Embed Size (px)
Citation preview
Target-oriented utility theory for modeling the deterrenteffects of counterterrorism
Vicki M. Bier a,n, Fuat Kosanoglu b
a Department of Industrial Engineering, University of Wisconsin-Madison, 1513 University Avenue, Room 3270A, Madison, WI 53706, USAb Department of Industrial Engineering, University of Wisconsin-Madison, 1513 University Avenue, Room 3237, Madison, WI 53706, USA
a r t i c l e i n f o
Article history:Received 12 July 2013Received in revised form3 November 2014Accepted 8 November 2014Available online 21 November 2014
Keywords:Decision analysisUtility theoryRisk analysisReliability
a b s t r a c t
Optimal resource allocation in security has been a significant challenge for critical infrastructureprotection. Numerous studies use game theory as the method of choice, because of the fact that anattacker can often observe the defender’s investment in security and adapt his choice of strategiesaccordingly. However, most of these models do not explicitly consider deterrence, with the result thatthey may lead to wasted resources if less investment would be sufficient to deter an attack. In this paper,we assume that the defender is uncertain about the level of defensive investment that would deter anattack, and use the target-oriented utility to optimize the level of defensive investment, taking intoaccount the probability of deterrence.
& 2014 Elsevier Ltd. All rights reserved.
1. Introduction
Resource allocation in security has been extensively studied bymany authors after the terrorist attacks on September 11, 2001.Numerous studies use game theory as the method of choice, becauseof the fact that an attacker can observe the defender’s investment insecurity and adapt to his choice of strategies. For example, Bier et al.[1] has argued that defending a target against determined adver-saries is more difficult than against an opportunistic attacker. Thus,the optimal defensive allocation should take into account theattacker’s strategy and capabilities.
Investment in defense aims to reduce vulnerability by hardeninga system, minimizing the consequences of an attack, and/or deterringa possible attack. Bier and Abhichandani [1] suggest a model foroptimal resource allocation in series and parallel systems, assumingthat the attacker wishes to maximize the probability of success for anattack on the system, and the defender tries to minimize theprobability of system failure. The extension of this work by Bieret al. [2] assumes that the attacker wishes to maximize the expecteddamage from an attack, while the defender’s objective is to minimizethe expected loss, taking into account not only system functionality,but also the inherent values of the components. In this model, theattacker may still launch an attack even if he cannot disable theentire system, due to the inherent values of components (so, forexample, disabling a single component in a parallel system can beworthwhile even though it won’t lead to system failure).
Levitin has extensively studied security models. Most of his workassumes a static threat, and uses reliability theory rather than gametheory [3–7]. However, the following works illustrate his use ofgame theory to model optimum resource allocation in security.Levitin and Hausken [8] compare the effectiveness of redundancyversus component hardening. In this study, the authors analyze atwo-stage minmax reliability game where the defender moves firstby investing in protection; the attacker can then observe the systemprotections, and choose the best attack strategy. In a later study,Hausken and Levitin [9] present a game-theoretic optimizationmodel in which two fully strategic agents (an attacker and adefender) both have perfect knowledge about the system and theavailable actions. The system consists of series and parallel sub-systems, and each component consists of elements in parallel. Thedefender can physically separate the system components, in orderto apply different protection strategies to them; conversely, theattacker can attack different combinations of components usingdifferent attack strategies. The defender objective is to minimizeexpected damage, while the attacker maximizes expected damage,both subject to a budget constraint. In more recent work, Hauskenand Levitin [10–12] assume that the defender can deploy falsetargets that the attacker cannot easily distinguish from the truetargets. Both the defender and the attacker are assumed to be fullystrategic, and both are assumed to have complete knowledge aboutthe system structure and the available actions, but only the defenderis assumed to know which targets are false.
In some situations (such as computer networks, aviation security,etc.), the level and effectiveness of defensive investment may dependon the actions of other defenders. Kunreuther and Heal [13] examinean interdependent-security (IDS) model in which any agent in the
Contents lists available at ScienceDirect
journal homepage: www.elsevier.com/locate/ress
Reliability Engineering and System Safety
http://dx.doi.org/10.1016/j.ress.2014.11.0060951-8320/& 2014 Elsevier Ltd. All rights reserved.
n Corresponding author. Tel.: þ1 608 262 2064; fax: þ1 608 262 8454.E-mail address: [email protected] (V.M. Bier).
Reliability Engineering and System Safety 136 (2015) 35–46
group suffers a loss L in case of a successful attack. A loss can occureither if an agent doesn’t invest in protection of its own asset, or dueto contamination by other agents that didn’t invest in security; forexample, even an airline that screens all incoming baggage could beaffected by a bomb transferred from another airline that didn’t screenbaggage. In this model, each agent has perfect information about therisks and costs of security investment, and decides whether to investin security. Heal and Kunreuther [14] propose a general model thatencompasses three different types of IDS problems. In the first type,an agent may still suffer a loss due to contamination from otheragents even if he invests in security (partial protection with negativeexternalities). In the second type of IDS problem, if an agent invests insecurity, he will not be vulnerable to contamination by other agents(complete protection with negative externalities). For the third typeof IDS problem, agents that invest in security may create positiveexternalities for other agents. In this model, for each type of problem,each agent makes its own decision regarding investment in security. Ifan agent invests in security, he may avoid direct loss with certainty,yet may be harmed by other agents that don’t invest in security.
Note that most of these models do not explicitly considerdeterrence, with the result that they may lead to wasted resourcesif less investment would be sufficient to deter an attack. In practice,though, one objective of investment in defense is often to deter apossible attack. Miller [15] discusses the circumstances under whichdeterrence strategies are likely to be most or least effective. McGill[16] discusses possible methods to deter an attack, includingreducing the perceived level of loss resulting from a successfulattack, decreasing the success probability of an attack by investingin defense, or increasing the perceived likelihood of retaliation afteran attempted attack.
Sandler and Arce [17] present a model to demonstrate deter-rence when a terrorist group can attack either a business site or atourist site. In this model, both sites wish to minimize the cost ofdeterring an attack plus the expected loss from an attack, whilethe attacker tries to maximize his payoff from launching an attack.Deterrence in this case involves deflecting the attack to anothertarget. Arce et al. [18] study a model where an attacker can useeither a conventional attack or suicide tactics, while a defenderinvests in protection of multiple targets. When the attacker’s effortexceeds the defender’s effort, the attacker wins, and vice versa.Arce et al. find that, at equilibrium, the attacker may be deterredwith positive probability, and if not will choose to attack at mostone target.
