ArticlePDF Available

Analytical method to identify the number of containers to inspect at U.S. ports to deter terrorist attacks

DOI:10.1007/s10479-009-0665-6
Authors:
Vicki M. Bier at University of Wisconsin–Madison
Vicki M. Bier
Naraphorn Paoprasert at Kasetsart University
Naraphorn Paoprasert
Download full-text PDF
Read full-text
Download citation

Abstract and Figures

In this paper, we investigate how many containers would need to be screened in order to deter attackers from attempting to smuggle weapons into a defending country in container freight. We hypothesize that with a sufficiently high probability of being detected, attackers might be deterred from smuggling attempts. Thus, our goal is to identify the optimal proportion of containers to inspect in order to minimize the defender’s expected loss, using game theory to reflect the fact that attackers are simultaneously trying to maximize their expected rewards. Moreover, our model recognizes that the container-screening policy must simultaneously protect against different types of threats (such as nuclear bombs, dirty bombs, and assault rifles). Finally, our model also suggests that threatening to retaliate against attacks may be beneficial to defenders, as long as the threat is credible.
Figures - uploaded by Naraphorn Paoprasert
Author content
All figure content in this area was uploaded by Naraphorn Paoprasert
Content may be subject to copyright.
Content uploaded by Naraphorn Paoprasert
Author content
All content in this area was uploaded by Naraphorn Paoprasert on Jul 22, 2020
Content may be subject to copyright.
Reliability Engineering and System Safety 92 (2007) 1155–1161
Methodology for identifying near-optimal interdiction strategies for
a power transmission system
Vicki M. Bier
a,
, Eli R. Gratz
a
, Naraphorn J. Haphuriwat
a
, Wairimu Magua
a
,
Kevin R. Wierzbicki
b
a
Department of Industrial and Systems Engineering, University of Wisconsin-Madison, Madison, WI 53711, USA
b
Department of Electrical and Computer Engineering, University of Wisconsin-Madison, Madison, WI 53711, USA
Available online 18 October 2006
Abstract
Previous methods for assessing the vulnerability of complex systems to intentional attacks or interdiction have either not been
adequate to deal with systems in which flow readjusts dynamically (such as electricity transmission systems), or have been complex and
computationally difficult. We propose a relatively simple, inexpensive, and practical method (‘‘Max Line’’) for identifying promising
interdiction strategies in such systems. The method is based on a greedy algorithm in which, at each iteration, the transmission line with
the highest load is interdicted. We apply this method to sample electrical transmission systems from the Reliability Test System
developed by the Institute of Electrical and Electronics Engineers, and compare our method and results with those of other proposed
approaches for vulnerability assessment. We also study the effectiveness of protecting those transmission lines identified as promising
candidates for interdiction. These comparisons shed light on the relative merits of the various vulnerability assessment methods, as well
as providing insights that can help to guide the allocation of scarce resources for defensive investment.
r2006 Elsevier Ltd. All rights reserved.
Keywords: Vulnerability assessment; Transmission systems; Greedy algorithm; Interdiction; Hardening
1. Overview
Electric power transmission grids are an important
component of the modern economy [1]. We rely on
electricity for communications, light, water, transporta-
tion, heating, and industry, among other critical uses of
power. As a result, numerous researchers have studied the
risk of electric blackouts. For example, Carreras et al. [2]
and Chen et al. [3] studied blackouts in the North
American electric power transmission system from 1984
to 1999 and found that blackout sizes show a power law
distribution. At a more theoretical level, Carreras et al. [2]
and Liao et al. [4] studied the probability of cascading
failures in simple models of electric power networks; Mili et
al. [5] proposed methodologies and algorithms to assess the
conditional probability of catastrophic failure in electric
transmission systems; and Phadke [6] described possible
mechanisms of hidden (i.e., undetected or latent) failures in
electric power systems.
Vulnerability studies have been recognized as being
important in assessing the reliability of critical infrastruc-
ture and helping to guide defensive investments since even
before the terrorist attacks on September 11, 2001 [7]. See
for example Guzie [8] for an application of vulnerability
analysis to military systems, and Ezell et al. [9–11] for
applications to water systems. Methods for assessing and
improving the vulnerabilities of critical infrastructure have
also been the focus of substantial government research
programs; see for example Los Alamos National Labora-
tory [12].
