Department of Homeland Security Bioterrorism Risk Assessment: A Call for Change (2008)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Appendix H Game Theory and Interdependencies Geoffrey Heal, Ph.D. Paul Garrett Professor of Public Policy and Business Responsibility Columbia University, New York, New York Howard Kunreuther, Ph.D. Cecilia Yen Koo Professor of Decision Sciences and Public Policy University of Pennsylvania, Philadelphia, Pennsylvania There are certain bad events that can only occur once. COMMON FEATURES OF THE PROBLEM Death is the obvious example: an individual’s death is ir- There are several different versions of this problem of reversible and unrepeatable. More mundane examples are interdependencies, and all have certain features in common. bankruptcy, being struck off a professional register, and In what follows a payoff is assumed to be discrete and binary. other discrete events. In addition there are other events that A bad event either occurs or does not, and that is the full can in principle occur twice but that are so unlikely and/or range of possibilities. You die or you live. A firm is bankrupt so dreadful that one occurrence is all that can reasonably be or not. An anthrax attack is successful or not in a densely considered. The events of September 11, 2001, are perhaps urban city. A plane crashes or not. Another feature common of this type. A set of coordinated anthrax attacks in several to these interdependent problems is that the risk faced by highly populated regions is another. The fact that such events one agent depends on the actions taken by others—there are are typically probabilistic, taken together with the fact that externalities. The risk of an airline’s plane being blown up the risk that one agent faces is often determined in part by by a bomb depends on the thoroughness with which other the behavior of others, gives a unique and hitherto unnoticed airlines inspect bags that they transfer to this plane. The risk structure to the incentives that agents face to reduce their that an anthrax attack in an urban city is successful depends exposures to these risks. on the nature of our system for preventing, detecting, and The key point is that the incentive that any agent has to responding to the threat of biological weapons. invest in risk-reduction measures depends on how he or she Finally there is a stochastic element in all of these situ- expects the others to behave in this respect. For cases where ations. In contrast to the standard prisoner’s dilemma para- there are complementarities or positive externalities, if the digm where the outcomes are specified with certainty, the agent thinks that they will not invest in security, then this re- interdependent security problem involves chance events. duces the incentive for the agent to do so. On the other hand, The question addressed is whether to invest in security should the agent believe that they will invest in security, when there is some probability, often a very small one, that then it may be best for it to do so also. So there may be an there will be a catastrophic event that could be prevented or equilibrium where no one invests in protection, even though mitigated. The risk depends in part on the behavior of others all would be better off if they had incurred this cost. Yet this in the system. The unfavorable outcome is discrete in that it situation does not have the structure of a prisoner’s dilemma either happens or does not. game, even though it has some similarities. A fundamental question that needs to be posed is “Do individuals and organizations invest in security to a degree IMPORTANCE OF PROBLEM STRUCTURE that is adequate from either a private or social perspective?” These three factors—non-additivity of damages, depen- In general the answer is no, for reasons that are described dence of risks on the actions of others, and uncertainty—are, below. as we shall see, sufficient to ensure that there can be equi- libria at which there is underinvestment in risk-prevention measures. The precise degree of underinvestment depends on the nature of the problem. To illustrate the nature of interde-   NOTE: This appendix is based on material appearing in Heal and Kun- pendencies we focus on two examples: airline security and reuther (2006). computer security. If an airline accepts baggage that contains 116 

APPENDIX H 117 a bomb, this need not damage one of its own planes: it may from not investing to investing in protection, then all others be transferred to another airline before it explodes. So in this will find it in their interests to do the same. And even if there framework one agent may transfer a risk fully to another. It is no single agent that can exert such leverage, there may be may of course also receive a risk from another. There is a a small group. Obviously this finding has significant implica- game of “pass the parcel” here. The music stops when the tions for policy-making. It suggests that there are some key bomb explodes. It can only explode once so only one plane players whom it is particularly important to persuade to man- will be destroyed. age risks carefully. Working with them may be a substitute The structure of this game is quite different in the case for working with the population as a whole. of computer networks. Here it is