In some cases, the defender and the attacker may have differentvaluation for the same targets. Powell [19] proposed a model inwhich the attacker and the defender have different valuations forthe targets, which results a sequential nonzero-sum “Blotto” game.He shows that there exists a unique resource allocation strategythat minimizes the defender’s loss and maximizes the attacker’spayoff. In particular, the defender allocates resources to minimizethe attacker’s maximum payoff, and in best response the attackerattacks the target that minimizes the defender’s payoff. Moreover,the defender is always successful in deterring attacks on the targetthat is more valuable to the defender.
However, Hausken [20] has a model in which the second mover(the attacker) can never be deterred from attacking the target thatis more valuable to the defender in a sequential game, as long asthe defender has fixed resources. This is because, unlike in [19],Hausken allows for variable attacker effort in response to theobserved defenses. He also shows that the attacker can be deterredfrom attacking the target is more valuable to the defender, whenthe defender has an unconstrained budget, as long as the unit costof defense is less than half of the unit cost of attack.
Bier et al. [21] study a strategic model in which a defender allo-cates his resources to defense, and an attacker chooses a location toattack. The defender is assumed to be uncertain about the attacker’s
preferences, while the attacker can perfectly observe the defender’sinvestment in security. The attacker seeks to maximize his payofffrom launching an attack, and the defender seeks to minimize thedamage of an attack. In this model, defensive investment in onecomponent may increase the probability of an attack on anothercomponent. Thus, the defender may optimally leave some compo-nents undefended, sometimes preferring higher vulnerability at aparticular component (even if lower vulnerability could be achievedat no cost) for strategic purposes. When the attacker has an “outsideoption” other than attacking, it is possible for defensive investment todeter an attack in this model, by reducing the success probability ofan attack. In an application of this model, Bier et al. [22] quantify theattractiveness of various targets, and explore how the optimal budgetallocation depends on the cost effectiveness of defensive investment.
Hausken and Zhuang [23] develop a model in which thedefender moves first and the attacker moves second in each ofmultiple time periods. The attacker and the defender are myopic,in the sense of considering payoffs in only one time period whenchoosing their strategies for that period. Since parameter valuesmay change through time (e.g., due to technological changes), theattacker and the defender will in general use different strategies ineach time period. Hausken and Zhuang indicate that when theattacker’s valuation of the target is not sufficiently large, theattacker will not attack at all even if there is no investment indefense, and will instead carry over the unused attack resources tothe next period. Moreover, even if the attacker’s valuation of thetarget would have been large enough to justify an attack on anundefended target, the attacker may still be deterred by additionalinvestment in defense if the defender’s valuation of the target issufficiently large to justify suitable investment.
Azaiez and Bier [24] assume that the defender wishes to deter anattack by maximizing the cost of an attack to the attacker. Theauthors assume that the defender’s investment in security increasesthe level of effort required for the attacker to attain a given pro-bability of success. However, Azaiez and Bier do not explicitlyconsider the level of attack cost at which an attacker would bedeterred, leading to possible overinvestment in security.
Another recent paper proposes a model to determine how manycontainers would need to be inspected in order to deter smugglingattempts [25]. The model assumes that a sufficiently high probabilityof being caught may deter an attacker from smuggling weapons ofmass destruction into US ports. The defender moves first by choosingan inspection level to minimize the inspection cost plus the expectedloss (both the expected damage and the cost of any resultingretaliation) from a weapon being successfully smuggled into the US,while the attacker wishes to find the best response to the defender’spolicy in order to maximize his expected reward. In an extension ofthis work, Haphuriwat et al. [26] suggest a model to identify therequired percentage of containers to inspect in order to deter one ormore nuclear weapons from being smuggled in to the US in shippingcontainers.
Bordley and Kirkwood [27] propose a new target-orientedutility approach that can be applied to the problem of deterrencein security. Target-oriented utility theory assumes that the deci-sion maker wishes to minimize the probability of failing to achievean uncertain target. In this paper, we assume that the defender isuncertain about the level of investment that would be sufficient toachieve deterrence. The defender objective is then to maximizethe expected value of deterrence (the probability of deterring anattack, times the expected loss if an attack occurs), minus thedefensive cost. For additional studies, Hausken and Levitin [28]classify some recent studies of defense and attack models.
Section 2 of this paper presents a basic model for a single-component system assuming that the probability of deterrence is afunction of the level investment in security. Section 3 presents arevised model, taking into account the fact that investment in
V.M. Bier, F. Kosanoglu / Reliability Engineering and System Safety 136 (2015) 35–4636
defense may affect the success probability of an attack, as well asthe probability of an attack occurring. Then, Section 4 comparesthe results of this target-oriented model to those of a moreconventional game-theoretic model that ignores deterrence. InSection 5, we allow the attacker’s behavior to depend on the lossfrom a successful attack, as well as the success probability of anattack. Finally, the last section discusses the conclusions from ourwork and presents some directions for future research.
2. Notation and basic model formulation
2.1. Single-component system
We begin our work by constructing a basic model for a single-component system. This simple system gives us insights about howthe value of the defender’s objective function depends on the valuesof the parameters in the model. In this model, the defender aims tominimize the expected loss from an attack (i.e., the probability offailing to deter the attacker, times the loss from an attack), plus thelevel of defensive investment. We assume that the attacker candecide whether to attack or to withdraw, but cannot adjust theattack effort, and this is known to the defender. The initial problemformulation for a single component is thus as follows:
min L 1�PdðcÞð Þþx ð1Þwhere L is the loss from a successful attack (which will be treated asa constant, even though it may of course be the expected value of aprobability distribution for uncertain attack consequences), x is theadditional resources invested in the component, c¼xþc0 is the totalinvestment, c0 is the initial investment in the component (prior tothe start of our analysis), Pd cð Þ is the probability that an attack on agiven component will be deterred at investment level c.
We consider only two possible outcomes; either the defendersuccessfully deters an attack, or the defender fails to deter an attackand suffers a loss L. In order to explore the effects of differentprobability distributions for the deterrence threshold, we assumethat the level of investment x needed to deter an attack follows anexponential, Rayleigh, or Weibull distribution. These distributionsare commonly used in reliability theory [29], and all of them haveclosed-form cumulative distributions, making them suitable for usein our work. In other words, our objective function can be:
min L e�λ xþ c0ð Þ� �
þx when Pd cð Þ is exponential ð2Þ
min L e�λ2ðxþ c0Þ2=2� �
þx when Pd cð Þ is Rayleigh ð3Þ
min L e� xþ c0=bð Þa� �þx when Pd cð Þ is Weibull ð4Þ
From now on, we will ignore c0, and treat the initial investmentas zero. This implies that the probability of deterring an attack iszero when the additional investment x is zero. In the real world,however, a system or component may of course have some inherentlevel of security even if no investment is made in protection.
