The document discusses the challenges of assessing and planning for risks facing the United States. It notes that there is no consensus on how to define or rank risks. Probability is difficult to determine for risks like terrorism that involve human behavior, compared to more predictable natural disasters. While scenarios can be imagined, the human mind is biased towards recent events. Overall, the document argues it is difficult to take a truly risk-based approach to planning due to these challenges around defining scenarios, determining probabilities, and overcoming cognitive biases.
But as the post-Katrina flood waters rose and then fell, it became clear just how daunting a task that would be. Why, wondered an enraged public, was the country so ill-equipped to deal with the situation in New Orleans, when the flooding of that city had long been one of the biggest risks identified by the Federal Emergency Management Agency? And how can citizens be sure that the country isn’t neglecting preparations for whatever man-made or natural disasters might be next on the horizon?
CSO set out to explore those risks and get a read on what the government and private sector are doing to address them. In talking with the nation’s top experts about the country’s risk terrain, post-Katrina, what we found was not encouraging. Not only is there nothing approaching agreement about what those risks are, but experts have not even decided on some basic definitions.
“You don’t have agreement to, ‘What is risk?’” notes Randall Yim, former director of the Homeland Security Institute, a federally funded research center in Arlington, Va. “And if you asked 10 different people about the country’s biggest risks, they would probably rank 10 different priorities, even within a region.”
More confounding, those people’s answers might be on completely different planes: While one person might rank an avian flu pandemic as a top risk, another might speak more philosophically about the possibility that in an effort to improve security, the United States will destroy the very liberty it is trying to protect.
In light of this lack of consensus, we decided to pick apart the three components that make up a standard risk equation—scenario, probability and consequence—and talk about how they each apply to the nation’s risks. What we found is that the first component, scenario, challenges the imagination; and the second, probability, defies knowledge. But the third component of risk—consequence—is the outcome of the first two and the most important place to focus one’s energy. Here’s why.
January 2006 www.csoonline.com
Risk Analysis
Three Not-to-Miss Risks
Risk Management Solutions, founded at Stanford University, does complex economic risk modeling for the insurance industry. We spoke with Chief Research Officer Robert Muir-Wood about what he views as the biggest risks facing the United States. Here’s what he had to say.
1. A flu pandemic
“We haven’t considered as much as we might have the degree of economic and social disruption that an event like an influenza pandemic would cause. It’s hard to find an equivalent except a little bit in how people respond to terrorism: You have a fear of something, and you want to take action as a result of that fear. With influenza, that fear is probably any gathering of people. Eventually, I would imagine that most people will refuse to go to work or send their kids to school, and they’ll refuse to take air flights. The people who work in supermarkets, will they turn up? Will the people who operate Internet systems turn up? I don’t know.
“If your perspective is corporate security or network security, the questions are: Who is part of your critical workforce, and what can you do to ensure that they keep turning up to work? The plan should work on the premise that some outbreak has started and rational people are going to think, I do not want to go where other people are unless I’m protected or inoculated in some way.”
2. New flood zones
“Another big risk is that we are in a phase of high activity and high severity of hurricanes. In sections of the Mississippi coast, buildings were effectively destroyed farther inland than the 500-year flood plain. The problem is, all the assumptions about flood zones are based on how likely hurricanes are and how intense they are. That may all need to be reevaluated.
“There’s a big argument going on about the climate change dimensions of this, but you don’t need to believe in climate change to recognize that there are more hurricanes and more intense hurricanes occurring at present. Hurricanes have changed their activity in the past. There was a high cycle in the 1950s, and a very low period in the ’60s and ’70s and ’80s, and then the activity has switched on again since 1995. Maps of the coastal flood zones were based on the frequency of hurricanes in a period of low hurricane activity, and these flood zones will now need to be redefined and buildings rezoned.
“If I was based along the coast and just outside the defined flood zone, I’d be concerned that I might be rezoned or that a storm might hit before the rezoning happened. A corporation may well need to be ahead of the government’s thinking on this.”
