The National Infrastructure Protection Plan is replete with references to deterrence, most notably on page 38, which account for the adversary’s ability to recognize the target and the deterrence value of existing security measures. Also, Homeland Security Presidential Directive (HSPD) 7 emphasizes deterrence of Critical Infrastructure (CI) attacks.
Since DHS also advocates quantitative terrorism risk analysis, to support the goal to deter attacks, DHS would benefit from a methodology to quantify the deterrence value of CI terrorism risk reduction investments in a way that complements and enhances existing traditional approaches to risk analysis.
Various elements within DHS have begun efforts to analyze deterrence, or influence adversary decision-making before a CI attack is executed. This necessarily involves considering human factors; specifically, thinking about the adversary’s approach to terrorism planning. For example, the US Coast Guard, in conjunction with the University of Southern California’s Center for Risk and Economic Analysis of Terrorism Events (CREATE), has begun the development of PROTECT, a model intended to help Coast Guard units deter adversary planning by patrolling CI in a random fashion.
Recent work at the Naval Postgraduate School in Monterey, CA has produced a model that measures the resiliency of supply chains, accounting for perceived attacker preferences for disrupting a supply chain and increasing commodity shipment costs. Additionally, DHS Science and Technology (S&T) recently undertook a review of multiple methodological approaches to enhancing traditional risk analysis by incorporating insights from intelligent adversary modeling, which accounts for adversary planning and goals.
In the spirit of this DHS emphasis on deterrence, and assuming DHS components may eventually have to report measures of effectiveness, we propose that CI deterrence can be quantified as the extent to which an attacker’s intent to attack a CI target changes. This change is a result of changes in expected utility from a potential attack on a CI after a CI defender attempts to deter an attack, as compared to what the attacker’s expected utility from a potential attack would have been before the defender deterred. Utility is the value of an outcome.
To read the full article: http://www.hsaj.org/?fullarticle=8.1.12
Source: Homeland Security Affairs, Volume VIII 2012