As expected, the optimum defensive investment xn is increasingin the loss L (see Figs. 1–3). The defender is willing to pay more (andachieves a higher probability of deterrence) when the expected lossL from a successful attack is large. When Pd cð Þ is exponential, theoptimum level of defensive investment xn is initially increasing inthe cost effectiveness λ, and then decreasing (see Fig. 4). Tounderstand this behavior, consider the fact that when cost effec-tiveness is zero, it is obviously optimum not to invest in defense,since investment would not affect the probability of deterrence.Then, for moderately small values of λ, the defender would need toinvest quite a bit to achieve deterrence; as λ gets larger, lower levelsof investment would still be enough to deter an attacker. When
Pd cð Þ is Rayleigh or Weibull, the optimum level of investment isinitially zero; then, when the cost effectiveness of defensiveinvestment is big enough to justify investing, the optimum levelof investment xn becomes positive and decreasing in the costeffectiveness of defensive investment (see Figs. 5 and 6).
0
2
4
6
8
0 500 1000 1500
x*
L
Fig. 1. Optimal defensive investment in a single component as a function of lossfrom a successful attack for exponential distribution (where λ¼1).
0
1
2
3
0 500 1000 1500
x *
L
Fig. 2. Optimal defensive investment in a single component as a function of lossfrom a successful attack for Rayleigh distribution (where λ¼1).
0
1
2
3
4
0 500 1000 1500
x*
L
Fig. 3. Optimal defensive investment in a single component as a function of lossfrom a successful attack for Weibull distribution (where β¼1, α¼2).
0
10
20
30
40
0.01 0.1 1 10(log scale)
x*
Fig. 4. Optimal defensive investment in a single component as a function of costeffectiveness of defense for exponential distribution in single.
V.M. Bier, F. Kosanoglu / Reliability Engineering and System Safety 136 (2015) 35–46 37
3. Probability of deterrence as a function of the successprobability of an attack
In this section, we define the probability of deterrence to be afunction of the attacker’s probability of successfully disabling theentire system. Here, we assume that an attacker would give upattacking when the success probability is sufficiently small. Thus,the defender may invest in protection both to reduce the successprobability of an attack (if one occurs), and to deter the attacker (ifthe success probability becomes sufficiently small). The modelformulation for a single component is as follows:
Z ¼ min L 1�Pd Ps xð Þð Þ½ �PsðxÞþx ð5Þwhere x is the resources invested, Z is the defender’s optimumobjective value, PsðxÞ is the success probability of an attack wheninvestment level is x, Pd Ps xð Þð Þ is the attack deterrence probabilitywhen the success probability of an attack is PsðxÞ.
Since data directly relevant to deterrence of terrorist attacks isnot available, it is difficult to determine the functional form of thedeterrence probability. Fortunately, however, there are relatedempirical studies that can give some insight into the functionalform of the probability of deterrence. In particular, based on datafrom interviews with imprisoned drug dealers, Anthony [30]suggests that a drug dealer would not be deterred at all if theperceived probability of interdiction is not sufficiently high, andthen finds that the marginal rate of deterrence is increasing in theprobability of success. In another empirical study based on inter-view data from serious adolescent offenders, Loughran et al. [31]suggest that increases in the detection probability reduce the rateof offending more when the detection probability is close to 0 or 1,resulting in a reverse S-shaped function. To reflect this behavior,we assume that the probability of deterrence follows a Kumar-aswamy distribution [32]. It is defined over a domain of [0, 1], likethe Beta distribution, but has the advantages of a simple closed-form cumulative distribution function. Moreover, since the Kumar-aswamy distribution, given in Eq. (6), has two shape parameters
(α and β), it is reasonably flexible; for example, in cases whereattacks will be almost completely deterred for even a moderatelylarge success probability, higher values of α will fit better. Asshown in Fig. 7, the Kumaraswamy distribution with parametervalues higher than 2 is S-shaped, and for parameter values lowerthan 1 is reverse S-shaped.
F xð Þ ¼ 1� 1�xαð Þβ ; 0oxo1 ðThe cumulative distribution function
of Kumaraswamy distributionÞ ð6Þ
As stated above, Loughran et al. [31] suggest a reversed S-shapedfunction for deterrence, based on interview data from seriousadolescent offenders. By contrast, in Anthony’s work on imprisoneddrug dealers [30], the deterrence probability is zero when the dealerhas a success probability close to 1; even if a drug dealer has a zerochance of success, he still cannot be deterred for sure. Moreover,decrements in success probability have less effect on deterrencewhen the success probability is low than it is high. Unlike bothAnthony and Loughran, we believe that for terrorism, the prob-ability of deterrence should be close to 1 when the probability ofsuccess is sufficiently low, since launching a terrorist attack is costly,so may not be undertaken at all when the probability of success isbelow some threshold. Thus, in the rest of this study, we will use anS-shaped deterrence function with parameter values α¼2, β¼2.
We treat the probability of attack success as either an expo-nential or a Rayleigh function of the level of defensive investment.When the initial investment is expected to be more cost-effectivethan subsequent investments (e.g., representing decreasing mar-ginal return), then the success probability function is assumed tobe exponential.
By contrast, using the Rayleigh distribution, investment isinitially relatively ineffective, than becomes highly effective nearthe mode of the distribution, and then reflects diminishing marginalreturns after that. This might be a useful model for situations inwhich some minimal level of investment is required in order forinvestment to be highly cost effective (e.g., if the most cost-effectivedefensive options are also quite costly).
Pd Ps xð Þð Þ ¼ 1� PsðxÞð Þα� �β ðKumaraswamyÞ ð7Þ
Ps xð Þ ¼ e�λx ðexponentialÞor Ps xð Þ ¼ e� ðλxÞ2=2ð Þ Rayleighð Þ
(ð8Þ
The results for a single component are shown below. Increasing αresults in a higher deterrence probability for a given success prob-ability (see Fig. 7). This means that large values of α encourage non-zero spending even for low values of cost effectiveness (i.e., evenwhen a given investment does not have much effect on the successprobability of an attack), as shown in Figs. 8 and 9. At high costeffectiveness, high values of α permit deterrence to be achieved evenwith modest investment. As a result, larger values of α also lead tohigher deterrence probabilities at optimality for a given level of costeffectiveness (see Figs. 10 and 11). By contrast, increasing β results in alower deterrence probability for a given success probability. Thus, as βincreases, the defender demands a higher level of cost effectiveness
0
20
40
60
80
0.01 0.1 1 10λ (log scale)
x*
Fig. 5. Optimal defensive investment in a single component as a function of costeffectiveness of defense for Rayleigh distribution (where L¼100).