3. A massive cyberattack
“The third big risk would be some kind of cyberattack. This could be something that brings the network down. It could also be a virus or worm that corrupts data very slowly so that you don’t notice it; by the time banks realize the corruption is going on, they have no record that’s uncorrupted. The fact that we have a Microsoft monoculture makes us particularly susceptible. If you just have the one species of tree, you could have a disease that wipes out the whole lot. We effectively have something like a monoculture in the systems area.
“The people who have the best understanding of this risk are the people who have the best understanding of how you bring down systems. You almost need a devious imagination.”
–S.D.S.
Scenario: Why planners need to overcome the availability bias
In risk management, as in the real world, a scenario is simply what might happen: Terrorists might hijack commercial airliners and fly them into buildings. The power might go out in a huge swath of the United States. A Category 4 hurricane might hit a major metropolitan area. When experts talk about the country’s biggest risks, like these, they’re actually talking about low-probability, high-consequence scenarios—things that aren’t likely to happen in any given year, but that, if they did, would be extremely damaging. The problem is, the human mind just isn’t equipped to deal with this type of risk.
“If we handled low probability and high consequence well, nobody would buy a lottery ticket,” says John R. Harrald, director of the Institute for Crisis, Disaster and Risk Management at The George Washington University.
Risk perception experts call this the availability bias. “Psychologically, if something hasn’t happened, we focus on the low probability and say we aren’t going to worry about it,” Harrald says. “Once it has happened, we focus on the consequence. We plan for things we can either remember or imagine.” For instance, when Harrald asks people in Maryland who live east of the Chesapeake Bay whether their house is in danger of flooding, the answer is often: “‘It didn’t flood in [Hurricane] Isabel.’ That’s their mark. It’s a very natural reaction,” he says.
This is why the National Oceanic & Atmospheric Administration (NOAA) says the United States has a “hurricane problem”—not because it gets hit by hurricanes, but because 80 percent to 90 percent of Americans who live in hurricane-prone areas have never experienced the core of a severe hurricane. “Many of these people have been through weaker storms,” according to NOAA.gov. “The result is a false impression of a hurricane’s damage potential. This often leads to complacency and delayed actions, which could
[Photos by Reuters. New Orleans, Dec. 1: Viewing damaged homes three months after Katrina hit. Indonesia, Oct. 20: Coping with a landslide in the Aceh province of Sumatra. Baokang, China, Nov. 15: Fighting the bird flu.]
When Michael Chertoff took over 11 months ago as the secretary of the Department of Homeland Security, he vowed that the department would adopt a risk-based approach. No one really argued. It made sense to focus resources on the country’s biggest risks.
If travelers want to know the probability of a hurricane striking during the week of their Florida time-share, an NOAA FAQ will help them do the math.
Floods, too, are predictable. That’s why the Army Corps of Engineers creates detailed flood maps that delineate areas likely to flood every 100 years or every 500 years. (Although even those predictions, as Muir-Wood notes in “Three Not-to-Miss Risks,” Page 33, may be called into question.) Flood modeling is why the New Orleans levees were built to certain heights. It’s also why property owners in some areas have to purchase flood insurance to obtain financing.
Likewise, the spread of any given disease is relatively predictable. If experts know how transmissible a disease is and how people move around, they can model very effectively how quickly it will spread. If they also know the fatality rate of the disease, they can model the number of fatalities likely to occur amongst age groups. This is the kind of disease modeling that has scientists so alarmed about a scenario in which H5N1 avian influenza mutates and spreads easily from human to human.
It seems logical to presume that the Department of Homeland Security can and should plan mathematically for events of this type. But here’s the rub: DHS has to simultaneously deal with natural disasters and domestic terrorism. And terrorism is an entirely different story. It’s the old apples to oranges analogy. In fact, it’s more like apples to, oh, snow tires.