One of the most promising approaches for vulnerability
assessment is that proposed by Apostolakis and Lemon
[13], who present a methodology to identify critical
locations in infrastructure. In particular, this methodology
explicitly takes into account the complex networked
structures of many infrastructure systems. However, their
ARTICLE IN PRESS
www.elsevier.com/locate/ress
0951-8320/$ - see front matter r2006 Elsevier Ltd. All rights reserved.
doi:10.1016/j.ress.2006.08.007
Corresponding author. Tel.: +1608 262 2064; fax: +1608 262 8454.
E-mail address: bier@engr.wisc.edu (V.M. Bier).
URL: http://www.engr.wisc.edu/ie/faculty/bier_vicki.html.
approach is limited to distribution systems (with one-
directional flows), in which the consequences of interdict-
ing a given line can be determined in a straightforward
manner.
The method of Apostolakis and Lemon [13] has a
different purpose than ours, since it is designed to identify
the geographic locations of key vulnerabilities in numerous
collocated infrastructures. Still, it would be worthwhile to
extend this methodology to transmission systems, since
Zimmerman et al. [14] (in a study of the risks, con-
sequences, and economic impacts of electricity system
problems) state that the majority of electricity outages and
terrorist attacks on electricity systems involve damage to
transmission equipment. This will require some method of
accounting for the fact that transmission systems can have
bi-directional flows, and that flows can therefore be
reconfigured dynamically after one or more transmission
lines have been removed.
Salmeron et al. [15] model interdiction of lines and/or
nodes in an electricity transmission system using a non-
linear program. However, their formulation of the problem
is difficult to solve, since it involves a nested optimization
(minimization of costs to determine power flows on the
network, with maximization of damage to identify an
interdiction strategy), with the outer loop entailing max-
imization of a convex rather than a concave function. They
are able to solve their model only using a heuristic
algorithm, so the resulting interdiction strategies are not
known to be optimal. The non-linear programming
approach also seems impractical for use on large problems,
so we based our methodology on that of Apostolakis and
Lemon [13].
In extending the work of Apostolakis and Lemon [13] to
transmission systems, we initially considered the option of
taking out transmission lines randomly, in an approach
similar to that applied by Schaefer and Bajpai [16,17] (see
also [18]) in the context of load-bearing members of
buildings or other structures. However, while potentially
useful in anticipating ‘‘unforeseen hazards’’ in general, that
approach did not seem adequate for modeling the effects of
terrorist actions or other intentional malevolent acts, where
presumably some intelligence is devoted to determining
which elements to attack. It also had the potential to be
computationally costly, if large numbers of random
‘‘attacks’’ were needed to identify a few that were seriously
damaging. Therefore, we decided to take out transmission
lines in decreasing order of load. Albert et al. [19] indicated
that ‘‘connectivity loss is significantly higher’’ when
interdiction of transmission-system components is in
decreasing order of load rather than random.
The resulting method offers a viable way of identifying
strategies that result in substantial unmet demand for
electricity. Our method extends the work of Apostolakis
and Lemon [13] from distribution networks to transmission
networks, yielding results that compare favorably to those
of Salmeron et al. [15]. The methodology reflects the
dynamic nature of transmission grid power flow, but is
simple enough to implement in practice even for relatively
complex systems. We use the same nested optimization
approach as Salmeron et al. [15], but our method avoids
their computational difficulties, since in our method the
outer maximization loop is trivial and can be solved by
inspection.
2. Case study and approach
We apply our method to the IEEE Reliability Test
System—1996 [20], which is designed to be representative
of typical transmission systems. We analyze both the IEEE
One Area RTS-96, and the IEEE Two Area RTS-96 (which
combines two separate areas using three interconnections).
We model the IEEE One Area RTS-96 using 24 nodes and
38 arcs, and the IEEE Two Area RTS-96 as a network
consisting of 48 nodes and 79 arcs.
We base our analysis on DC power flow, with optimal
dispatch of the generators. DC power flow is a linearized,
static model of the real power flows on the network; this is
a standard and useful simplification. Generators, loads,
transformers, transmission lines, and other specialized
devices have more elaborate models that are needed in
some situations; actual power networks also exhibit
reactive power flows, manual and automatic control
actions, nonlinear and transient dynamics, and hybrid
system effects due to protection and control system limits
that can affect the consequences of network attacks. For
example, an attack on a highly stressed network could lead
to loss of an equilibrium solution, collapsing voltages, and
a widespread blackout. We do not model these more
elaborate effects in this paper. One might expect terrorists
to also begin their analysis with the most essential and
basic system model.
