Beruflich Dokumente
Kultur Dokumente
a r t i c l e i n f o
abstract
Article history:
Received 11 June 2011
Received in revised form
28 May 2012
Accepted 1 June 2012
Available online 15 June 2012
Incorporating an appropriate representation of the likelihood of terrorist decision outcomes into risk
assessments associated with weapons of mass destruction attacks has been a signicant problem for
countries around the world. Developing these likelihoods gets at the heart of the most difcult
predictive problems: human decision making, adaptive adversaries, and adversaries about which very
little is known. A plural modeling approach is proposed that incorporates estimates of all critical
uncertainties: who is the adversary and what skills and resources are available to him, what
information is known to the adversary and what perceptions of the important facts are held by this
group or individual, what does the adversary know about the countermeasure actions taken by the
government in question, what are the adversarys objectives and the priorities of those objectives, what
would trigger the adversary to start an attack and what kind of success does the adversary desire, how
realistic is the adversary in estimating the success of an attack, how does the adversary make a decision
and what type of model best predicts this decision-making process. A computational framework is
dened to aggregate the predictions from a suite of models, based on this broad array of uncertainties.
A validation approach is described that deals with a signicant scarcity of data.
& 2012 Elsevier Ltd. All rights reserved.
Keywords:
Adaptive adversary
Probabilistic risk analysis
Plural analysis
Descriptive modeling of decisions
1. Introduction
Probabilistic risk analysis (PRA) is being used extensively to
address not only the risks of engineered and natural structures,
but also attacks by human adversaries [14]. There has been some
criticism and extended discussions about the appropriateness of
PRA for situations in which the threat is an adaptive, human
adversary (hereafter called an adaptive adversary) [512]. The
focus of this paper is not PRA and whether it is an appropriate
approach for risk analysis involving adaptive adversaries. Rather,
the focus of this approach develops a plural modeling framework
that is similar to suggestions made by Guikema and Aven [13] and
addresses modeling adaptive adversaries for risk analysis so that
the results can be used by whatever higher-level risk analysis
method seems appropriate. The conversation for this paper will
be the threat risk assessments performed by the Department of
Homeland Security for weapons of mass destruction (WMD). In
particular, our illustrations will be for the bio-terrorism risk
assessment, but the approach and comments apply for any risk
analysis of this sort.
The motivations for modeling terrorists as adaptive adversaries will be addressed extensively later in this paper. But to
summarize for now, terrorists are not homogeneous but differ
Corresponding author. Tel.: 1 703 861 3678; fax: 1 703 860 8639.
E-mail address: dbuede@innovativedecisions.com (D.M. Buede).
0951-8320/$ - see front matter & 2012 Elsevier Ltd. All rights reserved.
http://dx.doi.org/10.1016/j.ress.2012.06.002
78
D.M. Buede et al. / Reliability Engineering and System Safety 108 (2012) 7789
D.M. Buede et al. / Reliability Engineering and System Safety 108 (2012) 7789
79
Distributions over
Red preferences.
Total Cost to Red
Change Blue Policy
Recruit - Further cause
Adhere to Religious Teachings
Fig. 2. More detailed representation of the red decision problem. (For interpretation of the references to color in this gure legend, the reader is reffered to the web version
of this article.)
Fig. 3. Detailed simplication of realistic inuence diagram for reds decision problem. (For interpretation of the references to color in this gure legend, the reader is
reffered to the web version of this article.)
80
D.M. Buede et al. / Reliability Engineering and System Safety 108 (2012) 7789
Fig. 4. Reds perceptions of blues decision on countermeasures. (For interpretation of the references to color in this gure legend, the reader is reffered to the web version
of this article.)
D.M. Buede et al. / Reliability Engineering and System Safety 108 (2012) 7789
81
eavDi blnvDi
n
P
eavDj blnvDj
j1
82
D.M. Buede et al. / Reliability Engineering and System Safety 108 (2012) 7789
surprising that aggregating those models results in better predictions than any one of those models operating alone. There is
nothing strictly inevitable about that reasoning, but the empirical
ndings cited above show that reasoning to widely hold true. That
said, two concerns about plural modeling call for comment:
First, plural modeling muddles the relationships of which
assumptions drive which results, which can be deduced by careful
study of an individual model. Yet there is nothing in plural
modeling that precludes the modeler from deducing those relationships in each individual model, then analyzing how those many
relationships map into the aggregated behavior of the plural model.
A second concern involves framing. Any model has a particular
scope and set of assumptions. That scope and those assumptions
have an effect on the descriptive performance of the model, which
we will refer to here as a framing effect. In the case of the
component models considered here, those assumptions include
ones concerning the ranges of alternatives, and value attributes of
those alternatives, considered, and the choice model employed.