0
20
40
60
80
0.01 0.1 1 10
x*
1/β (log scale)
Fig. 6. Optimal defensive investment in a single component as a function of costeffectiveness of defense for Weibull distribution (where L¼100, α¼2).
0
0.2
0.4
0.6
0.8
1
0 0.2 0.4 0.6 0.8 1
1-P(
dete
rren
ce)
P(success)
Fig. 7. The Kumaraswamy distribution with different shape parameter values.
V.M. Bier, F. Kosanoglu / Reliability Engineering and System Safety 136 (2015) 35–4638
05101520253035
0.00001 0.001 0.1 10
x*
0
10
20
30
40
50
60
0.0001 0.001 0.01 0.1 1 10
x*
a (logarithmic scale) a (logarithmic scale)
Fig. 8. Optimum investment level as a function of a in single-component systems where Ps(x) is exponential (L¼100).
0
20
40
60
80
100
0.01 0.1 1 10
x*
a (logarithmic scale)
010203040506070
0.001 0.01 0.1 1 10
xa (logarithmic scale)
Fig. 9. Optimum investment level as a function of a in single-component systems where Ps(x) is Rayleigh (L¼100).
0
0.2
0.4
0.6
0.8
1
0.0001 0.001 0.01 0.1 1 10
P(de
terr
ence
)
a (logarithmic scale)
0
0.2
0.4
0.6
0.8
1
0.00001 0.001 0.1 10
P(de
terr
ence
)
a (logarithmic scale)
Fig. 10. Probability of deterrence as functions of a in single-component systems where Ps(x) is exponential (L¼100).
0
0.2
0.4
0.6
0.8
1
0.01 0.1 1 10
P(de
terr
ence
)
a (logarithmic scale)
0
0.2
0.4
0.6
0.8
1
0.001 0.01 0.1 1 10
P(de
terr
ence
)
a (logarithmic scale)
Fig. 11. Probability of deterrence as functions a in single-component systems where Ps(x) is Rayleigh (L¼100).
0
0.2
0.4
0.6
0.8
1
0.0001 0.01 1
P(su
cces
s)
a (logarithmic scale) a (logarithmic scale)
0
0.2
0.4
0.6
0.8
1
0.0001 0.001 0.01 0.1 1 10
P(su
cces
s)
Fig. 12. Probability of success as functions of a in single-component systems where Ps(x) is exponential (L¼100).
V.M. Bier, F. Kosanoglu / Reliability Engineering and System Safety 136 (2015) 35–46 39
before beginning to invest at all (see Figs. 8 and 9). Moreover, forsufficiently high levels of cost effectiveness, high values of β alsorequire higher levels of investment at optimality (see Figs. 8 and 9), tocompensate for the smaller effect of attack success probabilities ondeterrence (see Figs. 10–13).
At moderately low cost effectiveness, high values of α alsoresult in a reduced probability of success (see Figs. 12 and 13),because they encourage investment. However, at higher costeffectiveness, high values of α are associated with increased valuesof the probability of success, because deterrence can be achievedeven with moderately high probabilities of success. Conversely, forrelatively low cost effectiveness, high values of β result in anincreased probability of attack success, since no investment ismade in protection. However, for higher cost effectiveness, highervalues of β result in a reduced probability of attack success, tocompensate for the reduced effect of the success probability onattack deterrence.
3.1. Components in parallel
In parallel systems, the attacker must disable all components toensure failure of the entire system, since only one component issufficient to ensure system functionality. An intelligent attackerhoping to fail the entire system would presumably not botherattacking only a single component. Therefore, for multi-componentparallel systems, we assume that the attacker makes his decisionabout whether to attack based on the probability of successfullydisabling the entire system, and define the probability of deterrenceto be a function of that success probability. The resulting problemformulation for components in parallel is as follows:
Z ¼ min L 1�Pd Ps xð Þð Þ½ �PsðxÞþR ð9Þ
Pd Ps xð Þð Þ ¼ 1� PsðxÞð Þα� �β ðKumaraswamyÞ ð10Þ
PsðxÞ ¼∏iPs xið Þ ð11Þ
Ps xið Þ ¼ e�λixi exponentialð Þor Ps xið Þ ¼ e� ðλixiÞ2=2ð Þ Rayleighð Þ
(ð12Þ
where R is the total investment in protection of entire system(summation of defensive investment on each individual component),PsðxÞ is the probability of successfully disabling the entire system,PsðxiÞ is the probability of successfully disabling component i.
We present results for parallel system with two components.We note that in a parallel system with two identical components,the success probability of an attack on the entire system does notdepend on the investment in individual components when thesuccess probability is exponential; it depends only on the totalinvestment in the entire system. Fig. 14 shows the optimal totalinvestment level in the entire system. For the non-identical case,
the defender chooses to invest only in the component that is morecost effective to defend (see Fig. 15).
When the success probability of an attack is given by theRayleigh distribution in a parallel system with two identicalcomponents, the defender chooses to invest in at most a singlecomponent. Total investment is initially zero, then positive anddecreasing in the cost effectiveness λi (see Fig. 16). We also notethat the probability of success Ps is decreasing in λi, and theprobability of deterrence Pd is increasing in λi, as for a single-component system (see Fig. 17). As shown in Fig. 18, for the non-identical case, the defender always chooses to invest in only thecomponent with the higher cost effectiveness λi..
3.2. Components in series
In series systems, a successful attack on even a single componentwould be enough to cause system failure. In some cases, this could bebecause the components are physically in series (such as electricitylines or pipelines); in other systems, components may be physicallyin parallel, but if both components are necessary for the system to
0
0.2
0.4
0.6
0.8
1
0.01 0.1 1 10
P(su
cces
s)
a (logarithmic scale)
0
0.2
0.4
0.6
0.8
1
0.001 0.01 0.1 1 10
P(su
cces
s)
a (logarithmic scale)
Fig. 13. Probability of success as functions a in single-component systems where Ps(x) is Rayleigh (L¼100).
0
10
20
30
40
50
0.001 0.01 0.1 1 10
R*
ai (logarithmic scale)
Fig. 14. Optimum investment level as a function of a in parallel systems where Ps(x)is exponential (L¼100 and α¼2, β¼2).
