The Risk Communicator

The Monthly Newsletter of the
Security Analysis and Risk Management Association

January 2009

In This Issue
George Foresman Joins the SARMA Board
SARMA Conference Scheduled
Dillon-Merrill: The Effect of Near-Misses on Threat Perception
Lachow: The Myth of Cyber Terrorism
Key Reports: GAO on HSGP, Nuclear Security Spending, and More
Job Board
Write for Us
Have you seen a story you would like to see included in The Risk Communicator? Do you have a research project you want to share with your colleagues? If so, please contact the newsletter staff at newsletter@sarma.org.
Legal Matters
Copyright 2009
SARMA
All Rights Reserved

The views expressed in The Risk Communicator reflect the views of their authors, and do not necessarily reflect the views of SARMA, the US Government or the employers or clients of the contributors.
A Note from the Editor
To Constant Contact, and Beyond...

Notice something different? This month, SARMA completed its transition to Constant Contact for all of its membership communication activities. From your perspective, it means a cleaner, easier-to-read newsletter; from ours, it means an improved way of sharing information with members and getting feedback about what we are doing right and what you'd like us to improve. (Keep an eye out for a survey on this exact point.)

A fresh newsletter also allows us to shine a spotlight on the contributions of our members. You know better than anyone else what risk management and security analysis professionals are talking about, and it's your insight, not the editorial staff's, that your colleagues are most interested in. If you have a story idea, an essay or some original research you'd like to contribute to The Risk Communicator, please do not hesitate to contact me. And while you're at it, let me know what you think of the new look.

Finally, I want to thank our two outside contributors to this month's issue, Drs. Robin Dillon-Merrill and Irving Lachow. Both are doing some outstanding work in their respective fields, and SARMA is proud that they chose The Risk Communicator to help share their most recent findings with the risk management community. We look forward to bringing you more of their research in the near future.

Best,

Avi Klein
Editor

President's Corner

A Warm Welcome for George Foresman, Our Newest Board Member

Happy New Year to one and all! I truly hope that each of you was able to spend time with your loved ones to celebrate the season and enjoy some well-deserved rest.

Now that the holiday season has come and gone, it's time for SARMA to get back to work, and I am pleased that we are able to start off the new year by making a significant addition to the SARMA Board of Directors. It gives me great pleasure to announce that the current Board members have unanimously elected George W. Foresman, former undersecretary for preparedness at the U.S. Department of Homeland Security (DHS), to fill the vacancy created by the recent departure of Chel Stromgren. 

George has a long and distinguished record in the homeland security risk management field, beginning with his service as a member and vice-chair of the 1998 Advisory Panel to Assess Domestic Response Capabilities Involving Terrorism, commonly known as the Gilmore Commission. Before joining DHS, he also served as assistant to the governor of Virginia for commonwealth preparedness, and as Virginia's homeland security advisor, a cabinet-level position in the administration of Governor Mark Warner. All told, George possesses a quarter century of government experience.

As Governor Warner's homeland security advisor, George developed a reputation as an articulate and pragmatic voice for state and local homeland security needs. These skills made him a perfect choice to lead the brand new preparedness directorate at DHS, where, as undersecretary, he was charged with working closely with state, local and private sector officials to ensure the most effective application of the nation's homeland security resources. In this capacity, he became a leader in the effort to transform the department's grant programs into risk-informed instruments of national policy.

Now in private practice, George has graciously accepted the mantle of service once again. With his many connections to federal, state and local policymakers, and his first-hand knowledge of the promises and challenges associated with public and private sector leaders using risk as a key decision support tool, I know that he will be a great asset in helping to shape SARMA's future. Please join me in welcoming George to the SARMA leadership!

Cheers,

Kerry Thomas
President

News
Speakers and Volunteers Needed for June SARMA Conference

The 3rd Annual Conference on Security Analysis and Risk Management is just around the corner, and SARMA is counting on your participation to make it the most successful gathering to date. Whether it's as a speaker presenting your latest research findings, an organizer helping us design the program, a sponsor or a vendor, you can play an important role in promoting SARMA and the risk management and security analysis professions.