Plural modeling in general presents an opportunity to reduce
framing effects by combining models with different framings.
However, the plural modeling presented here has limitations on
reducing those framing effects. That is all the component models
aggregated here share the same range of alternatives and range of
attributes. So, while the plural modeling presented here has the
opportunity to reduce the framing effect of which particular
choice model is used, by aggregating over several choice models,
it does not reduce the framing effects of the ranges of alternatives
and attributes considered.
Certainly time has proven that predicting human decision
making, especially those of humans who are adversaries (e.g.,
terrorists), is quite difcult and fraught with peril. The research
literature on building descriptive models of human behavior
demonstrates that no single approach does very well [33].
For DARPAs on-going Integrated Crisis Early Warning System
(ICEWS) program, Innovative Decisions, Incorporated, the consulting group with which the authors are afliated, constructed a
probabilistic aggregation model to combine the estimates made
by four statistical and two agent based models. The combined
estimates outperformed those of any one other model. To accomplish this IDI characterized the estimates of each model, effectively recalibrating them, and developed a Bayesian network,
through a data mining process, to compute the combined estimates [34].
Section 3.1 describes ensemble approaches for aggregating the
results of multiple models. The next section after that describes
the descriptive models that we believe should be employed in any
plural modeling approach to predicting the decision outcomes of
red. Finally Section 3.3 describes an approach to aggregating
across this collection of descriptive models given that no ground
truth data is available.
Table 1
Aggregation methods.
Aggregation method
Majority vote
Average
Weighted Average
Variance Algorithm [39]
Coherent Approximation Principle [41]
Generative Bayesian [42]
IDI ICEWS aggregator [34]
Multi-response linear regression (MLR) [43]
Aggregation requirements
Priors
Calibration
X
X
History
X
X
X
X
X
X
Coherence
Precision
Dependence
among experts
X
X
X
X
D.M. Buede et al. / Reliability Engineering and System Safety 108 (2012) 7789
n
X
i1
wi vi xi
83
84
D.M. Buede et al. / Reliability Engineering and System Safety 108 (2012) 7789
pp
dpg
dpg 1pg
D.M. Buede et al. / Reliability Engineering and System Safety 108 (2012) 7789
85
the left (long dash and single dot repeated). This is not an
inuence diagram but a diagram showing the ow of inputs (data
and models) and outputs (data results and reports).
The next three gures show the framework details and
illustrate two use case examples of how users might interact
with this framework. At the top of Fig. 7, we see that the
framework includes two user interface modules: the problem
denition query processor and the visualization query processor.
The arrows indicate data ows (dotted lines) and ow of controls
(dashed lines). The double-headed arrows indicate that data or
controls ows in both directions (e.g., query and response). The
rst query enables a user to compose a query that denes what
input data is required, what models are to be used, and what
outputs are desired while resolving conicts that arise such as
more data will be required than is available for those models. This
problem denition query processor requires some controller
capabilities to help resolve those conicts. The visualization query
processor enables interactions with the user once the computations are complete and various visualization formats are being
explored. Here some controller and output processing capabilities
are needed. The supervisor module integrates the problem denition with Monte Carlo simulations that must be performed. The
Monte Carlo simulation module calls the models that are required
and supervises the model computations needed to complete the
problem denition. Each of models is enabled to call the data
needed from the database. Finally the module for aggregation and
results sorts through the model results to create the outputs
desired by the users in the formats of choice. Different shapes are
used for the functional blocks in the computational framework to
make the functional differences clear to the reader.
Fig. 8 presents the rst of two use cases, which show just the ow
of data between the modules of the computational framework. Here
all of the arrows are solid since they represent just one activitydata
ow. This use case addresses the denition of a query and the
computation of models needed to complete the query. This use case
illustrates a clear interaction of the user with the Problem denition
query processor, which interacts with the supervisor, which sets up
the query and enables the Monte Carlo simulation module to carry
out the computations. The results of these computations are then
stored in the database. The second use case addresses pulling these
results out of the database for visualizations to the user.
Fig. 9 presents a use case for the visualization query. Here the
user interacts with the visualization query processor to dene the
format of the subset of results of interest. The visualization query
processor interacts with aggregation and results module so that
the latter module can format the visualizations requested and
Selected
models
Selected
groups & data
Probabilities
of interest
Output
Processing
Capability
Reports
New models
Model Base
New data
Data Base
Custodial Capabilities
Computational Framework
Fig. 6. External interactions with plural modeling framework.
