DSBlog


What is the value of a human life? In homeland security circles this is not a question that gets much attention. And when the subject of human value does come up, it’s usually waved off as being alternately unmeasurable or sufficiently well-measured already.

We would argue that explicitly valuing a human life in any homeland security risk analysis is a worthy undertaking because of the need to ascertain potential consequences, which usually include both fatalities and economic losses. Combining these disparate consequence types into a single metric requires converting one type to the other, using an ‘exchange rate’ known as the value of human life.

Multiple consequence types are often scaled, weighted and combined in a process that implies a human value. But it’s one that is never really acknowledged – let alone explained. (In 2006, for instance, two groups within DHS implicitly assigned per-person values of $100,000 and $12 million respectively in two separate but simultaneous risk analysis efforts!)

While the existence of an explicit dollar value would avert such internal inconsistencies, assigning such a value is not straightforward. There are three common approaches:

  • Legal precedents (i.e., awards in wrongful death cases);
  • Studies of personal preference; and
  • Policy direction.

In legal cases, value is often based on the loss of a deceased individual’s expected future earnings. But this approach has limited applicability in homeland security because: (a) it is designed to value a specific individual’s life, not a generic human being’s; and (b) it raises questions about how to value groups of people with lower-than-average incomes, such as children, the elderly, the poor and the disabled.

Preference studies, by contrast, measure either people’s willingness to pay to reduce risk (or prolong life), or the sums required to induce them to accept additional risk. In a common example, one can usually trade off a higher risk of death on the job for a higher wage. People’s (cost) sensitivity to small changes in the probabilities of death, extrapolated out to a 100-percent probability and expressed in dollars, is called the Value of a Statistical Life. The VSL is commonly used in making regulatory decisions in some federal agencies, such as the EPA and Dept. of Energy, and it has its proponents in DHS as well.

One problem with wage studies is that in most jobs the risk of death is a very minor factor compared with other factors. Therefore the resulting VSLs can vary wildly, with values typically in the $5- to $10-million range. A second problem is that VSLs mainly probe the price sensitivity of those most willing to work in high-risk jobs, and the values thus derived are therefore not from a representative sample of the U.S. population. Since homeland security risk analyses are meant to be universally applicable, one may view the VSL as more of a lower boundary than an actual value of a typical human life.

Which leaves us with the third method: policy direction. This has been the most commonly employed approach in homeland security, but the justifications have not always been clearly articulated. The advantage of making the value of human life an explicit policy decision is that it places both responsibility and accountability for the decision with the decision-maker. The other two approaches could introduce significant systematic errors if used in the wrong way and, more problematically, could create doubts in the minds of policy-makers and the public by separating the responsibility for calculating the value from the accountability for defending it.

––––––––––––––––

Digital Sandbox is the leader in public safety risk management, providing analytic tools and information products to government agencies and large enterprises, for optimizing risk-based strategic, policy, and budgetary decisions.


First, the bad news: we are losing the cybersecurity arms race – chiefly because we keep throwing ever more public and private resources at solutions already manifestly inadequate, and doing so without ever having grasped the rapidly evolving problem we were supposed to be tackling in the first place.

The good news is that it’s not too late to avert our current, worrying, predicament. But doing so will require a complete rethinking of cyber ‘grand strategy’ among a visionary (and collaborating) cross-section of our security and intelligence communities, as well as what promises to be a grindingly slow transformation of the commercial fundamentals and techno-operational priorities of the present-day cybersecurity industrial complex.

Digital Sandbox CEO Bryan Ware contends that part of the problem lies in our conflicting approaches to cyber and physical threats, and that recasting these threats as essentially ‘two sides of the same coin’ will open a door to improved sharing of the best practices each community brings to the table.

Writing in the Fall 2009 issue of IQT Quarterly, a publication of the CIA’s In-Q-Tel technology-investment arm, Bryan advocates a new kind of convergence, one that reaches beyond the by-now widely accepted notion that the physical and cybersecurity communities still have some serious silo-breaking work to do.