Our approach is based on three nested algorithms: a
load-flow algorithm; a Max Line interdiction algorithm;
and a hardening algorithm. The load-flow algorithm is
used to determine optimal DC power flow dispatch on the
transmission network, both before and after any interdic-
tion of transmission lines. The Max Line interdiction
algorithm identifies the transmission line transporting the
most DC flow (to be removed from the network by
supposed malevolent attackers), after which flows are re-
optimized using the load-flow algorithm. We refer to each
cycle of interdiction and re-optimization as an iteration.
The hardening algorithm then simulates a system upgrade
by hardening (making invulnerable) some of the transmis-
sion lines identified for interdiction by the Max Line
algorithm. After hardening has been implemented, the Max
Line algorithm can then be applied in successive iterations
to identify ‘‘next best’’ interdiction strategies. These
algorithms are described in Sections 3–5, respectively.
For simplicity, we consider only the interdiction of
electric transmission lines (arcs), not nodes (such
as transformers). We compare our methods and results
to those of Salmeron et al. [15] and Apostolakis and
Lemon [13].
ARTICLE IN PRESS
V.M. Bier et al. / Reliability Engineering and System Safety 92 (2007) 1155–11611156
We now introduce the following notation used in
describing our algorithms:
Bset of nodes in the network, indexed by i
Lset of lines in the network, indexed by k
G
i
generation at node i
L
i
load supply at node i
L
i, demand
load demand at node i
L
i
(t) load supply at node iafter iteration tof the
Max Line algorithm
F
k
negative or positive power flow on line k(to
reflect bi-directional flow)
F
k, max
maximum power flow permitted on line k(in
absolute value)
Fvector of F
k
for all kAL
P
i
total power at node i(given by G
i
-L
i
)
Pvector of P
i
for all iAB
W
gen, i
cost of generation at node i
W
shed, i
cost of load shedding at node i
MDC load flow matrix relating the line flows F
to the power levels P
k*(t) index of the line with the highest absolute
value of power flow at iteration tof the Max
Line algorithm
K(t)set of lines attacked in iteration tof the Max
Line algorithm
Aordered set of (sets of) attacked lines, K(t)
A(s)ordered set of (sets of) attacked lines after
iteration sof the hardening algorithm
Hset of hardened lines
3. Load-flow algorithm
To simulate power flows on the network, we use a DC
load-flow model (Salmeron et al. [15]; Carreras et al. [2]).
This optimization problem minimizes the cost function
XðGiWgen;iLiWshed;iÞ(1)
subject to the following constraints:
0pGipGi;max (2)
Li;demandpLip0 (3)
Fk;maxpFkpFk;max (4)
F¼MP (5)
For any given set of available lines, both generation and
load flows are assumed to be determined as the solution to
the above optimal dispatch problem. The objective is to
minimize the combined cost of generation and unmet
demands. Constraint (2) ensures that no generator exceeds
its maximum power output. Constraint (3) ensures that the
load supplied at any given node does not exceed the
corresponding demand. Constraint (4) ensures that power
flows on the lines remain within safe margins. Constraint
(5) is a matrix equation relating the vector of power levels
at each node with the vector of power flows on each line
through the constraint matrix M. For details, consult
Carreras et al. [2] or Salmeron et al. [15].
In general, the costs or weights, W
gen, i
and W
shed, i
, can
take on different values at each node, representing different
prices at each generator and different levels of importance
of each load respectively. However, in our case, we set each
generator price to 1 and each load importance to 100, as in
Carreras et al. [2].
4. The Max Line interdiction algorithm
We assume that the attacker uses a greedy algorithm
where, at each iteration, the line with the maximum flow is
effectively disabled or removed from the system. The load-
flow algorithm is then run to compute the optimal power
dispatch on the revised system. The interdiction algorithm
is terminated after a predetermined number of steps. The
algorithm can be summarized as follows:
Step 1: The system is initialized at iteration t¼0, at which
time the sets Aand K(t) are empty. The set His
also empty, unless the hardening algorithm has
already been run one or more times, in which case
Hcontains the lines selected for hardening as a
result of that algorithm.
Step 2: The load-flow algorithm is run, and optimal
dispatch is determined. The resulting load shed or
unmet demand (which may be zero), L
i, demand
L
i
(t), at each bus iABis recorded.
Step 3: The line k*(t) whose absolute value of power flow
is given by {max|F
k
(t)|: kALH} is found, and
k*(t) is added to K(t). In the case where there is
more than one such line, k*(t) is chosen at random
from those lines whose absolute value of power
flow is equal to {max|F
k
(t)|: kALH}. Any lines in
close geographical proximity to k*(t) are also
added to K(t).
Step 4: The lines in K(t) are removed from the network by
setting F
k, max
to zero for all kAK(t). These changes
remain in effect through all subsequent iterations
of the interdiction algorithm. The set K(t) is also
added as the tth element of the ordered set A.