“With things of a human origin, it’s harder to objectively figure out the probabilities,” says Baruch Fischhoff, professor of social and decision sciences at Carnegie Mellon University and current president of the Society for Risk Analysis. “To the best of my knowledge, people are not doing credible analysis on the risks facing this country, and if they were, who’s to know that those are static probabilities?”
Terrorists learn and adapt. They can improve the probability that they will launch a successful attack in the United States through research and practice. Similarly, the United States can decrease the probability that a terrorist attack will occur—by shutting down air travel in the days after 9/11, for instance, or by creating a “no-fly” list that prohibits certain people from commercial flights. Given the range of human behavior, trying to pin down the resulting probability is next to impossible.
Figuring out probabilities is also intensely political. Just consider the debate about the role of risk in divvying up federal DHS funds. Uproar over the funding formula started when an early budget proposal would have given landlocked Wyoming seven times as much funding per capita as New York State, and it hasn’t stopped yet.
Even trying to figure out terrorism probabilities is intensely political. Retired Adm. John Poindexter’s controversial FutureMAP proposal, part of the disbanded Total Information Awareness program, would have established a futures exchange where terrorism experts could “bet” on national security scenarios, thus yielding probabilities about which were considered the most likely. Critics railed against this program as a “terrorism betting parlor,” and the project was canned.
This inability to figure probabilities opens the door for spending on terrorism to be driven not by logic, but by mainstream media, hysteria, local economics—and, of course, politics.
The good news, if you can call it that, is that determining probabilities with very low numbers may not necessarily be worth the time anyway. “You have something called ALE: average loss expectancy,” says security pundit Bruce Schneier, CTO of Counterpane Internet Security. “You multiply the probability of an event happening with the amount of damage you’ll incur, and that’ll tell you how much to spend on security. When you deal with events that have a very, very high damage [amount], and a very, very low probability of
Radiological dispersal devices. Terrorists detonate dirty bombs in three separate but regionally close moderate-to-large cities.
Chemical attack: chlorine tank explosion. Terrorists infiltrate an industrial facility and rupture a chlorine storage tank, releasing a large amount of chlorine gas.
Cyberattack. Terrorists conduct cyberattacks on critical infrastructures using a sophisticated network of bots built over a long period of time.
Natural disaster: earthquake. A 7.2-magnitude earthquake and then an 8.0-magnitude aftershock shake a metropolitan area, affecting 10 million people.
Bombing using improvised explosive devices. Terrorists detonate multiple bombs at a crowded sports arena and then the lobby of the nearest hospital’s emergency room.
Disease outbreak: pandemic influenza. A new and severe respiratory illness sweeps the country.
Biological attack: plague. Terrorists release pneumonic plague at a city’s airport, sports arena and major train station.
Chemical attack: blister agent. Terrorists use an airplane to spray chemical blister agents on a packed college football stadium.
Biological attack: food contamination. Terrorists infiltrate a food plant and contaminate beef with anthrax, which is then shipped to three states.
Biological attack: foreign animal disease. Terrorists infect farm animals with foot-and-mouth disease at specific locations.
Chemical attack: toxic industrial chemicals. Terrorists land several helicopters at oil refineries and launch rocket-propelled grenades and detonate bombs.
result in the loss of many lives.”
This availability bias is also why the country spent the past four years focusing on scenarios involving terrorism, after the so-called failure of imagination that preceded 9/11. What have politicians and citizens done for the past four years if not imagine terrorism? And it’s why many observers are now questioning whether the country should have spent that time planning not for terrorism but instead for other potential catastrophes. Like a deadly pandemic. Or major earthquake. Or hurricanes.
“One of the key dangers is that people are always focusing on the last catastrophe,” says Robert Muir-Wood, the London-based chief research officer for Risk Management Solutions, which does economic risk modeling for the insurance industry. “It’s a big challenge to keep everything in perspective and not be biased by what has last happened.”