0
0.5
1
1.5
2
2.5
0 5 10
a2/a1
x1
x2
Fig. 15. Optimum investment level as a function of a2/a1 in parallel system wherePs(x) is exponential (L¼100 and α¼2, β¼2).
V.M. Bier, F. Kosanoglu / Reliability Engineering and System Safety 136 (2015) 35–4640
function, they are still conceptually in series [1]. In attacking a seriessystem, the attacker can choose to attack only one component ormultiple components. An attacker may prefer to attack only a singlecomponent if his only goal is disabling the entire system, or an attackon that component has an adequate chance of succeeding. Underother circumstances, an attacker might prefer to attack multiplecomponents depending on the attack cost, the probability of success,and the attacker’s budget. Since our model does not explicitlyconsider attack cost and attacker budget, here we consider twotypes of attackers: the first one attacks either all components ornone; the second type attacks only the component with the highersuccess probability of attack (if attacking is worthwhile at all). In bothcases, we model the probability of deterrence as a function of theattacker’s probability of disabling the entire system, not the prob-ability of disabling an individual component.
3.2.1. Attacker attacks all componentsIn this case, the attacker attacks either all components or none.
For example, the attacker may attack all components even when a
single component failure would be sufficient to disable the systemin order to increase the success probability of the attack, if attacksare sufficiently low in cost. The resulting problem formulation is asfollows:
Z ¼ min L 1�Pd Ps xð Þð Þ½ �PsðxÞþR ð13Þ
PsðxÞ ¼ 1�∏i
1�Ps xið Þ½ � ð14Þ
Pd Ps xð Þð Þ ¼ 1� PsðxÞð Þα� �β ðKumaraswamyÞ ð15Þ
PsðxiÞ ¼ e�aixi ðexponentialÞor PsðxiÞ ¼ e� ðaixiÞ2=2ð Þ Rayleighð Þ
(ð16Þ
We first present results for two identical components. In this case,the levels of investment in defense of the two components will beequal. For low values of the cost effectiveness λi, no investment insecurity is optimal, since investment would not have enough effecton the probability of success to be justified. When λi is sufficiently
0
20
40
60
80
100
0.01 0.1 1 10 100
R*
a i (logarithmic scale)
Fig. 16. Optimum investment level as a function of a in parallel systems where Ps(x)is Rayleigh (L¼100 and α¼2, β¼2).
0
0.2
0.4
0.6
0.8
1
0.01 0.1 1 10 100ai (logarithmic scale)
p(d)
p(s)
Fig. 17. Probability of success and probability of deterrence as functions a inparallel systems where Ps(x) is Rayleigh (L¼100 and α¼2, β¼2).
0
0.5
1
1.5
2
2.5
0 2 4 6 8 10a2/a1
x1x2
Fig. 18. Optimum investment level as a function of a2 /a1 in parallel systems wherePs(x) is Rayleigh (L¼100 and α¼2, β¼2).
0
20
40
60
80
100
0.01 0.1 1 10ai (logarithmic scale)
R
x
Fig. 19. Optimum investment level as a function of a in series systems where Ps(x)is exponential and the attacker attacks both components (L¼100 and α¼2, β¼2).
0
20
40
60
80
100
0.01 0.1 1 10 100ai (logarithmic scale)
Rx
Fig. 20. Optimum investment level as a function of a in series systems where Ps(x) isRayleigh and the attacker attacks both components (L¼100 and α¼2, β¼2).
0
0.2
0.4
0.6
0.8
1
0.01 0.1 1 10ai (logarithmic scale)
pd
ps
Fig. 21. Probability of success and probability of deterrence as a function of a inseries systems where Ps(x) is exponential and the attacker attacks both components(L¼100 and α¼2, β¼2).
V.M. Bier, F. Kosanoglu / Reliability Engineering and System Safety 136 (2015) 35–46 41
large, the defender starts to invest; as the cost-effectiveness λi getslarger, lower levels of investment would still be enough to deter theattacker (see Figs. 19 and 20). Figs. 21 and 22 show the probability ofsuccess (dashed line) and the probability of deterrence (solid line) asfunctions of the cost effectiveness λi.
For a system with two non-identical components, the defenderinvests more in the component with the lower cost-effectivness ofdefensive investment, as shown in Figs. 23 and 24. Here, sinceboth components are equally important to system functionaltiy,the defender attemps to make them equally vulnerable (or equallywell protected).
3.2.2. Attacker attacks the most vulnerable componentIn this case, the attacker chooses to attack the component with
the highest probability of successful attack. This may be morerealistic when the attacker has a limited budget or limited attackcapabilities. The model formulation for this case is as follows:
Z ¼ min L 1�Pd Ps xð Þð Þ½ �PsðxÞþR ð17Þ
PsðxÞ ¼maxiPs xið Þ ð18Þ
Pd Ps xð Þð Þ ¼ 1� PsðxÞð Þα� �β ðKumaraswamyÞ ð19Þ
Ps xið Þ ¼ e�aixi ðexponentialÞor Ps xið Þ ¼ e� ðaixiÞ2=2ð Þ Rayleighð Þ
(ð20Þ
As in the previous subsection, we first present results for asystem with two identical components. As expected, the defenderinvests in both components equally, as shown in Figs. 25 and 26.For low values of the cost effectiveness λi, it is not worth investingat all, and the success probability of attack equals 1 (see Figs. 27and 28). When the cost effectiveness λi is big enough to justify
investing, then the success probability of attack is decreasing in λi,and the probability of deterrence is increasing.
We also present results for series systems with two compo-nents where each component has a different cost-effectiveness. Asbefore, Figs. 29 and 30 show that the defender invests more in thecomponent that is less cost effective to defend. This is because thedefender aims to have equal success probabilities of attack on bothcomponents, so must invest more in the component with smallercost effectiveness.
4. Comparison of target-oriented utility model to aconventional game-theoretic model
As mentioned before, conventional game-theoretic models ofhomeland security can result in wasted resources when a lowerlevel of investment would be sufficient for deterrence. Therefore, we
0
0.2
0.4
0.6
0.8
1
0.01 0.1 1 10 100ai (logarithmic scale)
pdps
Fig. 22. The probability of success and the probability of deterrence as a function ofa in a series system where Ps(x) is Rayleigh and the attacker attacks bothcomponents (L¼100 and α¼2, β¼2).
0
5
10
15
20
0.1 1 10 100a2/a1(logarithmic scale)
x1
x2
Fig. 23. Optimum investment level as a function of a2/a1 in series systems wherePs(x) is exponential and the attacker attacks both components.