commonly the case that if a virus (or hacker) enters the network through one weak CHARACTERIZING THE PROBLEM: point, it (or he or she) then has relatively easy access to the TWO-AGENT PROBLEM rest of the network and can damage all other computers as well as the entry machine (Kearns, 2005). In this case the We now set out formally the framework to study inter- bad outcome has a characteristic similar to a public good: dependent security (henceforth denoted IDS). Consider two its consumption is non-rivalrous. Its capacity to damage is identical airlines, A1 and A2, each having to choose whether not exhausted after it has inflicted damage once. A bomb, or not to invest in a baggage screening system. Each faces in contrast, has a limited capacity to inflict damage, and this a risk of a bomb exploding on its plane, causing a loss of L. capacity is exhausted after one incident. There are two possible ways in which damage can occur: a The computer network problem is similar to what might bomb can explode either in a bag initially checked onto the happen in a bioterrorist attack such as anthrax or smallpox airline’s own plane or in a bag transferred from the other where it is possible for contamination to spread across in- airline. The probability of a bomb exploding in luggage ini- dividuals. Even if an individual or firm has taken protective tially checked on a plane of an airline that has not invested actions, there is still some chance that it can be contaminated in security is p. The expected loss from this event is pL. If or infected by others who have not undertaken similar mea- the airline has invested in security precautions then this risk sures and hence are at risk. For example, if a person has been is assumed to be zero. vaccinated or taken preventive medicine against a disease, Even if an airline has invested in a baggage screening he or she may still contract the illness from others who have system there is still an additional risk of loss due to contagion the disease if the vaccine or medicine is not 100% effective. from the other airline if it has not invested in security. The In these cases where there are complementarities or posi- probability of a dangerous bag being accepted by one airline tive externalities created by an individual taking protective and then being transferred to the other is denoted by q. With measures, there is more incentive for one unit to invest in respect to the chances of contagion, q is the likelihood that protective measures if the other units have taken similar on any trip a dangerous bag is loaded onto the plane of one actions. In fact, investing in security is most effective if all airline and is then transferred to another airline where it ex- elements of the system obtain protection and weak links may plodes. We assume that there is not enough time for an airline lead to suboptimal behavior by everyone. to examine the bags from another airline’s plane before they In both cases, the airline and computer security problems, are loaded onto its own plane. the incentives depend on what others do. Suppose that there These probabilities are interpreted as follows. On any are a large number of agents in the system. In Kunreuther given trip there is a probability p that an airline without a and Heal (2003) we show that in the computer security security system loads a bomb that explodes on one of its problem, if none of the other machines are protected against own planes. For the airline scenario, thorough scanning of viruses or hackers then the incentive for any agent to invest baggage that an airline checks on its own plane will prevent in protection approaches zero. For airline security, if no other damage from these bags, but there could still be an explosive airline has invested in baggage checking systems and there in a bag transferred from another airline. There is thus an ad- is a high probability that bags will be transferred from one ditional risk of loss due to contagion from another agent who airline to another, the expected benefits to any airline from has not invested in loss prevention, denoted by q. If there are this investment approaches 63% of what it would have been n ≥ 2 airlines, the probability per trip that this bag will be in the absence of contagion from others. transferred from airline i to airline j is q/(n - 1). Note that the As we show below there can be a stable equilibrium where probability per trip that a bag placed on an airline without a all agents choose not to invest in risk reduction measures, security system will explode in the air is p + q. even though all would be better off if they did invest. An We assume throughout that the damages that result from interesting property of some of these equilibria is the pos- multiple security failures are no more severe than those sibility of tipping as described by Schelling (1978). How can resulting from a single failure. In other words, damages are we ensure that if enough agents will invest in security that all not additive. In the airline baggage scenario, this amounts the others will follow suit? In some cases there may be one to an assumption that one act of terrorism is as serious as agent occupying such a strategic position that if it changes several. In reality, having two bombs explode on a plane is 