A true risk-based approach means that, when all else is equal, one must override the availability bias and focus on the most likely future scenarios. Unfortunately, figuring out the probability of any given scenario raises its own set of complexities.
Probability: Why it works better for natural disasters than for terrorism
The probability component of risk is simply how likely it is that a scenario will come to pass. From this standpoint, Hurricane Katrina wasn’t just predictable; it was almost inevitable. The Gulf of Mexico has been producing hurricanes since long before New Orleans was settled, and it was only a matter of time before a Category 4 storm hit the city. (Indeed, it’s only a matter of time before a Category 5 storm hits the city directly; Katrina was downgraded shortly before landfall.)
When it comes to hurricanes, predictions abound—tangible, science-based predictions. Based on activity between 1944 and 1999, for instance, NOAA data shows that New Orleans has a 40 percent chance of getting hit by a hurricane or tropical storm in any given year. For Miami, and Cape Hatteras, N.C., two of the riskiest locations in the United States, the probability is 48 percent.
14 Nightmare Scenarios
What does DHS view as the country’s biggest risks? A hint came last April, with a widely distributed draft of a report for use in national and local planning. (DHS has not released the final version.) “National Planning Scenarios,” a dire 157-page report, listed 14 unranked scenarios that collectively demonstrate the need for a far-reaching range of response capabilities.
Natural disaster: hurricane. A Category 5 hurricane makes landfall in a major metropolitan area.
Biological attack: aerosol anthrax. A tractor-trailer exiting a large city at rush hour disperses 100 liters of anthrax.
Nuclear detonation: 10-kiloton improvised nuclear device. Hundreds of thousands of people are killed when terrorists detonate a nuclear device in a densely populated area during rush hour.
[Photo by Reuters. London, July 7: Crisis response to terrorist attack.]
at Ford Motor, are trying to ingrain in businesses, under the much ballyhooed rubric of public-private partnerships. Now an academic specialist with the School of Criminal Justice at Michigan State University, Jones helps run tabletop exercises (partially funded by DHS) where business leaders come together to talk about disaster recovery and business continuity with local government officials.
“The business has an assumption that if they call the police department or fire department, they’re going to be there,” says Jones, who is also a retired U.S. Secret Service agent in charge. “What we have to look at now is wide-scale disasters that can shut down a region.” When Jones asks businesspeople how they would respond to a given scenario, he says, “If somebody raises their hand and says, ‘We’re going to call the police,’ then I say, ‘Let’s get the police in here.’” And the police chief is likely to point out that a major disaster would quickly exhaust the department’s resources.
Taking this self-sufficiency step down another level, Jones says companies should encourage their employees to do their own disaster planning. Duct tape jokes aside, he says that DHS’s website, Ready.gov, really does have good advice about the importance of storing at least 72 hours’ worth of food, water, batteries, medicines and other critical supplies to have in the event of an emergency.
The risks we should really be worried about, in the end, are the meta-risks, not the specific ones—like the possibility that the country isn’t devoting enough time to figuring out roles and responsibilities of different entities during any crisis.
“I think we need to have the debate about when something is the primary responsibility of the federal government, and when it’s the responsibility of the state and local government, and when it’s the responsibility of the private sector,” says Yim, the former Homeland Security Institute director, “so that people don’t try to do the same thing. We talk about layered defenses, and that doesn’t mean redundant defenses. It means people doing slightly different things that in some ways are complementary.”
Or like the fact that we simply don’t know how to evacuate a city, either in terms of the legal processes or the logistical ones. Just look at what happened in Houston as Hurricane Rita approached hard on the heels of Katrina. Traffic was stalled so badly that many would-be evacuees turned around and went home.
Finally there’s the meta-risk of where personal freedoms fit into all this. “What freedoms are we willing to give up to have orderly evacuation?” ponders Dennis Treece, director of corporate security at Massport, the agency that runs the Boston Harbor seaport and Logan Airport. “Are you willing to be told that you have to leave your home? Is it even legal to order somebody to go away? In creating a statute that allows that, there’s a loss of freedom. Is that good or is that not good? Well, I think we need to have some public debate over this stuff.”
