Article Preview
TopIntroduction
In a world of uncertainty, security is very much on people’s minds. Given the constant threats to lives and property, especially critical infrastructure, these are pragmatic concerns, yet security itself can be imperfect and uncertain. Terrorist attacks, and sweeping programs to prevent them, highlight the tradeoffs between economically balancing security and privacy.
The political system, however, invites people to ignore or deny these tradeoffs (Michaels, 2013). Some politicians demand assurances of safety, as though safety were an all-or-nothing quality of complex systems. Other politicians get elected by saying they will do everything possible to promote security, even though we know that literally it does not make sense to do everything possible. For example, the government could ban all sales of nitrogen fertilizers (Bartlett, 2004) because of their potential diversion to bomb-making uses.
This is not only unlikely, but also impractical because of the impact on agriculture and food production. Still, leaving nitrogen fertilizers on the market means that not everything possible has been done to increase security. Scarcity forces a society to have less than the unconstrained optimum of many goods and services, and security is no different.
Statement of the Problem
Little progress can be made in having informed discussions about security as long as security is presented as a binary condition, safe or unsafe. This paper presents a qualitative model to promote thought about security, how it is achieved, and how much of it is worthwhile. As public understanding of the true nature of security grows, at some point public figures will be able to speak in much more realistic terms.
The Nature of Security
Security is different from many other products and services. A manufacturing firm makes its money by selling a good, but the security with which it operates is often an afterthought at best. When firms increase their security, the positive costs often offset the usually unobserved benefits.
Therefore, security can become a casualty of the bottom line. If security is working well, then a firm has a very low probability of experiencing the adverse events it is guarding against. However, when security works best, it is often taken for granted by managements and customers alike, who may only observe a higher cost or price tag.
The output of a security system is not easy to characterize, but it can be summed up in a distribution of losses by examining combinations of probabilities and consequences. More security means, in some sense, a smaller distribution of probabilities and consequences.
Expected value can be used to make these comparisons by simply multiplying the probability of an event occurring by the size of the loss. In a very simple example where there is a 1/10 chance of a security breach properly valued at $1000, the expected value of the damage is $100 (1/10 x $1000). A risk-neutral decision-maker would be willing to spend up to $100 to prevent the breach.
In theory it would be simple to multiply each adverse event’s probability times its consequences, getting an expected value to be summed over all possible events. However, such a computation would be misleading, for reasons examined later in this paper.
For now, security can be taken to be a continuous variable with higher and lower amounts understood by participants even if it is not precisely quantified. Regardless of how we choose to measure the output of a security system, it is clear that no system can simply be declared safe or not safe.
Methodology
The authors critically review the counter terrorism literature and best-practices to inform the development of an improved risk management security model. An equilibrium model is constructed, based on two fundamental functional components: a protection profile showing the costs of achieving security against terrorism, and a damage profile showing the benefits of varying levels of security