Scheduled to take place from 16-18 June 2009 at George Mason University's Arlington, VA campus, the conference is the only national event organized by security risk analysts and managers for their peers in government, industry and academia. Last year, more than 200 people from around the world attended, including 50 speakers and representatives from all levels of government and from agencies around the world.

If you'd like to participate, please contact the SARMA Conference Committee for additional information. Details for prospective speakers can be found here.

Join SARMA on LinkedIn

In little over one month, dozens of your security analysis and risk management colleagues have joined SARMA on our new LinkedIn page. Participants are networking, swapping stories and discussing critical issues. Why not add your voice to the dialogue?

To create an account, go here. If you already have an account, you can go directly to the SARMA group here.

See you online!


Research and Analysis
How Near Misses Alter Perceptions of Risk
by Dr. Robin Dillon-Merrill

Following catastrophic natural disasters, people often ask why individuals did not evacuate and why government and first-responder organizations were so appallingly underprepared. A consistent conclusion of hurricane evacuation studies is that "evacuation behavior is a consequence of the perceptions which people form about risk prior to taking protective action" (Fitzpatrick and Mileti, 1991; emphasis ours). Our research focuses on the linkage between prior experience and perceptions of risk, whereby the degree of success people feel in surviving prior disasters heavily influences their perceptions of the risk involved in these decisions and thus how they respond to warnings of subsequent impending disasters.

When people, by chance, escape prior disasters, they have experienced a "near-miss." We define two different types of near-misses: 1) a didn't near-miss, wherein a prior near-miss is interpreted as "a failure that did not happen"; versus 2) an almost near-miss, wherein a prior event that did not happen also has some characteristic that leads it to be interpreted as "almost happened." We believe that didn't near-misses will bias individuals towards risky future decisions, while almost near-misses should attenuate this bias.

We explore the robustness of this near-miss phenomenon by testing how the two different types of near-misses influence both the general population -- in this case, people who currently live in New Orleans (67 percent of our sample evacuated for Hurricane Katrina) -- and a sample of professional emergency managers, including those solicited in the December 2008 issue of The Risk Communicator.

In the studies, participants read a short statement explaining that they lived in an area subject to hurricanes, and that the National Weather Service was tracking a hurricane that had a 30-percent chance of hitting their community with moderate force within 36 hours. They were further told that they lived alone and had no pets, and that to evacuate they would incur a sure loss of $2,000. If they stayed, however, the collateral damage of a moderate hurricane (damage above and beyond that to the house itself, such as to a car or to themselves) would add up to $10,000.

Although all participants faced the same dilemma, they varied in some of the life experiences they were assigned to consider.

Participants assigned the didn't near-miss condition read:

You have lived in this house through three prior storms similar to that forecasted and you and your neighbors have never had any property damage.

Participants assigned the weak almost near-miss condition read:

You have lived in your house through three prior storms similar to that forecasted and have never had any property damage. In the last storm, however, a tree fell on your neighbor's car and completely destroyed it.

Participants assigned the strong almost near-miss condition read:

You have lived in your house through three prior storms similar to that forecasted and have never had any property damage. In the last storm, however, a tree fell on your neighbor's house, destroying the second story of the house, and killing your neighbor.

Participants assigned the no near-miss information (control) condition read:

You have no specific data regarding past hurricane impacts to your property.

Additionally, after the evacuation task decision was completed, we asked the participants a series of gamble questions, one of which was isomorphic (identical in form) to the hurricane evacuation decision:

You are stuck with a losing gamble. If you take the gamble, you have a 30-percent chance of losing $10,000 and a 70-percent chance of losing nothing ($0). You can avoid the gamble by paying $2,000 up front. Do you accept the gamble or pay the $2,000?

This gamble was hidden among three other unrelated gambles to disguise the similarity of the tasks. We discarded the results from those unrelated gambles.

The graph below shows the percentage of participants in each condition who chose to evacuate, and -- as can be seen from the graph -- participants with didn't near-miss information evacuated significantly less often than those in the other conditions:


Dillon Merrill Graph3

The results affirm our contention that near-misses can prime a particular mindset. Results show that even a weak almost near-miss can make participants choose the risk-averse option and decide to evacuate despite the sure loss. Moreover, the stronger the almost near-miss, the more likely participants are to choose the risk-averse option and evacuate. Although the expected value for all of these decisions is the same, the context surrounding them influences the choices people make. Specifically, the type of near-miss highlights a particular aspect of the situation that is either positive or negative, which then appears to prime either complacency or mitigation action.