The consequences, if we don’t, are simply too big to consider.
Senior Editor Sarah D. Scalet can be reached at
sscalet@cxo.com.
occurrence, you multiply infinity by zero and get whatever you want.”
All of which is why the more important question to ask may not be “What’s next?”—although that’s an enticing question—but “What’s the set of potential consequences?”
“I believe with great passion that everything is hard to predict,” says Peter Bernstein, financial market guru and author of the best-seller Against the Gods: The Remarkable Story of Risk. “We never know what the future holds. When I say that to people, their heads go up and down, but they still act as if they know what the future holds.
“We don’t know what’s going to happen,” Bernstein continues, “but there’s a range of outcomes out there. The ones that may make a difference are the ones you really have to make preparations for. If someone is walking around my house with a lit match, I have to worry about it. It doesn’t mean my house is going to burn down, but if it does, it’s going to be a disaster.”
Tim Williams, CSO of Nortel Networks, says he simply wouldn’t want to discard any risk as a low-probability one. “In this day and age, it’s hard to determine what’s a low-probability event, given what we’ve seen over the past years,” he says. “When you see all the issues that have occurred, such as war and natural disasters, the tsunami and all the rest—those were all low-probability, but they happened. I think our whole concept of recognizing what are low-probability and high-impact events has substantially changed. The universe of what can happen is much larger. We’ve had our minds opened.”
Consequence: When probability fails, focus on universal recovery planning
Consequences were in the headlines for weeks after Hurricane Katrina. Yes, Katrina was a natural disaster, one that broke trees like twigs and tossed cars like coins. But everything that happened after the winds let up was man-made. The levees failed—a consequence of the way they were built and maintained. Eighty percent of the city flooded—a consequence of having positioned homes and businesses below sea level on land that relied on the levees to stay dry. Basic infrastructures failed—sometimes because critical systems or backup generators were placed at ground level. As many as 60,000 people were left stranded at the Superdome for days—a consequence of critical personnel leaving the city to care for their own families, and of confusion over where state and local responsibilities ended and federal ones began.
No one could have stopped the storm, of course, but the country could have better controlled the consequences. That’s why experts say that instead of playing a game of pin-the-probability-on-the-scenario, a more helpful approach is to mitigate the consequences of whatever happens, through good preparation.
“It’s fun to think about low-probability, high-impact things,” says Dave Kent, CSO of Genzyme (speaking like a true CSO). But ultimately, he says, it doesn’t really matter which specific event punches out your data center, keeps your employees from getting to work, disrupts communications or electricity, or causes a pandemic.
“It doesn’t serve the interest of the organization to have someone yelling, ‘The sky is falling!’ on every potentially low-risk, high-impact disaster that may befall an organization,” Kent says. But the effects of all those possible events have certain commonalities. “You have to be thoughtful about where your people are, and you have to have a plan for doing business if you can’t get into your facility. Those solutions cut across a wide range of disasters.” This is Business Continuity 101: Know who your critical people are, know what your critical systems are, and have contingency plans in place to keep them both humming.
As part of this planning process, it’s become clear that businesses, to an extent greater than ever, need to prepare to be self-sufficient after any large-scale disaster, rather than counting on local municipalities having enough resources to help everyone.
This is a point that people like Rad Jones, former manager of security and fire protection
[Photo by Reuters. Phutticka, Pakistan, Nov. 30: Quake damage slows relief aid.]
“All that has occurred, such as war and natural disasters, the tsunami and all the rest—those were all low-probability, but they happened. We’ve had our minds opened.” –Tim Williams, CSO of Nortel Networks
Mapping Risk
Geography is another way to analyze risk. See a
global view in “The Color of Risk.” Find the link at
www.csoonline.com/010106.