Step 5: The index tis incremented by 1, and the algorithm
returns to Step 2, unless it has reached the pre-
determined maximum number of iterations.
5. Hardening algorithm
The hardening algorithm can be run after the Max Line
interdiction algorithm to simulate an ‘‘improvement’’ of
the system to reduce the consequences of an attack. In this
case, the interdiction algorithm is rerun after each
successive run of the hardening algorithm to investigate
the effectiveness of the postulated system hardening.
ARTICLE IN PRESS
V.M. Bier et al. / Reliability Engineering and System Safety 92 (2007) 1155–1161 1157
The hardening algorithm is summarized below:
Step H-1: The system is initialized at iteration s¼0, with
the set Hempty.
Step H-2: The Max Line interdiction algorithm is run for
some number of iterations t, resulting in an
ordered set A(s) consisting of tsets of attacked
lines.
Step H-3: The first nelements of A(s), K(1) through K(n),
are chosen for hardening, and added to the set
of hardened lines H. (In the application of this
algorithm in Section 6, we choose n¼5 for the
one-area network and n¼10 for the two-area
network.) The hardened lines are no longer
candidates for interdiction, as shown in Step 3
of the Max Line interdiction algorithm.
Step H-4: The hardening index sis incremented by 1, and
the program returns to step H-2, unless it has
reached the maximum number of hardening
iterations.
6. Results
In Fig. 1, we graph the load shed pattern that would
result from the first 14 iterations of the Max Line algorithm
applied to the one-area system. Each of the iterations on
the horizontal axis represents the removal of a line or two
or more lines in close geographical proximity as described
in RTS-96 from the network. The corresponding value on
the vertical axis shows the unmet load after optimal re-
dispatch of power flow on the remaining lines.
In our proposed interdiction plan, the first three
iterations of the algorithm (leading to the interdiction of
four transmission lines) in the one-area system result in a
44% loss of load, indicating that attacking only 11% of the
transmission lines in the system would result in significant
unmet demand. The first nine iterations (corresponding to
11 transmission lines, and roughly a third of the lines in the
system) result in a 56% loss of load. Removing additional
lines does not result in substantial additional loss of load,
because the system is already largely unconnected and
serving primarily local loads by this point.
We now compare the results of our methodology with
those obtained by Salmeron et al. [15], who developed two
candidate interdiction plans for the IEEE One Area RTS-
96. Since we do not consider the interdiction of substations
in our method, we therefore compare our results only to
the line interdiction strategy (Plan 2) developed by
Salmeron et al. [15]. Nine lines are interdicted in Plan 2
(corresponding to six sets of lines in close geographical
proximity).
As illustrated in Fig. 1, Plan 2 of Salmeron et al. [15]
results in shedding about 48% of the total system demand
after six sets of lines have been removed (Salmeron et al.
[15] do not provide intermediate results showing the load
shed when smaller numbers of lines are removed). By
contrast, the Max Line algorithm results in a 50% load
shed after six iterations (corresponding to eight lines). Note
that the transmission lines interdicted in the strategy
proposed by Salmeron et al. [15] differ somewhat from
those interdicted by our strategy.
We also study the IEEE Two Area RTS-96. Plan 3
proposed by Salmeron et al. [15] sheds approximately 44%
of the system load after the removal of 11 sets of lines in
close geographical proximity (corresponding to 17 trans-
mission lines). By contrast, the Max Line algorithm results
in 45% load shed after 11 iterations (corresponding to 15
lines) (Fig. 2).
Thus, the Max Line interdiction strategy reasonably
approximates the load shed by the near-optimal attack
plan developed by Salmeron et al. [15]. Note, however that
Salmeron et al. [15] do not weight all transmission-system
components equally. Therefore, it is possible that their
ARTICLE IN PRESS
0 2 4 6 8 10 12 14
0
10
20
30
40
50
60
70
80
90
100
Iterations
Load Shed as Percentage of Total
System Demand
Max Line Interdiction
Salmeron Plan 2
Fig. 1. Load shed comparison between the Max Line interdiction strategy
and Plan 2 of Salemeron et al. for the One Area RTS-96.
0 5 10 15 20
0
10
20
30
40
50
60
70
80
90
100
Iterations
Load Shed as Percentage of Total
System Demand
Max Line Interdiction
Salmeron Plan 3
Fig. 2. Load shed comparison between the Max Line interdiction strategy
and Plan 3 of Salmeron et al. [15] for the Two Area RTS-96.