118 DEPARTMENT OF HOMELAND SECURITY BIOTERRORISM RISK ASSESSMENT no more damaging than just one. The key issue is whether risk of damage originating at one’s own airline. The term qL, or not there is a failure, not how many failures there are. showing the expected loss from damage originating at the Indeed as the probabilities are so low, single occurrences other airline, is multiplied by (1 - p) to reflect the assumption are all that one can reasonably consider. One could think of that the damage can only occur once. So the risk of contagion the definition of a catastrophe as being an event so serious only matters to an airline when that airline does not suffer that it is difficult to imagine an alternative event with greater damage originating at home. consequences. We focus first on the case of two airlines, each The conditions for investing in security to be a dominant of which is denoted as an agent. This example presents the strategy are that c < pL and c < p(1 - q)L. The first constraint basic intuitions in a simple framework. We then turn to the is exactly what one would expect if there were only a single multi-agent case. airline: the cost of investing in security must be less than the To illustrate the framework in the context of a real-world expected loss. Adding a second airline tightens the constraint event, consider the destruction of Pan Am flight 103 in 1988. by reflecting the possibility of contagion. This possibility In Malta terrorists checked a bag containing a bomb on Malta reduces the incentive to invest in security. Why? Because Airlines, which had minimal security procedures. The bag in isolation investment in security buys the airline complete was transferred at Frankfurt to a Pan Am feeder line and then freedom from risk. With the possibility of contagion it does loaded onto Pan Am 103 in London’s Heathrow Airport. not. Even after investment there remains a risk of damage The transferred piece of luggage was not inspected at either emanating from the other airline. Investing in security buys Frankfurt or London, the assumption in each airport being you less when there is the possibility of contagion from that it was inspected at the point of origin. The bomb was others. designed to explode above 28,000 feet, a height normally This solution concept is illustrated below with a numeri- first attained on this route over the Atlantic Ocean. Failures in cal example. Suppose that p = .2, q = .1, L = 1000 and c = 185. a peripheral part of the airline network, Malta, compromised The matrix in Table H.1 is now represented as Table H.2. the security of a flight leaving from a core hub, London. One can see that if A2 has protection (S), then it is worth- Assume that each airline has two choices: to invest in while for A1 to also invest in security since its expected baggage screening, S, or not to do so, N. Table H.1 shows the losses will be reduced by pL = 200 and it will only have payoffs to the agents for the four possible outcomes. to spend 185 on the security measure. However, if A2 does Here Y is the income of each airline before any expendi- not invest in security (N), then there is still a chance that A1 ture on security or any losses from the risks faced. The cost will incur a loss. Hence the benefits of security to A1 will of investing in security is c. The rationale for these payoffs only be pL(1 - q) = 180 which is less than the cost of the is straightforward. If both airlines invest in security, then protective measure. So A1 will not want to invest in protec- each incurs a cost of c and faces no losses from damage so tion. In other words, either both airlines invest in security or that their net incomes are Y - c. If A1 invests and A2 does neither of them does so. These are the two Nash equilibria not (top right entry) then A1 incurs an investment cost of for this problem. c and also runs the risk of a loss from damage emanating from A2. The probability of A2 contaminating A1 is q, so THE MULTI-AGENT IDS CASE that A1’s expected loss from damage originating elsewhere is qL. This cost represents the negative externality imposed The results for the two-agent case carry over to the most by A2 on A1. In this case A2 incurs no investment costs and general settings with some increase in complexity. In this faces no risk of contagion but does face the risk of damage section we review briefly the main features of the general originating at home, pL. The lower left payoffs are just the cases, without providing detailed proofs of the results. These mirror image of these. can be found in Kunreuther and Heal (2003). If neither airline invests, then both have an expected There are two key points that emerge from the discussion payoff of Y - pL - (1 - p)qL. The term pL here reflects the of the general case with respect to the IDS problem. One is TABLE H.1  Expected Costs Associated with Investing TABLE H.2  Expected Costs Associated with Investing and Not Investing in Airline Security and Not Investing in Airline Security: Illustrative Example Airline 2 (A2) Airline 2 (A2) S N S N S Y − c, Y − c Y − c − qL, Y − pL S Y − 185, Y − 185 Y − 285, Y − 200 Airline 1 (A1) Airline 1 (A1) Y − [pL + (1 − p) qL], N Y − 200, Y − 285 Y − 280, Y − 280 N Y − pL, Y − c − qL Y − [pL + (1 − p)qL] NOTE: S, screening of baggage; N, no screening. NOTE: S, screening of baggage; N, no screening. 