0
5
10
15
20
0.1 1 10 100a2/a1(logarithmic scale)
x1
x2
Fig. 24. Optimum investment level as a function of a2/a1 in series systems wherePs(x) is Rayleigh and the attacker attacks both components.
0
10
20
30
40
50
0.005 0.05 0.5 5a (logarithmic scale)
R
x
Fig. 25. Optimum investment level as a function of a in series systems where Ps(x)is exponential and the attacker attacks the most vulnerable component (L¼100and α¼2, β¼2).
0
20
40
60
80
100
0.01 0.1 1 10 100a (logarithmic scale)
R
x
Fig. 26. Optimum investment level as a function of a in series systems where Ps(x)is Rayleigh and the attacker attacks the most vulnerable component (L¼100 andα¼2, β¼2).
V.M. Bier, F. Kosanoglu / Reliability Engineering and System Safety 136 (2015) 35–4642
now compare the target-oriented utility model to a conventionalgame-theoretic model that does not take into account the probabilityof deterrence. In the conventional model, the defender’s objective issimply to minimize the expected loss (the actual loss L, times thesuccess probability of an attack), plus the defense cost, assuming thatan attack will take place regardless of the level of investment.
In the previous section, the success probability of an attack wasassumed to be either an exponential or a Rayleigh function ofdefensive investment. Here, we will show only the exponentialcase and omit the Rayleigh, since the results for the Rayleighdistribution are similar. The formulation of the non-deterrencemodel is as follows:
ZN ¼minxN
LPs xNð ÞþxN ð21Þ
where
Ps xNð Þ ¼ e�λðxN Þ ðexponentialÞ ð22ÞLet xnN be the optimal investment level in the non-deterrencemodel.By contrast, the formulation of the target-oriented utility model
for a single component is;
ZD ¼minxD
L 1�Pd Ps xDð Þð Þ½ �Ps xDð ÞþxD
where
Ps xDð Þ ¼ e�a xDð Þ ðexponentialÞor Ps xDð Þ ¼ e� axDð Þ2=2ð Þ Rayleighð Þ
(
Pd Ps xð Þð Þ ¼ 1� PsðxÞð Þα� �β ðKumaraswamyÞLet xnD the optimal investment level in the deterrence model.First, we explore the impact of the cost-effectiveness λ in the
exponential case. When the cost-effectiveness λ is zero, theoptimum investment levels xD n and xNn are both zero. As λ getslarger, xD n is initially greater than xNn for small values of λ, and
0
0.2
0.4
0.6
0.8
1
0.005 0.05 0.5 5a (logarithmic scale)
pdps
Fig. 27. The probability of success and the probability of deterrence as a function ofa in a series system where Ps(x) is exponential and the attacker attacks the mostvulnerable component (L¼100 and α¼2, β¼2).
0
0.2
0.4
0.6
0.8
1
0.01 0.1 1 10 100a (logarithmic scale)
pd
ps
Fig. 28. The probability of success and the probability of deterrence as a function ofa in a series system where Ps(x) is Rayleigh and the attacker attacks the mostvulnerable component (L¼100 and α¼2, β¼2).
0
10
20
30
40
50
0.01 0.1 1 10a2/a1
x1x2
Fig. 29. Optimum investment level as a function of a2/a1 in series systems wherePs(x) is exponential and the attacker attacks the most vulnerable component(L¼100 and α¼2, β¼2).
0
5
10
15
20
0.1 1 10 100a2/a1 (logarithmic scale)
x1x2
Fig. 30. Optimum investment level as a function of a2/a1 in series systems wherePs(x) is Rayleigh and the attacker attacks the most vulnerable component (L¼100and α¼2, β¼2).
0
10
20
30
40
50
0.005 0.05 0.5 5a (logarithmic scale)
xN*
xD*
Fig. 31. Optimum investment levels as a function of cost effectiveness a for non-deterrence and deterrence models where Ps(x) is exponential (L¼100 and α¼2,β¼2).
0
20
40
60
80
100
0.005 0.05 0.5 5a (logarithmic scale)
zN
zD
Fig. 32. Value of objective function as a function of cost effectiveness a for non-deterrence and deterrence models where Ps(x) is exponential (L¼100 and α¼2,β¼2).
V.M. Bier, F. Kosanoglu / Reliability Engineering and System Safety 136 (2015) 35–46 43
then becomes less than xNn (see Fig. 31). Fig. 32 shows that theobjective-function value for the model with deterrence ðZDÞ isalways better than for the model without deterrence ðZNÞ, as wewould expect. However, that is for two different reasons; theability to spend less when cost effectiveness is high, and thegreater effectiveness of defense (due to the possibility of deter-rence) when cost effectiveness is low.
We now explore what results would be achieved in the modelwith deterrence, if the optimum investment level from the modelwithout deterrence ðxNnÞwere chosen (e.g., if the defender was notaware of the possibility of deterrence). Naturally, of course, x n
Dgives better results than x n
N , as illustrated in Fig. 33, but fordifferent reasons in different regions. At first, xDn is greater thanxNn, but the defender benefits from a smaller expected loss,EL ðx n
DÞ oELðxNnÞ (see Fig. 34). When λ gets larger, and investmentbecomes more cost effective, xNn becomes greater than xDn, andtherefore gives a worse value of the objective function, eventhough the expected loss when choosing xNn is less.
We now compare how the models with and without deterrenceperform with regard to the loss L. For small values of L, bothmodels choose zero investment in security, so that x n
N ¼ x nD ¼ 0.
As L becomes larger, the model without deterrence eventuallybegins spending too much, as shown in Fig. 35. Therefore, asshown in Fig. 36, the target-oriented utility model always resultsin a better objective-function value.
5. Probability of deterrence as a function of both loss andattack success probability
In our initial model, we assumed that the probability ofdeterrence was a function only of the investment level. Then, wemodified our model to allow the probability of deterrence to be afunction of the success probability of an attack. However, these arenot the only factors that may influence the probability of deter-rence. In particular, an attacker may be more easily deterred from
an attack on a low-valued target. Therefore, we now modify theprevious model to allow the probability of deterrence to be afunction of both the loss L and the success probability of an attack.This is realistic, since the attacker may be much more motivated tolaunch an attack when the consequences of a successful attackwould be severe, and hence, it may be more difficult to deter anattack when the loss L from a successful attack is high.