Probabilities
for all TRAs
86
D.M. Buede et al. / Reliability Engineering and System Safety 108 (2012) 7789
User
Interface
Capability
Input
Processing
Capability
Problem Definition
Query Processor
Visualization
Query Proc
Supervisor
Controller
Capability
Aggregation
& Results
Meta data
Monte
Carlo
Simulation
Model
Compu
-tation
Processor
Capability
Output
Processing
Capability
Model Base
Data Base
Custodial Capabilities
Fig. 7. Computational framework for plural modeling.
D.M. Buede et al. / Reliability Engineering and System Safety 108 (2012) 7789
87
88
D.M. Buede et al. / Reliability Engineering and System Safety 108 (2012) 7789
red actions that fully accounts for and communicates all of those
many uncertainties.
The approach described in this paper handles all of these
issues. A plural modeling approach is used to compensate for our
uncertainty in red decision making. Inuence diagrams representing the uncertainties about who red is and what red knows
(perceptions) are used to structure the decision problem for each
of the descriptive decision models employed: MODA, satiscing,
lexicographic reasoning, Prospect theory (two versions), and
level-k game theory. Monte Carlo simulation as well as Luce
normalization and randomized utility methods are used to
produce probability distributions over the red decision outcomes.
Then a computation framework is proposed for building these
analytic methods into any terrorist risk assessment for red WMD
actions.
Finally any modeling effort must address how its results can
be validated. This is especially difcult in problem areas of
predictive modeling for which ground truth data is scarce. This
paper describes a three-step process that involves cause-effect
graphing; the triangulation of a range of data, judgments and
previous modeling results; and face validity assessments that the
approach employs reasonable methods and is not ignoring other
reasonable methods.
In summary, this paper denes the benchmarks against which
any method for modeling adaptive adversary decision behaviors
should be judged.
Acknowledgements
The authors are most grateful to their colleagues for many
suggestions and productive collaboration in this effort: Seth
Guikema, Laura McClay, Casey Rothschild, Jerrold Post. The
Department of Homeland Security Science and Technology Directorate funded this work under Contract No. HSHQDC-10-C-00105.
The authors wish to thank the reviewer for his many insightful
comments.
References
[1] U.S. Nuclear Regulatory Commission (USNRC). Reactor safety study: assessment of accident risk in U.S. Commercial nuclear plants. WASH-1400
(NUREG-75/014). Washington, D.C.: U.S. Nuclear Regulatory Commission;
1975.
[2] Vesely WE. Fault tree handbook. Washington DC: Ofce of Nuclear Regulatory Research; 1981.
[3] Garrick BJ. Perspectives on the use of risk assessment to address terrorism.
Risk Analysis 2002;22(3):4213.
[4] Ezell B, Bennett S, von Winterfeldt D, Sokolowski J, Collins A. Probabilistic risk
analysis and terrorism risk. Risk Analysis 2010;30(4):57589.
[5] Department of Homeland Securitys Bioterrorism Risk Assessment: A Call for
Change. Committee on methodological improvements to the department of
homeland securitys biological agent risk analysis, National Research Council
of the National Academies. Washington, DC: The National Academy Press;
2008.
[6] Cox Jr LA. Improving risk-based decision making for terrorism applications.
Risk Analysis 2009;29(3):33641.
[7] Wein L. Homeland security: from mathematical models to policy implementation. Operations Research 2009;57:80111.
[8] Parnell GS, Smith CM, Moxley FI. Intelligent adversary risk analysis: a
bioterrorism risk management model. Risk Analysis 2010;30(1):3248.
[9] Brown G, Cox A. How probabilistic risk assessment can mislead terrorism
analysts. Risk Analysis 2010;31(2):196204.
[10] Ezell B, Collins A. Letter to editor in response to brown and cox, how
probabilistic risk assessment can mislead terrorism analysts. Risk Analysis
2010;31(2):192.
[11] Brown GG, Carlyle WM, Harney RC, Skroch EM, Wood RK. Interdicting a
nuclear-weapons project. Operations Research 2010;57(4) 896877.
[12] Rios J, Rios Insua D. Adversarial risk analysis for counterrorism modeling.
Risk Analysis 2012;32(5):894915.
[13] Guikema SD, Aven T. Assessing risk from intelligent attacks: a perspective on
approaches. Reliability Engineering and System Safety 2010;95:47883.
D.M. Buede et al. / Reliability Engineering and System Safety 108 (2012) 7789
89
[53] Rothschild C, McLay L, Guikema SD. Adversarial risk analysis with incomplete
information: a level-k approach. Risk Analysis 2012;32(7):121931.
[54] McLay L, Rothschild C, Guikema SD. Robust adversarial risk analysis: a level-k
approach. Decision Analysis 2012;9(1):4154.