Nassim Taleb's latest book about "black swans" has garnered a good deal of attention within the homeland security risk community recently. Unfortunately, I have seen some leaders (who probably have not read the book) use the black swan argument as a reason not to do risk analysis. The NYT Sunday Magazine recently provided a good analysis of a similar type of debate that is going on in the financial community (http://www.nytimes.com/2009/01/04/magazine/04risk-t.html).
The arguments against doing homeland security risk management basically go along these lines: terrorists are dynamic and unpredictable. Traditional risk analysis doesn't work because we can't depend on historical data to predict future attacks. Further, traditional risk analysis used in actuarial circles doesn't account for "threat-shifting." In other words, if you implement a risk mitigation against flooding, you don't have to worry about Mother Nature deciding to change tactics and implement a different approach to "attack" an infrastructure or population. With terrorists, you do have to assume that they will adapt to countermeasures and change tactics over time.
I have seen folks within DHS basically use this type of reasoning to say that it is pointless to do risk analysis for terrorism issues. Why try to calculate risks when we will always be faced with black swans?
There are a few ways to answer this question. Most simply, if we don't do risk analysis, then everything is a black swan. A systematic risk management program should thoroughly evaluate all possible risks, and develop mitigation plans/measures that (1) are cost effective in reducing total risk across the spanning set of scenarios and/or (2) focus on the highest risks. Yes, there is always the chance that a risk will be overlooked or missed, but it doesn't make sense to scrap the whole process because of that. Further, if you are looking for mitigation measures that are most cost effective across the spanning set of scenarios, it is highly likely that they will be effective against scenarios that you couldn't come up with.
Another way to answer this question is by looking at the definition of black swan itself. Taleb developed the concept of black swans largely based on his experiences with VaR models. These models do not accurately take into account fat-tailed events (i.e., low probability, high consequence events). However, homeland security risk analyses are typically focused exclusively on fat-tailed events. When defining scenarios to be analyzed in a homeland security risk analysis, we typically only include these low probability, high consequence events. There is some work now to begin looking at how we can combine high probability, low consequence events (e.g., illegal immigration) into the same risk analyses as low probability, high consequence events, but typically these scenarios are analyzed separately. In a way, we are already addressing the concerns of Taleb in our risk analyses.