Improving Antiterrorism Risk Analysis
Several important risk analysis methods now used in setting priorities for protecting U.S. infrastructures against terrorist attacks are based on the formula risk = threat × vulnerability × consequence. This chapter identifies potential limitations in such methods that limit their ability to guide resource allocations to optimize risk reductions. After considering specific examples for the Risk Analysis and Management for Critical Asset Protection (RAMCAP™) framework used by the Department of Homeland Security, we address fundamental limitations of the product formula. These include its failure to adjust for correlations among its components, the nonadditivity of risks estimated using the formula, its inability to use risk-scoring results to allocate defensive resources optimally, and the intrinsic subjectivity and ambiguity of the threat, vulnerability, and consequence numbers.