Publication Date Nov 01, 2004 by Garrick B.J., Hall J.E., Kilger M., McDonald J.C., O'Toole T., Probst P.S., Parker E.R., Rosenthal R., Trivelpiece A.W., Van Arsdal L.A., Zebroski E.L.

The purpose of this report is to suggest a methodology for assessing the risk of catastrophic terrorist attacks, i.e., high consequence attacks that would result in significant loss of life and/or economic damage.

Prepared by A Special Study Group on Combating Terrorism

B. John Garrick, Chair

This report was prepared during a time of unprecedented change in the security of the United States. New laws have been enacted, departments and agencies have been realigned, tens of thousands of new security personnel have been hired, and public awareness of the threat of terrorism has penetrated every community.

The purpose of this report is to suggest a methodology for assessing the risk of catastrophic terrorist attacks, i.e., high consequence attacks that would result in significant loss of life and/or economic damage. While there are numerous examples of quantitative risk assessment and management methods being applied throughout government and the private sector, there has been so far only limited application of the discipline of Quantitative Risk Assessment, which emphasizes the quantification of uncertainties based on the available evidence. The ability to quantify uncertainties is the key to understanding those rare, but critical terrorist attacks that may have catastrophic consequences. The purpose of this report is to present such a methodology.

The broad context to which the methodology is applied for analyzing the risk of terrorism is important. The study group realizes that this is not the final word on how to analyze the risk of a terrorist attack. Rather it is "work in progress." For this reason care is taken: (1) to emphasize the category of terrorist threats having the potential for catastrophic consequences, (2) to suggest a methodology that is general enough to be applied to a variety of terrorist initiated events, and (3) to provide a methodology that has sufficient analytical muscle to dig much deeper than the usual qualitative methods.

The report also emphasizes the need for proper use of all available information in conducting a quantitative risk assessment (QRA) and the need for appropriate organizational responses to create a successful terrorism risk management program. This report is based on well established methods of risk assessment as used in fields such as nuclear power, the chemical and petroleum industry, and more recently, the space program. Applying such methods provides a much-improved basis for making the "right decisions" about how to combat terrorist attacks that could have catastrophic consequences. The primary audience for this report is policy makers and decision makers in government and industry, but the report also reaches out to practitioners.

A major problem in combating terrorism is ensuring that the public and private sector invest resources rationally in ways that actually reduce the threat and vulnerabilities in all segments of society. A logical approach then would be to take timely, investment-wise steps that not only reduce the threat of terrorist attacks occurring, but also lessens the vulnerabilities to attacks that do occur. The implementation of such an effective strategy will depend on leaders in government and industry understanding the risk quantitatively, and out of this understanding, making the right investments and interventions.

The requirements for making and executing good decisions include: (1) a clear understanding of the nature and characteristics of the terrorist threat; (2) a methodology that systematically and quantitatively exposes and assesses the terrorist threats (anticipated attack scenarios) and the vulnerabilities to them; (3) an information base relevant to the issues and decision options being considered; and (4) organizational structures and relationships that facilitate both understanding and implementation of the decisions made.

In support of these objectives this report gives an example application of managing the risks of terrorism using an electrical power grid as a case study. The example involves a combined physical and cyberattack on a regional electrical power grid. The vulnerabilities of the grid are systematically exposed, and corrective actions for reducing the risk are identified. The example is purposefully simplified, to communicate understanding of the basic ideas.

Information and supporting evidence are critical to quantifying the risks of terrorist attacks. The information useful for combating terrorism is often fragmented, limited in scope, and not systematically linked or integrated. Moreover, prior to 9/11, the timely sharing of information was not considered an issue because we did not anticipate a serious terrorist attack. Now we understand, better, that sharing information between government agencies, between government and industry, and with the public is crucial to our security.

An important issue addressed in this report is the challenge of promoting organizational relationships and institutional mechanisms for reducing terrorist threats that are hidden and difficult to detect. Nevertheless, there are many examples of how organizations can, and have dealt with threats especially with respect to technological issues. In the 1940s, resources were mobilized for the Manhattan Project and the building of the atomic bomb. In the 1950s, the private sector joined the federal government in responding to the challenge of Sputnik, and we landed a man on the moon by the end of the next decade. In the 1970s, in response to the challenges of trade in high technologies developed around the world, U.S. companies established partnerships with universities and national laboratories. In the l980s, when U.S. companies appeared to be losing the lead in the integrated circuit industry, federal action was taken to break down antitrust and other legal barriers to cooperation among key industry firms, and SEMATECH, a public-private partnership, was established. One of the challenges facing the nation today is to create organizational relationships that mobilize our engineering, scientific, and technological communities, under government leadership, to counter the terrorist threat.

The study group has focused on methodologies for assessing the risk of catastrophic terrorist attacks. The study group preparing this report included 11 individuals from 10 different segments of our society (see biographies in Appendix C). The study group had staff support as well as two outside consultants. The conclusions are based on unclassified briefings from government, academic, and industry experts (see Appendix D) and from exchanges of views based on study group members' experiences and expertise.

This article was published in a Special Issue of Reliability Engineering and System Safety, Vol. 86, no. 2, November 2004.

The definitive version is available at Science Direct

Download PDF