their weapons can range from computer viruses to stolen planes to chemicals to nuclear, biological or radiological devices. And so on.
“I don’t think the average risk manager does a lot with terror risk modeling,” Rabs says. “Not because we don’t care about it, but because, at least in my case, we’re not 100 percent convinced that there’s really a good model out there.”
It’s a different story, of course, for the property-casualty insurance industry, which can analyze the probabilities of a strike based on the data culled from client portfolios. Compared to information about natural-catastrophe risks, however, those portfolios provide a dearth of data about terrorism risk, simply because collecting it has seemed a priority for only a dozen years.
In short, terrorist catastrophes remain “black swan” events, devastating outliers that seem predictable only in retrospect. Even for the insurance industry, the brevity of modern terrorism risk has made drawing generalizations about it a fool’s game. “Given the paucity of historical data and diversity and shifting nature of expert opinions, catastrophe models used to estimate terrorism risk are relatively undeveloped compared to those used to assess natural hazard risks,” said Robert Hartwig, president and economist of the Insurance Information Industry, in testimony prepared for a U.S. House subcommittee hearing a few weeks ago. “The bottom line is that estimating the frequency of terror attacks with any degree of accuracy … is extraordinarily challenging, if not impossible in many circumstances.”
Given that figuring out the probability of an attack based on the available data is currently so difficult, how can a particular CFO gain a more precise basis for managing the risks of an attack on his or her corporation?
To be sure, probability — estimating the frequency of an event by comparing different sets of data — is still very much in use. But a consensus for a more eclectic and dynamic approach to modeling terrorism risk appears to be emerging.
Using such an approach, probabilities can be built into computer-simulation models, enabling risk analysts to determine the likelihood that terrorists will act in certain ways given certain scenarios.
Yet no matter how up-to-the minute and precise terrorism risk models are, terrorists are notorious for acting in unexpected ways. To anticipate those ways, companies are increasingly relying on game theory, under the notion that by hunting down villains in hypothetical situations, you might be able to unearth the unexpected.
The Desire of al-Qaeda
From the very beginning of terrorism risk modeling, analysts knew that a different game was afoot than that of trying to assess the likelihood of an earthquake or a tornado. Barely more than a year after the 9/11 attacks, Gordon Woo, a mathematician with Risk Management Solutions who had just created RMS’s first terrorism risk model, was declaring that a “traditional probabilistic approach, such as used for modeling natural catastrophes, is simply not up to the challenge” of quantifying terrorism risks.
In introducing the model in 2002 (two other such firms, AIR Worldwide and EQECAT also introduced models that year), Woo said he used game theory in developing it. “Game Theory helps us model the implications of the complex dynamics between… conflicting factors,” he said at a seminar then. “On one hand, we have al-Qaeda’s desire to maximize the utility of their attacks, and on the other hand, we have to consider their rational response to stepped-up security and counter-intelligence efforts and the constraints of their technological and logistical capacities.”
While such models enabled companies to zero in on protecting what are now called “trophy targets” — highly visible, highly valuable corporate assets like the Sears Tower in Chicago — they did not yet focus on analyzing the actions of terrorists in response to counter-terrorism.
In the intervening years, however, counter-terrorism has outstripped terrorism by a considerable margin, according to Woo. Testifying in September before the House Financial Services Committee, he could say that terrorism risk has become “as much about counter-terrorism action as about terrorists themselves. U.S. terrorism insurance is essentially insurance against the failure of counter-terrorism.”
While many terrorist plots are still being developed, “the vast majority are interdicted through the diligence of western intelligence and law enforcement agencies. Mass surveillance of communication links, and the intrusion of intelligence moles, elevate[s] the likelihood of plot interdiction with plot size,” Woo said.
The reasoning is that the larger the terrorist cell, the more likely it is that information will leak out about it to the authorities. RMS estimates that a plot involving as many as 10 would-be terrorists has only a 5 percent chance of not being caught. “With the intensive global surveillance conducted today by Western intelligence agencies, a plot involving as many as 19 hijackers or bombers would have only a minimal chance of eluding their attention,” Woo testified.
But if the balance of power has shifted to counter-terrorism, the chances are good that terrorists will adjust to that, too. To model the risk under current circumstances and be able predict the likelihood of attacks, government and private-sector analysts are increasingly relying on computer simulations and games, according to Barry Ezell, an associate professor of research at the Virginia Modeling, Analysis and Simulation Center at Old Dominion University.
To explain how such a game-theory application might work, Ezell supplies the example of running a seaport. Such an operation could have many activities running simultaneously: ships, trains and other modes of transport arriving, unloading and loading cargo, and departing.
“You can create that environment in a simulated world,” Ezell says, noting that data generated for all those different activities can be used to simulate the operations of the port. “And then you can inject the effects of different terrorism scenarios into that simulation, and look at the consequences to your port operations.”
At that point, the game player (perhaps in the guise of a “blue team” playing against a terrorist “red team”) can introduce various security measures aimed at averting terrorism. Then the player would rerun the scenarios to see how each security measure “drives down the consequences” of the terrorist plot, according to Ezell.
By playing such games, he adds, “you can discover some black swan events that you would have never learned using other approaches.”