Given that figuring out the probability of an attack based on the available data is currently so difficult, how can a particular CFO gain a more precise basis for managing the risks of an attack on his or her corporation?
To be sure, probability — estimating the frequency of an event by comparing different sets of data — is still very much in use. But a consensus for a more eclectic and dynamic approach to modeling terrorism risk appears to be emerging.
Using such an approach, probabilities can be built into computer-simulation models, enabling risk analysts to determine the likelihood that terrorists will act in certain ways given certain scenarios.
Yet no matter how up-to-the minute and precise terrorism risk models are, terrorists are notorious for acting in unexpected ways. To anticipate those ways, companies are increasingly relying on game theory, under the notion that by hunting down villains in hypothetical situations, you might be able to unearth the unexpected.
The Desire of al-Qaeda
From the very beginning of terrorism risk modeling, analysts knew that a different game was afoot than that of trying to assess the likelihood of an earthquake or a tornado. Barely more than a year after the 9/11 attacks, Gordon Woo, a mathematician with Risk Management Solutions who had just created RMS’s first terrorism risk model, was declaring that a “traditional probabilistic approach, such as used for modeling natural catastrophes, is simply not up to the challenge” of quantifying terrorism risks.
In introducing the model in 2002 (two other such firms, AIR Worldwide and EQECAT also introduced models that year), Woo said he used game theory in developing it. “Game Theory helps us model the implications of the complex dynamics between… conflicting factors,” he said at a seminar then. “On one hand, we have al-Qaeda’s desire to maximize the utility of their attacks, and on the other hand, we have to consider their rational response to stepped-up security and counter-intelligence efforts and the constraints of their technological and logistical capacities.”
While such models enabled companies to zero in on protecting what are now called “trophy targets” — highly visible, highly valuable corporate assets like the Sears Tower in Chicago — they did not yet focus on analyzing the actions of terrorists in response to counter-terrorism.
In the intervening years, however, counter-terrorism has outstripped terrorism by a considerable margin, according to Woo. Testifying in September before the House Financial Services Committee, he could say that terrorism risk has become “as much about counter-terrorism action as about terrorists themselves. U.S. terrorism insurance is essentially insurance against the failure of counter-terrorism.”