Header  

Posts - Integrating the
Model in the Real
World:

1/13/09: Audit & Risk - Seeing the Forest from the Trees



9/4/08: Security ROI

6/28/08: Boise: A
Terrorist Target?


5/10/01: FFIEC Business
Continuity Planning
Handbook


4/3/08: SOX 404 Audits

Boise and Terrorists - Confusing Impact, Threats and Vulnerabilities

In a 2007 paper in Risk Analysis a group of researchers, funded by the Department of Homeland Security (DHS), released a list of American cities most vulnerable to a terrorist attack. The paper likely would not have received much notoriety, except for the conclusion that Boise, Idaho was the most vulnerable location in the western United States (Boise ranked 10th most vulnerable out of the 132 urban areas assessed). The media had a difficult time fathoming how a relatively remote city such as Boise could rank so high on the list and the bloggers had a field day criticizing the government for wasting money.

The controversy demonstrated how poorly operational risk is understood in the general population. Far too many commentators confused Vulnerability with Threats and Impact and wrongly jumped to the conclusion that the report meant that Boise presented a high risk to the nation from a terrorist attack.

If you apply a methodology such as the Simple Risk Model to the findings, you reach a more reasonable perspective:

  1. Vulnerability - The report focused primarily on the Vulnerability component in the Risk equation based on an assessment of social demographics, natural hazards and infrastructure vulnerability. It did not assess the Impact or importance of Boise compared to the other 131 urban areas, nor did it address whether terrorists would see Boise as a prime target. It did conclude that, if attacked, Boise was at a higher risk of not adequately responding to a disaster compared to other urban areas. This certainly is a profound conclusion for the residents of Boise. Terrorists aside, the report leads to the conclusion that Boise should improve its ability to withstand such Threats as wildfires, storms and flooding. But how should the results of this survey be approached at the national level? Should DHS allocate the same level of resources to protecting Boise as it does to New York City? The report, on its own, does not answer this question. You need to also factor in the elements of Threats and Impact to determine the overall level of risk and where control resources would be most effective..
  2. Threats - The research uses a very structured, mathematical approach to analyzing the data. While the results are an important indicator in the assessment of terrorist risk, it needs to be stressed that terrorists do not follow mathematical models. The human factor in the risk equation is highly unpredictable. Hence the results from studies such as this need to be considered within the emotional, religious and political motivations of the Threats. Is the primary motivation of a terrorist to publicly demonstrate the ability to conduct an attack, destabilize a nation, change public perception, achieve the largest monetary loss, etc.? Once the motivations and the other Capability components are identified and prioritized, the next question is whether an attack on a city such as Boise would achieve this goal compared to an attack on another urban area.
  3. Impact - The reality is that governments have limited resources and those resources, if they are to be efficient and effective, should be focused where the potential for loss (Impact) is greatest. This requires an assessment of which urban areas present the highest risk of a loss to the nation.

It is reasonable to assume that, while Boise would receive a "High" Vulnerability level based on this study, the Threat and Impact Levels would be "Low" or "Medium". When you combine these three elements, you would likely reach a conclusion that Boise is not a prime target and should not be one of the cities in major need of resources to combat terrorism.

It is worthwhile noting that the Transportation Safety Administration (a division within the DHS) does approach risk assessment from the perspective of criticality, vulnerabilities and threats.