APPENDIX H 119 that the main feature of the two-agent case carries over to n rate and specify the relevant time interval in determining agents: the incentive that any agent faces to invest in security whether or not to invest in these actions. There may be some depends on how many other agents there are and on whether uncertainty with respect to both of these parameters. From or not they are investing. Other agents who do not invest re- the point of view of dynamics, the decision to invest depends duce the expected benefits from one’s own protective actions on how many others have taken similar actions. How do you and hence reduce an agent’s incentive to invest. get the process of investing in security started? Should one Secondly there is a new possibility that emerges from the subsidize or provide extra benefits to those willing to be in- multi-agent case. There is the possibility of a tipping phe- novators in this regard to encourage others to take similar nomenon. In some cases there may be one firm occupying actions? such a strategic position that if it changes from not investing to investing in protection, then all others will find it in their Endogenous Probabilities interests to follow suit. And even if there is no single firm that can exert such leverage, there may be a small group. Heal The above analysis assumed that the risks faced by the and Kunreuther (2007) show when this can happen and how airlines are independent of their own behavior. In reality to characterize the agents with great leverage. Obviously if some airlines are known to be more security-conscious this point has considerable implications for policy-making. than others, they are presumably less likely to be terrorist It suggests that there are some key players whom one needs targets. In this sense the problem of investing in security to persuade to manage risks carefully. has similarities to the problem of theft protection: if a house announces that it has installed an alarm, then burglars are likely to turn to other houses as targets. In the case of airline EXTENDING THE ANALYSIS security, terrorists are more likely to focus on targets that are The choice of whether to protect against events where less well protected. This is the phenomenon of displacement there is interdependence between your actions and those of or substitution, documented in Sandler (2005). Keohane and others raises a number of interesting theoretical and empiri- Zeckhauser (2003) and Bier (2007) also consider the case of cal questions. We mention some of these in this section. endogenous terrorist risks. For the case of endogenous probabilities in the airline security problem, Heal and Kunreuther (2007) show that an Differential Costs and Risks airline is more likely to invest in security when probabilities The nature of Nash equilibria for the problems considered are endogenous than when these probabilities are exogenous above and the types of policy recommendations may change because of the increased likelihood of being a target when as one introduces differential costs across the agents who are others invest in protection. In addition, if one makes the considering whether or not to invest in security. Consider reasonable assumption that the total externality imposed on each airline deciding whether to invest in a baggage security any non-investing firm decreases as the number of investing system. In Heal and Kunreuther (2007) we have shown that if firms increases, then this should lead more firms to invest there are differential costs and/or risks between companies, in protection. For both these reasons it should also now be we would expect to find some airlines investing in baggage easier for a coalition to tip the other firms into investing in security systems and others who would not. Furthermore, security than if the probabilities were exogenous. Future as we discussed above, the airline which creates the largest research should examine how changes in endogenous prob- negative externalities for others should be encouraged to abilities impact on IDS solutions and the appropriate strate- invest in protective behavior not only to reduce these losses gies for improving individual and social welfare. but also to make it profitable for other airlines to follow suit, thus inducing tipping behavior. Behavioral Considerations The models discussed above all assumed that individuals Multi-Period and Dynamic Models made their decisions by comparing their expected benefits Deciding whether to invest in security normally involves with and without protection to the costs of investing in se- multi-period considerations since there is an upfront invest- curity. This is a rational model of behavior. As pointed out ment cost that needs to be compared with the benefits over in Chapter 2 of this report, there is a growing literature in the life of the protective measure. An airline that invests in behavioral economics that suggests that individuals make a baggage security system knows that this measure promises choices in ways that differ from the rational model of choice. to offer benefits for a number of years. Hence one needs to With respect to protective measures there is evidence from discount these positive returns by an appropriate interest controlled field studies and laboratory experiments that many individuals are not willing to invest in security for a num-   ber of reasons that include myopia, high discount rates and See Schelling (1978) for a characterization of a number of tipping problems. budget constraints (Kunreuther et al., 1998). In the models 