In this section, we assume that the deterrence function followsa Rayleigh distribution (instead of Kumaraswamy distribution),since the Kumaraswamy distribution is defined over a [0, 1] range,but the loss may take on arbitrarily large values. The new modelformulation is as follows:
Z ¼ min L 1�Pd Ps xð Þð Þ½ �PsðxÞþx ð23Þ
where
Pd Ps xð Þð Þ ¼ e� L Ps xð Þð Þ2=2s2ð Þ Rayleighð Þ ð24Þ
Ps xð Þ ¼ e�λx exponentialð Þ ð25Þ
EL¼ L 1�Pd Ps xð Þð Þ½ �Ps xð Þ ð26Þ
Fig. 37 shows how the optimum level of investment (xn), theoptimal objective value (Zn), and the expected loss (EL) change asthe loss L changes.
At low levels of the loss L, it is not cost-effective to invest indefense, so the defender chooses zero investment in security. Once Lis big enough to justify investing in security, the optimal investmentlevel xn is increasing in the loss L (see Fig. 37). The success probabilityof an attack is initially 1, and then is decreasing in L. The probabilityof deterrence is initially decreasing in L, because as L gets larger, thesystem becomes more attractive to the attacker; however, when thedefender starts investing, the probability of deterrence becomesincreasing in L (see Fig. 38). The objective-function value Z is alsoincreasing in L, due to the increasing investment cost xn. Note thatonce the optimal investment level becomes positive, the expected
0
20
40
60
80
100
0.005 0.05 0.5 5a (logarithmic scale)
EL(xN*)
EL(xD*)
Fig. 34. Expected loss as a function of a for non-deterrence and deterrence modelswhere Ps(x) is exponential (L¼100 and α¼2, β¼2).
0
20
40
60
80
100
0.005 0.05 0.5 5a (logarithmic scale)
zD(xN*)
zD(xD*)
Fig. 33. Optimum objective values as a function of a for non-deterrence anddeterrence models where Ps(x) is exponential (L¼100 and α¼2, β¼2).
0
5
10
15
20
25
0 20 40 60 80 100L
xN*
xD*
Fig. 35. Optimum investment as a function of the loss L from a successful attack fornon-deterrence and deterrence models (a¼0.1 and α¼2, β¼2).
0
10
20
30
40
0 20 40 60 80 100L
zN
zD
Fig. 36. Value of objective function as a function of the loss L from a successfulattack for non-deterrence and deterrence models (a¼0.1 and α¼2, β¼2).
V.M. Bier, F. Kosanoglu / Reliability Engineering and System Safety 136 (2015) 35–4644
loss EL stays approximately constant. In other words, the defenderinvests just enough to compensate for the expected loss.
These results indicate that as the target value increases, thedefender invests more in protection to reduce the success prob-ability of an attack, and consequently increase the probability ofdeterrence. Thus, higher-value targets can in general expect to getmore protection, pushing attacks down to lower-valued targets. Inother words, in a well-functioning system, there should be fewattacks on large targets, and more attacks on small targets.
This is consistent with much real-world experience. For exam-ple, in Israel, there have been many attacks, but so far nosuccessful attacks against truly critical targets (e.g., the Knessetbuilding). Table 1 shows that no bombing attack in Israel since2000 has led to more than about 30 fatalities. In other words,Israel has successfully prevented or deterred catastrophic attacks,
resulting in attacks with relatively modest (although still tragic)numbers of fatalities.
6. Conclusions and directions for future work
This article is an initial attempt to model attacker deterrenceusing target-oriented utility theory. The results provide the optimallevels of investment in security, taking into account the possibility ofdeterring an attacker. Our results indicate, not surprisingly, that thetarget-oriented model results in a better value of the defender’sobjective function than conventional game-theoretic models that donot consider deterrence. However, that improvement can arise forone of two different reasons; by spending less on defense when thecost effectiveness of defense is high, or by achieving improvedsecurity (due to the possibility of deterrence) when the cost effec-tiveness of defense is low. These results obviously depend on theassumption that an attacker might give up attacking for somefeasible level of defensive investment.
Our results also support the idea that defending series systemsis more difficult than defending parallel systems. In particular, forlow values of cost-effectiveness and loss, it is not worth investingin defense of series systems at all. However, when the cost-effectiveness of investment and the loss from a successful attackare large enough to justify investing in defense of a series system,series systems require higher levels of defensive investment thancomparable parallel systems.
Finally, the results indicate that target value is an importantinfluence on defensive resource allocation. In particular, as the targetvalue increases, the defender chooses to invest more in protection,to reduce the success probability of an attack, and consequentlyincrease the probability of deterrence. Therefore, targets with highervalues might in general be expected to get more protection, pushingattacks down to lower-valued targets. In other words, in a well-functioning system, there should be few if any successful attacks onlarge targets, and more attacks on small targets, which is exactlywhat we see in the Israeli experience, for example.
Our model can be extended in numerous ways. For example, inthis paper, we apply our model only to single-component and two-component systems in series and parallel, but these are obviously oflimited applicability in the real world. Thus, it would be worthwhileto extend this model to systems with more than two components,and to more complex systems consisting of multiple series andparallel subsystems (e.g., transportation or electricity networks).
Additionally, it might be worthwhile to extend our model toinclude retaliation for a successful attack as well as investment insecurity. When an attacker believes that the defender would retaliateafter an attack, it may be possible for the defender to deter an attackwith less investment, as long as the retaliation is considered a“credible threat” by the attacker [25,26]. Note also that retaliationmay be more important for systems where an attacker can attackrepeatedly at modest effort (e.g., attacks against computer networks).This is because the attacker might be expected to attack in such caseseven if the success probability of an attack is low, if he is notconcerned about retaliation.
Models where the perceived value of a successful attack to theattacker differs from the loss to the defender might be anotherimportant extension. In our model, we treat the loss from asuccessful attack as a constant, which is assumed to be the samefor both the defender and the attacker. However, the valuation ofthe target may be different for the attacker and the defender.Moreover, one could also treat the defender’s perception of theattacker’s valuation as being uncertain or probabilistic [22].
Finally, the assessment of parameter values for deterrence modelsis of crucial importance. As long as data directly relevant todeterrence of terrorism is sparse or unavailable, it will be difficult
0
5
10
15
20
25
0 20 40 60 80 100L
ZxEL
Fig. 37. Value of the objective function, optimum investment level, and expectedloss EL as functions of the loss from an attempted attack (a¼0.1, s¼2).
0
0.2
0.4
0.6
0.8
1
0 20 40 60 80 100L
P(success)
P(deter)
Fig. 38. Probability of success and probability of deterrence as a function of the lossfrom an attempted attack (a¼0.1, s¼2).
Table 1Attacks in Israel since 2000 (Source: Israel Ministry of Foreign Affairs).