In Bryan’s formulation, many other kinds of convergence need to happen. Foremost is a recognition that:

  • Physical and cyber threats both originate from an identifiable person or group;
  • Each individual or group has both a physical and a cyber identity; and
  • All such entities increasingly operate in both cyber and physical space to achieve their goals.

One critical goal of this shift in thinking would be to infuse the cybersecurity community, focused as it is on existing vulnerabilities and responding to attacks, with the threat-assessment ethos that underpins intelligence tradecraft and the risk-mitigation/-prevention mindset of the physical security world.

Convergence of this nature is of course disruptive, and must be mutually beneficial to succeed. The return benefit in this instance is that physical security professionals would gain access to the tools they desperately need (whether or not they know it yet) to analyze not merely the physical characteristics of a threat but its corresponding ‘cyber-signature’ as well.

Organizations with a financial stake in the current cybersecurity regime (e.g., vendors deriving revenue streams from point fixes to point flaws or large enterprises already under compliance pressure) are unlikely to endorse such a sea change, at least without being offered new incentives to do so. As Marcus Ranum, inventor of the firewall, put it: “The Internet will remain as insecure as it is possible to be and still function.”

Yet such a gloomy prognosis doesn’t detract from our core premise: when you are losing a race you cannot afford to lose, change the rules.

Readers interested in the full security convergence article will find it here.

––––––––––––––––


Ever wondered what PCII stands for, and what it means? Here’s a brief rundown and some background information.

Roughly 85 percent of critical infrastructure in the U.S. is privately owned, while the primary responsibility for protecting such assets lies with the government. Yet the need for improved information-sharing, which is a crucial component of any security risk management effort, is hampered by private-sector concerns that core intellectual property and other sensitive proprietary information could end up being shared too widely, thus affecting a company’s competitiveness and perhaps even its very existence.

Enter the Protected Critical Infrastructure Information (PCII) program, established by the Department of Homeland Security pursuant to the Critical Infrastructure Information Act of 2002 (CII Act). DHS says the PCII program “creates a new framework which enables members of the private sector to, for the first time, voluntarily submit confidential information regarding the nation’s critical infrastructure to [DHS] with the assurance that the information, if it satisfies the requirements of the CII Act, will be protected from public disclosure.”

Not surprisingly, there have been a number of legal challenges to the PCII program and other state or local sunshine-law exemptions for homeland security information. DSBlog closely tracks and will periodically report on and analyze developments relating to the PCII program, including court decisions that ‘test’ it.

Meanwhile, a fact sheet and other details on the PCII program can be found here, and a DHS video briefing on the subject is here.

––––––––––––––––


This Risks Interconnection Map in the Global Risks 2010 report released earlier this year by the World Economic Forum highlights some advancements in technology that allow users to view data in multiple dimensions. With a quick glance at the legend field, even the most casual observer can begin to form an idea of the message the WEF is trying to convey.

Risk data is very dynamic, involving factors both known and unknown. Displaying this on a multi-dimensional map with connectivity nodes emphasizes this point. In addition, the map does a fantastic job of highlighting the key domains that are at risk throughout the world. The drill-down feature is aesthetically pleasing—animating the transition as well as increasing the readability of the links. Overall, it’s an excellent visualization tool to allow users to easily see how different scenarios are connected.

Stare at the map long enough, though, and you’ll start to see an interesting pattern emerge—one that reveals clues about the experts compiling the data. The highest-risk factors, in terms of both likelihood and severity, are economic and financial. A quick scan of the list of experts at the back of the report confirms a hunch: the majority of the 200-odd members of the Global Risk Network and Global Agenda Councils who contributed to the survey that produced the report’s underlying data skew heavily to economists and financial services industry types.

Perhaps they’re right that economic risks predominate (a consistent theme at the famously exclusive Davos meetings the WEF hosts each year in the Swiss Alps). Or perhaps it’s just one point of view and emphasis among many, based on subjective data relating to perceived likelihood. Regardless, it’s always worth remembering the source, scope and intended audience of a presentation such as this when absorbing its conclusions.