In addition, our results show that people with didn't near-miss information make riskier choices than those without this information, because the near-miss events lead them to perceive a lower level of risk regarding the decision situation. The interpretation of near-misses as evidence of a system's resiliency means that too many potential failures go under-diagnosed, and few will invest in mitigation or protection actions the next time.

Our results also show that almost near-miss information (i.e., reminding people of a system's vulnerability) can push people back toward decisions with lower risk. This is an important finding for organizations that must communicate risks to the public and invest in protective actions. 
 
Dr. Robin Dillon-Merrill is an Associate Professor in the McDonough School of Business at Georgetown University and a founding director of SARMA.

Commentary
Cyber Terrorism: Risk or Menace?
by Irving Lachow, Ph.D.

Cyber terrorism is often portrayed as a major threat to the United States. Articles, books and reports discussing the subject often conjure images of infrastructure failures, massive economic losses and even large-scale losses of life. Fortunately, the hype surrounding this issue outpaces the magnitude of the risk. Terrorists use the Internet extensively, but not to launch massive cyber attacks. In fact, while there is clear evidence that terrorists have used the Internet to gather intelligence and coordinate efforts to launch physical attacks against infrastructure targets, there has not been a single documented incident of cyber terrorism against the U.S. government. For those in the risk management and security analysis business, a clear-eyed and honest appraisal of the threat is critical.

What exactly do I mean by "cyber terrorism"? My preferred definition is borrowed from Dorothy E. Denning:

"... a computer based attack or threat of attack intended to intimidate or coerce governments or societies in pursuit of goals that are political, religious, or ideological. The attack should be sufficiently destructive or disruptive to generate fear comparable to that from physical acts of terrorism. Attacks that lead to death or bodily injury, extended power outages, plane crashes, water contamination, or major economic losses would be examples... Attacks that disrupt nonessential services or that are mainly a costly nuisance would not."
(Emphasis added.)

Denning's definition makes clear that cyber terrorism contains all the features of traditional terrorism, but is carried out via cyber rather than kinetic means (although the ultimate effects of the cyber attack could be kinetic). It is also important to notice that Denning includes an important caveat regarding the severity of the cyber attacks: there is a difference between creating a nuisance (e.g., email going down for five minutes) and generating terror (e.g., an air traffic control system being shut down for hours). The latter is much harder to accomplish than the former, and far more costly and disruptive.

One of the reasons that cyber terrorism is perceived to be such a major threat is that the term is often misapplied to a wide range of activities. This error occurs among experts as well as lay-people. For example, some security professionals stretch the definition of cyber terrorism to include physical attacks on information technology systems. This is misleading and unhelpful. As Denning makes clear, cyber terrorism refers to the means used to carry out the attack, not to the class of target. Otherwise, the term cyber terrorism loses all value and analyses of cyber terror threats become diffuse and lacking in rigor.

The failure of security professionals to properly define their terms has had the predictable result of contaminating popular news reporting. A typical example is found in a 2004 USA Today article, "Cyberterror Impact, Defense Under Scrutiny". The article begins with this sentence: "A terrorist threat is out there -- and not just against physical infrastructure." However, a few paragraphs later a security expert is quoted explaining that "Al-Qaeda doesn't see cyberterrorism as achieving significant military goals." The article then states that other groups and nations are looking at using cyber terrorism to damage the United States and provides this vague quote from a senior government official: "There are a large number of threats: hackers, cybercriminals, other countries."

Reading this article, it is not clear what exactly cyber terrorism refers to. The article makes the case that hackers, criminals and nation-states are engaging in cyber terrorism while terrorist groups are not. One is left wondering what kind of cyber terrorism is ignored by terrorists and used by everyone else engaged in hostile activities on the Internet. There are many other examples of this confusion in terminology. To cite just one more: an article found on the Council on Foreign Relations website describes the cyber attacks conducted against Estonia in 2007 as being a case of "cyber espionage" when in fact the attacks were clearly focused on shutting down systems rather than stealing information.  