Year Number ofbombingattacks
Number of deaths dueto bombing attacks
Maximum number of deathsin any one bombing attack
2000 100 10 22001 565 100 212002 767 269 302003 471 151 232004 653 69 322005 234 26 72006 271 16 112007 271 5 32008 178 5 12009 32 1 12010 0 0 02011 1 8 82012 1 6 6
V.M. Bier, F. Kosanoglu / Reliability Engineering and System Safety 136 (2015) 35–46 45
to estimate parameters of this model. However, interview methodscan be used to estimate the deterrence behavior of attackers [30,31].Another method that could be used to estimate deterrence para-meters, target values, etc. is expert opinion [33]. Numerous analyticalmethods for using expert opinion have been developed. Probabilisticinversion could also be used for parameter values that are difficult forthe experts to estimate directly [34,35].
Acknowledgements
This material based upon work supported in part by the NationalCenter for Risk and Economic Analysis of Terrorism Events (CREATE)under award number 2010-ST-061-RE0001 from the Department ofHomeland Security. Any opinions, findings, and conclusions or recom-mendations expressed in this material are those of the authors and donot necessarily reflect the views of the sponsor.
References
[1] V Bier, V Abhichandani. Optimal allocation of resources for defense of simpleseries and parallel systems from determined adversaries. In: Proceedings ofthe engineering foundation conference on risk-based decision making inwater resources X. American Society of Civil Engineers. Santa Barbara, CA;2002.
[2] Bier VM, Nagaraj A, Abhichandani V. Protection of simple series and parallelsystems with components of different values. Reliab Eng Syst Saf 2005;87(3):315–23.
[3] Levitin G, Dai Y, Xie M, Poh KL. Optimizing survivability of multi-state systemswith multi-level protection by multi-processor genetic algorithm. Reliab EngSyst Saf 2003;82(1):93–104.
[4] Levitin G, Lisnianski A. Optimizing survivability of vulnerable series–parallelmulti-state systems. Reliab Eng Syst Saf 2003;79(3):319–31.
[5] Levitin G, Lisnianski A. Optimal separation of elements in vulnerable multi-state systems. Reliab Eng Syst Saf 2001;73(1):55–66.
[6] Levitin G. Optimal multilevel protection in series–parallel systems. Reliab EngSyst Saf 2003;81(1):93–102.
[7] Levitin G. Optimal defense strategy against intentional attacks. IEEE TransReliab 2007;56(1):148–57.
[8] Levitin G, Hausken K. Protection vs. redundancy in homogeneous parallelsystems. Reliab Eng Syst Saf 2008;93(10):1444–51.
[9] Hausken K, Levitin G. Minmax defense strategy for complex multi-statesystems. Reliab Eng Syst Saf 2009;94(2):577–87.
[10] Levitin G, Hausken K. False targets efficiency in defense strategy. Eur J OperRes 2009;194(1):155–62.
[11] Hausken K, Levitin G. Protection vs. false targets in series systems. Reliab EngSyst Saf 2009;94(5):973–81.
[12] Levitin G, Hausken K. False targets vs. redundancy in homogeneous parallelsystems. Reliab Eng Syst Saf 2009;94(2):588–95.
[13] Kunreuther H, Heal G. Interdependent security. J Risk Uncertainty 2003;26(2):231–49.
[14] Heal G, Kunreuther H. Modeling interdependent risks. Risk Anal 2007;27(3):621–34.
[15] Miller GD. Terrorist decision making and the deterrence problem. StudConflict Terrorism 2013;36(2):132–51.
[16] W.L. McGill. Defensive dissuasion in security risk management. In: IEEEinternational conference on systems, man and cybernetics. San Antonio; 2009.
[17] Sandler T, Arce DG. Terrorism & game theory. Simul Gaming 2003;34(3):319–37.
[18] Arce DG, Kovenock D, Roberson B. Weakest-link attacker-defender games withmultiple attack technologies. Naval Res Logist 2012;59(6):457–69.
[19] Powell R. Sequential, nonzero-sum Blotto: allocating defensive resources priorto attack. Games Econ Behav 2009;67(2):611–5.
[20] Hausken K. On the impossibility of deterrence in sequential Colonel Blottogames. Int Game Theory Rev 2012;14(2).
[21] Bier V, Oliveros S, Samuelson L. Choosing what to protect: strategic defensiveallocation against an unknown attacker. J Publ Econ Theory 2007;9(4):563–87.
[22] Bier VM, Haphuriwat N, Menoyo J, Zimmerman R, Culpen AM. Optimalresource allocation for defense of targets based on differing measures ofattractiveness. Risk Anal 2008;28(3):763–70.
[23] Hausken K, Zhuang J. The timing and deterrence of terrorist attacks due toexogenous dynamics. J Oper Res Soc 2012;63(6):726–35.
[24] Azaiez M, Bier VM. Optimal resource allocation for security in reliabilitysystems. Eur J Oper Res 2007;181(2):773–86.
[25] Bier V, Haphuriwat N. Analytical method to identify the number of containersto inspect at U.S. ports to deter terrorist attacks. Ann Oper Res 2011;187(1):137–58.
[26] Haphuriwat N, Bier VM, Willis HH. Deterring the smuggling of nuclearweapons in container freight through detection and retaliation. Decis Anal2011;8(2):88–102.
[27] Bordley RF, Kirkwood CW. Multiattribute preference analysis with perfor-mance targets. Oper Res 2004;52(6):823–35.
[28] Hausken K, Levitin G. Review of systems defense and attack models. Int JPerform Eng 2012;8(4):355–66.
[29] Coolen FP. Parametric probability distributions in reliability. Encycl Quant RiskAnal Assess 2008.
[30] Anthony R. A calibrated model of the psychology of deterrence. Bull Narc2004;LVI:49–64.
[31] Loughran TA, Pogarsky G, Piquero AR, Paternoster R. Re-examining thefunctional form of the certainty effect in deterrence theory. Justice Q2011;10:1–30.
[32] Jones M. Kumaraswamy’s distribution: a beta-type distribution with sometractability advantages. Stat Methodol 2009;6(1):70–81.
[33] Cooke R. Experts in uncertainty: opinion and subjective probability in science.New York & Oxford: Oxford University Press; 1991.
[34] Du C, Kurowicka D, Cooke R. Techniques for generic probabilistic inversion.Comput Stat Data Anal 2006;50(5):1164–87.
[35] Kraan B, Bedford T. Probabilistic inversion of expert judgments in thequantification of model uncertainty. Manage Sci 2005;51(6):995–1006.
V.M. Bier, F. Kosanoglu / Reliability Engineering and System Safety 136 (2015) 35–4646