Either way, though, we really do like that map…

––––––––––––––––


Proposed legislation making the rounds on Capitol Hill recently directs the Administrator of the Federal Emergency Management Agency (FEMA) to establish a grant program to assist projects that improve the ability of airports and trauma-center hospitals to withstand earthquakes.

The legislation is clearly a reaction to the recent 7-plus-magnitude earthquakes in Haiti (January) and Chile (February) and is far from certain ever to become law – or even to make it out of the House Committee on Transportation and Infrastructure’s Subcommittee on Economic Development, Public Buildings and Emergency Management, where it was referred in mid-March.

Nevertheless, the so-called Critical Infrastructure Earthquake Preparedness Act of 2010 is of interest from a risk-analytics perspective. For example, in making grants to state and local government agencies the FEMA Administrator would have to consider:

  • The vulnerability to an earthquake of the facility to be improved.
  • The size of the population served by the facility to be improved.
  • The availability of similar facilities in the area surrounding the facility to be improved.
  • The ability to withstand an earthquake of the facility to be improved, if the proposed project is not carried out.

A copy of the bill can be found here.

––––––––––––––––


Bowling for Disclosure

Jul 01, 2010

A recent Pennsylvania court case appears, at first glance, to represent a victory for proponents of transparency and open government. A closer reading of the court’s decision, however, shows a willingness to give state agencies wide latitude in interpreting what constitutes sensitive information whose disclosure would jeopardize public safety and security.

Just as a new statewide Right-to-Know Law went into effect in January 2009, Pittsburgh Tribune-Review staff writer Brian Bowling filed a request with the Pennsylvania Emergency Management Agency (PEMA) seeking data on all first responder equipment and services the agency purchased with Department of Homeland Security grant funds during fiscal years 2005-2008, including copies of all contracts and invoices.

PEMA granted Bowling’s request but omitted the names of all recipients of the equipment and services, on the grounds that their disclosure would endanger the state by revealing gaps, vulnerabilities and emergency response capabilities. Such details, PEMA argued, allow potential adversaries to more easily locate, steal, destroy or develop countermeasures against various systems and pieces of hardware.

Bowling appealed the decision to the state’s Office of Open Records, which determined in April 2009 that PEMA properly withheld the recipients’ names under a Right-to-Know provision exempting from disclosure records “maintained by an agency in connection with the military, homeland security, national defense, law enforcement or other public safety activity that, if disclosed, would be reasonably likely to jeopardize or threaten public safety or preparedness or public protection activity or a record that is designated classified by an appropriate Federal or State military authority.”

Undeterred, Bowling appealed that decision to the Pennsylvania Court of Appeals. And on February 5, 2010, the court determined that PEMA’s blanket redaction of the recipients’ names was overly broad, and that it must make a reasonable effort to differentiate between goods and services which are reasonably likely to endanger public safety and those that aren’t—and in the latter instance to name the recipients of those items. In other words, no blanket redactions allowed.

On its face, this ruling appears to be a victory for Bowling because PEMA now must justify non-disclosure of information on a case-by-case basis. (That’s how he cast it when reporting the decision in a subsequent Tribune-Review article.)

But the court has also accorded PEMA a tremendous amount of discretion by granting it the authority to determine which disclosures would endanger public safety or preparedness.

And while it didn’t impose a ‘test’ for PEMA to apply when making such determinations, it did indicate support for the withholding of information that would allow an adversary to pinpoint the physical location of, say, agency computer servers or bio-chemical testing gear. It likewise called the location of “bungee cords” and other “innocuous items” not sensitive enough to proscribe, as PEMA had done initially.

So the next time PEMA is faced with a similar request, will it disclose substantially more information? Perhaps—if there’s a lot of data on innocuous items like bungee cords. But it’s equally likely that all of the more sensitive stuff will remain safely shielded behind the homeland security exemption.
