Thirteen years after the attacks on the World Trade Center and the Pentagon, one thing has become clear about the challenges of modeling and analyzing terrorism risk: at the core of the peril is the intelligence of an adversary who can decide where and when to strike and have counter-moves for every move you make.

Prior to 9/11, the mathematical science of risk modeling, particularly as it applied to the perils corporations might expect, was based on the data provided by Mother Nature, a much less intelligent actor.  “We understand wind storms, we understand surf.  We understand that they’re pretty particular.  They like the coast,” says Richard Rabs, vice president of insurance and risk at Veolia Environnement North America, a water, waste and energy management company.

“But terrorism doesn’t have any of those types of things.  We can make some assumptions, but we just don’t have the data,” he adds.

The data that any one corporation might be privy to about its terror exposures comprises a sample that’s too narrow to allow for charting out probabilities — and much less manage the risks on the basis of those assumptions, according to Rabs.

Yet narrow as the sample may be, it’s dense with different kinds of data. Terrorist acts that can hurt a company’s employees, operations and financial structure, for example, can be directly aimed at individual companies or hit them indirectly, mistakenly or as a component of a broader target. The attackers can be based domestically or in a foreign country. Their weapons can range from computer viruses to stolen planes to chemicals to nuclear, biological or radiological devices. And so on.

“I don’t think the average risk manager does a lot with terror risk modeling,” Rabs says. “Not because we don’t care about it, but because, at least in my case, we’re not 100 percent convinced that there’s really a good model out there.”

It’s a different story, of course, for the property-casualty insurance industry, which can analyze the probabilities of a strike based on the data culled from client portfolios. Compared to information about natural-catastrophe risks, however, those portfolios provide a dearth of data about terrorism risk, simply because collecting it has seemed a priority for only a dozen years.

In short, terrorist catastrophes remain “black swan” events, devastating outliers that seem predictable only in retrospect. Even for the insurance industry, the brevity of modern terrorism risk has made drawing generalizations about it a fool’s game. “Given the paucity of historical data and diversity and shifting nature of expert opinions, catastrophe models used to estimate terrorism risk are relatively undeveloped compared to those used to assess natural hazard risks,” said Robert Hartwig, president and economist of the Insurance Information Industry, in testimony prepared for a U.S. House subcommittee hearing a few weeks ago. “The bottom line is that estimating the frequency of terror attacks with any degree of accuracy … is extraordinarily challenging, if not impossible in many circumstances.”

Given that figuring out the probability of an attack based on the available data is currently so difficult, how can a particular CFO gain a more precise basis for managing the risks of an attack on his or her corporation?

To be sure, probability — estimating the frequency of an event by comparing different sets of data — is still very much in use. But a consensus for a more eclectic and dynamic approach to modeling terrorism risk appears to be emerging.

Using such an approach, probabilities can be built into computer-simulation models, enabling risk analysts to determine the likelihood that terrorists will act in certain ways given certain scenarios.

Yet no matter how up-to-the minute and precise terrorism risk models are, terrorists are notorious for acting in unexpected ways. To anticipate those ways, companies are increasingly relying on game theory, under the notion that by hunting down villains in hypothetical situations, you might be able to unearth the unexpected.

The Desire of al-Qaeda
From the very beginning of terrorism risk modeling, analysts knew that a different game was afoot than that of trying to assess the likelihood of an earthquake or a tornado. Barely more than a year after the 9/11 attacks, Gordon Woo, a mathematician with Risk Management Solutions who had just created RMS’s first terrorism risk model, was declaring that a “traditional probabilistic approach, such as used for modeling natural catastrophes, is simply not up to the challenge” of quantifying terrorism risks.

In introducing the model in 2002 (two other such firms, AIR Worldwide and EQECAT also introduced models that year), Woo said he used game theory in developing it. “Game Theory helps us model the implications of the complex dynamics between… conflicting factors,” he said at a seminar then. “On one hand, we have al-Qaeda’s desire to maximize the utility of their attacks, and on the other hand, we have to consider their rational response to stepped-up security and counter-intelligence efforts and the constraints of their technological and logistical capacities.”

While such models enabled companies to zero in on protecting what are now called “trophy targets” — highly visible, highly valuable corporate assets like the Sears Tower in Chicago — they did not yet focus on analyzing the actions of terrorists in response to counter-terrorism.

In the intervening years, however, counter-terrorism has outstripped terrorism by a considerable margin, according to Woo. Testifying in September before the House Financial Services Committee, he could say that terrorism risk has become “as much about counter-terrorism action as about terrorists themselves. U.S. terrorism insurance is essentially insurance against the failure of counter-terrorism.”

While many terrorist plots are still being developed, “the vast majority are interdicted through the diligence of western intelligence and law enforcement agencies. Mass surveillance of communication links, and the intrusion of intelligence moles, elevate[s] the likelihood of plot interdiction with plot size,” Woo said.