Despite this confusion, in the final analysis it is far more important to pay attention to what things are, rather than focusing on what they ought to be called. Seven years after September 11, we know that Al Qaeda has expressed interest in cyber terrorism properly defined, although such attacks are beyond its capabilities at present. Nevertheless, the Internet plays a critical role in terrorist operations world-wide by providing the means for group members to plan and conduct physical attacks, to spread their ideology, manipulate the general public and the media, recruit and train new terrorists, raise funds, gather information on potential targets and control operations.

As a result, terrorist groups can easily operate on a global front and use the networked nature of cyberspace to become both more effective and robust. Technological and demographic developments portend a future in which the power of individuals and groups continues to grow relative to that of the nation-state. The United States will need to confront this reality if it wishes to thrive in the coming century.

The good news is that relying on the Internet is a two-edged sword for terrorist organizations: despite the many benefits associated with using the Internet, this technology also carries liabilities. For example, terrorist reliance on websites and discussion forums allows outsiders to monitor their methods and track trends. It also creates the opportunity for outsiders to pose as insiders in order to provide misinformation or simply to create doubt among the terrorists about whom they can trust. The bad news is that terrorists are doing their best to minimize the liabilities associated with heavy reliance on the Internet. They are quick to learn from mistakes and to disseminate "best practices" on how to defeat the tactics used by intelligence and law enforcement agencies.

It is critical for the United States to combine its cyber defense efforts with a well-developed strategy for countering terrorist use of the Internet. Such a strategy must be well resourced, developed and executed in an interagency context, and flow coherently up and down the chain of command. It must address the "war of ideas" occurring between extremist groups and the West, and it must attempt to counteract the operational effectiveness that these groups gain by using the Internet. And it must not be distracted by unlikely threats and confused definitions. None of this will be easy, but it must be done.   

Irving Lachow is a Senior Research Professor at the National Defense University's Information Resources Management College. This article is based on his "Cyber Terrorism: Myth or Menace," in Franklin Kramer, Stuart Starr and Larry Wentz, eds., Cyber Power (Dulles, VA: Potomac, forthcoming). Readers may also refer to Irving Lachow and Courtney Richardson, "Terrorist Use of the Internet: The Real Story," Joint Forces Quarterly, 45 (2nd Quarter, 2007), pp. 100-103.

Key Reports
Homeland Security Grant Program Risk-Based Distribution Methods

In this December 2008 briefing for Congress, GAO reviews the methodology used by DHS and FEMA in awarding HSGP grants and finds DHS has "generally constructed a reasonable methodology to assess risk and allocate funds." However, GAO notes that DHS has not taken action on an earlier recommendation that the department "formulate a method to measure vulnerability that captures variations across states and urban areas, and apply this vulnerability measure in future iterations of this risk-based grant allocation model."


Nuclear Security Spending: Assessing Costs, Examining Priorities

Stephen I. Schwartz and Deepti Choubey's 2009 report for the Carnegie Foundation finds that of the $5.2 billion in nuclear weapons-related funding in 2008, less than $700 million, or 1.3 percent, was dedicated to "prepare for the consequence of the use of these weapons, including continuity of government operations, training expert teams to detect and defuse weapons, and developing methods to trace the original source of materials used in such weapons."


DHS' Role in State and Local Fusion Centers is Evolving

This December 2008 report from DHS' inspector general finds that "challenges remain with internal Department of Homeland Security coordination, aligning fusion center activities and funding with the department's mission, and deploying personnel to state and local fusion centers in a timely manner." According to the inspector general, communication between the fusion centers and DHS remains a significant problem.


Job Board
Management and Program Analyst (Risk Analyst)

National Protection and Programs Directorate
Vacancy Announcement #: DHSHQRA08-5147
Who May Apply: Public
Pay Plan: GS-0343-13/15
Appointment Term: Permanent
Job Status: Full-Time
Opening Date: 11/12/2008
Closing Date: 03/31/2009
Salary: From 82,961.00 to 149,000.00 USD per year