120 DEPARTMENT OF HOMELAND SECURITY BIOTERRORISM RISK ASSESSMENT considered above there were also no internal positive effects in Kunreuther and Heal (2003) is theft protection where there associated with protective measures. Many individuals invest are negative externalities to others from your taking protec- in security to relieve anxiety and worry about what they tion. In the case of theft protection, if you install an alarm perceive might happen to them or to others so as to gain system that you announce publicly with a sign, the burglar peace of mind (Baron et al., 2000). A more realistic model will look for greener pastures to invade. of interdependent security that incorporated these behavioral factors as well as people’s misperceptions of the risk may Risk Management Strategies suggest a different set of policy recommendations than a rational model of choice. For each IDS problem there are a range of risk manage- ment strategies that can be pursued by the private and public sectors for encouraging agents to invest in cost-effective FUTURE RESEARCH ON RISK MANAGEMENT protective measures. STRATEGIES FOR IDS PROBLEMS We conclude by suggesting a set of problems that involve • Collecting information on the risk and costs (e.g., interdependent security and suggesting the types of risk constructing a scenario so that one can estimate p, q, management strategies that could be explored for address- L, and c with greater accuracy); ing them. • Developing more accurate catastrophe models for examining the risk of terrorist attacks and other large- scale disasters; Types of Problems • Designing incentive systems (e.g., subsidies or taxes) to The common features of IDS problems are the possibility encourage investment by agents in protective measures; that other agents can contaminate you and your inability to • Developing insurance programs for encouraging invest- reduce this type of contagion through investing in security. ment in protective measures when firms are faced with You are thus discouraged from adopting protective measures contagion; when you know others have decided not to take this step. • Structuring the liability system to deal with the conta- Here are some problems that fit into this category, some of gion effects of IDS; which have been discussed in this paper: • Carefully designed standards (e.g., building codes for high-rises to withstand future terrorist attacks) that are • Investing in airline security well enforced through mechanisms such as third-party • Protecting against bioterrorist attacks inspections; • Protecting against chemical and nuclear reactor • Introducing federal reinsurance or state-operated pools accidents to provide protection against future losses from terrorist • Making buildings more secure against attacks attacks to supplement private terrorist insurance. • Investing in sprinkler systems to reduce the chance of a fire in one’s apartment It may be desirable to integrate several of these measures • Making computer systems more secure against terrorist through public-private risk management partnerships. For attacks example, banks and financial institutions could require that • Investing in protective measures for each part of an firms adopt security measures as a condition for a loan or interconnected infrastructure system such as electricity, mortgage. To ensure that these measures are adopted there water or gas so that services can be provided to victims may be a need for third party inspections or audits by the of a disaster private sector. Firms who reduce their risks can be rewarded through lower insurance premiums. If there are federal or In each of these examples there are incentives for indi- state reinsurance pools at reasonable prices to cover large vidual units or agents not to take protective measures but losses from a future terrorist attack, then private insurers there are large potential losses to the unit making a decision may be able to provide terrorist coverage at affordable (e.g., individual, organization, city) as well as to society. In premiums. the case of bioterrorism, if each unit takes protective action it will create positive externalities to others in the system and to society. Furthermore, the losses from these events are   One could make a similar argument with respect to cities taking pro- sufficiently high that they are considered to be non-additive. tective measures against bioterrorism. For example, if certain cities were One can only get a specific disease once (e.g., smallpox, equipped with sensors to detect biological attacks, the terrorist might focus anthrax), an airplane can only be destroyed once; a building his or her attention on those urban areas that did not have this form of protection. can only collapse once. You can only die once!   For more details on the challenges in developing catastrophe models These IDS problems can be contrasted with others that do and appropriate strategies for dealing with them, see Grossi and Kunreuther not have these features. One that is discussed in more detail (2005). 

APPENDIX H 121 REFERENCES Kearns, M. 2005. “Economics, Computer Science and Policy.” Issues in Science and Technology, Winter: pp. 37-47. Baron, J., J. Hershey, and H. Kunreuther. 2000. “Determinants of Priority Keohane, N., and R. Zeckhauser. 2003. “The Ecology of Terror Defense.” for Risk Reduction: The Role of Worry.” Risk Analysis 20(4):413- Journal of Risk and Uncertainty. Special Issue on Terrorist Risks 427. 26(2/3):201-229. Bier, V. 2007. “Choosing What to Protect.” Risk Analysis 27 (June):607- Kunreuther, H., and G. Heal. 2003. “Interdependent Security.” Journal 620. of Risk and Uncertainty, Special Issue on Terrorist Risks 26(2/3):231- Grossi, P., and H. Kunreuther. 2005. Catastrophe Modeling: A New Ap- 249. proach to Managing Risk. New York: Springer. Kunreuther, H., A. Onculer, and P. Slovic. 1998. “Time Insensitivity for Heal, G., and H. Kunreuther. 2006. “You Can Only Die Once: Interde- Protective Measures.” Journal of Risk and Uncertainty 16(3):279-299. pendent Security in an Uncertain World.” In The Economic Impacts Sandler, T. 2005. “Collective Action and Transnational Terrorism.” The of Terrorist Attacks, H.W. Richardson, P. Gordon, and J.E. Moore, III World Economy 26(6):779-802. (eds.). Northampton, Mass.: Edward Elgar. Schelling, T. 1978. Micromotives and Macrobehavior. New York: Norton. Heal, G., and H. Kunreuther. 2007. “Modeling Interdependent Risks.” Risk Analysis 27(3):621-633.