The reasoning is that the larger the terrorist cell, the more likely it is that information will leak out about it to the authorities. RMS estimates that a plot involving as many as 10 would-be terrorists has only a 5 percent chance of not being caught. “With the intensive global surveillance conducted today by Western intelligence agencies, a plot involving as many as 19 hijackers or bombers would have only a minimal chance of eluding their attention,” Woo testified.

But if the balance of power has shifted to counter-terrorism, the chances are good that terrorists will adjust to that, too. To model the risk under current circumstances and be able predict the likelihood of attacks, government and private-sector analysts are increasingly relying on computer simulations and games, according to Barry Ezell, an associate professor of research at the Virginia Modeling, Analysis and Simulation Center at Old Dominion University.

To explain how such a game-theory application might work, Ezell supplies the example of running a seaport. Such an operation could have many activities running simultaneously: ships, trains and other modes of transport arriving, unloading and loading cargo, and departing.

“You can create that environment in a simulated world,” Ezell says, noting that data generated for all those different activities can be used to simulate the operations of the port. “And then you can inject the effects of different terrorism scenarios into that simulation, and look at the consequences to your port operations.”

At that point, the game player (perhaps in the guise of a “blue team” playing against a terrorist “red team”) can introduce various security measures aimed at averting terrorism. Then the player would rerun the scenarios to see how each security measure “drives down the consequences” of the terrorist plot, according to Ezell.

By playing such games, he adds, “you can discover some black swan events that you would have never learned using other approaches.”

, , ,

4 responses to “Game Theory Sparks Terrorism Risk Modeling”

  1. Very insightful and I will certainly post forward. We face risk everyday of our lives and perhaps by human nature spend much of each day trying not the thing about it… Good strategy for a single person, not so good for organizations, who surprise me with an ‘isn’t this an insurance matter’ attitude.

    It is about analysis, review, process and procedure… and then some.

    • It sounds like the editors had a bare spot to fill when they used this article. Here in the DC metro area, “game theory” has not been referenced since … um… college days for most of us. Check out both Google (west coast) and InQtel / DARPA award lists (East Coast, Arlington VA) for the latest developments in predictive modeling. Or NIST / Germany collaborative efforts. Game theory algorithms long ago gave way to a new genre of real -time prediction, much of which will utilize technology reflected in early stages of squid and related R&D, (see NIST 2012), and incorporate physical elements such as ambient noise monitoring and other pervasive capture methodologies.

      But the real danger to corporations worldwide, is not terrorism – which per US Dept of State’s latest tallies, kills on average 150 – 250 persons worldwide, each year, 2001 being an exception – but executive kidnap, family kidnap, and crime. Drug cartels and syndicated crimes kill far more each year, than the 911 flights combined. And kidnap or threats to family members are much more likely to impact a corporate executive or senior manager, than is terrorism.

      Our own company continues to search diligently, and to support the ongoing and heartbreaking search, for our CEO’s kidnapped child, violently abducted at age 8, from very near CIA HQ in Mclean VA, following extortion threats and demands referencing his mother’s alleged CIA affiliation and White House recognition for Sept. 11 intelligence actions. Evan Carpenter remains missing, and even the US Pentagon, opening its own inquiry into Evan’s disappearance earlier this year, has found no sign of this child. Child or family member kidnap – for extortion or retaliation – remains the most common threat worldwide, facing corporations or government or law enforcement individuals; followed by drug or crime cartel killings. Witnesses to Evan’s kidnap could not stop crying, hysterically. And this was because his mother’s involvement and recognition for efforts in public safety, were not kept confidential. Wherever there is a lot of money or influence involved, there will be a lot of risk.
      This is a significant point for people to remember, because it is a very different motivation, from terrorism. And requires an entirely different mindset to address. And yet, this motive – greed, and its adjacent motive of coercion (desire to compel or prevent a certain action, whether testimony, or providing information, etc) – poses a much greater threat to corporate or government execs than terrorism. And to families.

      Evan is the first child to be hurt – possibly murdered – on US soil because of a parent’s intelligence affiliation or role, in US history. And he was only 8.

  2. Science has moved much farther ahead than this article would indicate. In fact there exists a new science based on probability (versus predictive modeling) that already does and surpasses what is being discussed in this article. It is a scientific breakthrough that was patented by USPTO in January 2012. See USPTO, Complexity Systems Management Method, Patent No.: US 8,103,601 B2. The research behind this patent received the Navigator Award from the Potomac Institute (with ties to DARPA and the IC) way back in 2004. It is always a good idea to have a patent watch or other search mechanism for new technologies before writing articles like these. Otherwise you risk looking a bit silly to real scientists who believe in real research before they write a paper.

  3. In the current environment where companies operate on global foot print the tentacles of terrorism extents beyond the company to the dealers and supplier bases. With lack of data and a robust model to predict the impact,it has become difficult to manage on a global platform.

Leave a Reply

Your email address will not be published. Required fields are marked *