V.M. Bier et al. / Reliability Engineering and System Safety 92 (2007) 1155–11611158
algorithm would perform better than ours if both
algorithms were applied using the same weights. However,
Salmeron et al. [15] specifically state that the weights are
chosen to improve the efficiency of their algorithm. In any
case, we find the performance of the two approaches to be
remarkably close.
We now compare the Max Line strategy against random
removal of lines from the one-area transmission system. In
this example, the first five iterations (corresponding to
seven randomly chosen transmission lines) shed only 9% of
the total system demand. By contrast, the first five
iterations of the Max Line algorithm (corresponding to
seven transmission lines) result in a loss of approximately
46% of the total system demand, as shown in Fig. 3.We
conclude that random interdiction appears to be an
inefficient strategy for identifying vulnerabilities (although
even random interdiction can have a significant effect on
system connectivity if a sufficiently large number of lines
are interdicted, as shown in Fig. 3).
Next, we apply the hardening algorithm to simulate an
upgrade of the system, as described in Section 5. This
examines the impact of protecting attractive targets in both
the IEEE One Area RTS-96 and the IEEE Two Area RTS-
96. H0 represents the original interdiction strategy, as
shown in Figs. 4 or 5, as appropriate. Strategies H1, H2,
and H3 show the interdiction strategies obtained after each
of three iterations of the hardening algorithm.
For the IEEE One Area RTS-96, strategy H0 (with no
hardening) results in a loss of 56% of the total system
demand. By contrast, strategy H3, after hardening 15 sets
of transmission lines in close geographical proximity
(approximately 39% of all lines in the system) still results
in a loss of 42% of the total system demand.
We now study the same cycle of hardening and
interdiction for the IEEE Two Area RTS-96. The results
are shown in Fig. 5. Strategy H0 results in a loss of 56% of
total system demand. Strategy H3, after hardening 39% of
the transmission lines in the system, results in a loss of 39%
of total system demand.
In fact, hardening can even have a negative impact on
the system, resulting in slight increases in the amount of
load shed for a given number of iterations. Presumably,
this is because the greedy nature of our Max Line
algorithm does not always identify the optimal interdiction
strategy. Thus, applying the Max Line algorithm to a
hardened transmission network may fortuitously result in
identification of a better interdiction strategy than that
found by applying the algorithm to the original non-
hardened network.
Overall, our results cast doubt on the observation by
Salmeron et al. [15] that ‘‘By considering the largest possible
disruptions, our proposed plan will be appropriately
ARTICLE IN PRESS
0 2 4 6 8 10 12 14
0
10
20
30
40
50
60
70
80
90
100
Iterations
Load Shed as Percentage of Total
System Demand
Max Line Interdiction
Random Interdiction
Fig. 3. Load shed comparison between the Max Line interdiction strategy
and random removal of transmission lines for the One Area RTS-96.
0 2 4 6 8 10 12 14
0
10
20
30
40
50
60
70
80
90
100
Iterations
Load Shed as Percentage of Total
System Demand
H0
H1
H2
H3
Fig. 4. Interdiction strategies generated after hardening of the One Area
RTS-96.
0 5 10 15 20
0
10
20
30
40
50
60
70
80
90
100
Iterations
Load Shed as Percentage of Total
System Demand
H0
H1
H3
H3
Fig. 5. Interdiction strategies generated after hardening of the Two Area
RTS-96.
V.M. Bier et al. / Reliability Engineering and System Safety 92 (2007) 1155–1161 1159
conservative.’’ In fact, we observe that hardening even a
significant percentage of the transmission lines in the
system does not dramatically diminish the load that can be
shed as the result of an intelligent attack. Thus, while our
results compare favorably with those of Salmeron et al.
[15], it is not clear that either approach will be a helpful
guide to system hardening, mainly because hardening of
lines seems unlikely to be cost effective.
7. Conclusions and directions for future research
In this paper, we developed a relatively simple,
inexpensive, and viable method of identifying promising
attack strategies. The impacts of our Max Line interdiction
strategies for two sample transmission grids are compar-
able to interdiction strategies developed by Salmeron et al.
[15]. However, our method and that developed by
Salmeron et al. [15] identify different sets of vulnerable
transmission lines. Therefore, a single run of either method
will likely not be sufficient to identify all critical
vulnerabilities. Moreover, our results suggest that hard-
ening transmission lines is not likely to be cost effective,
since interdiction can still cause substantial unmet demand
even after significant system hardening.
Our work so far does have some important caveats.
First, we considered transmission lines to be the only
vulnerable components of a transmission system. More-
over, our interdiction and load-flow algorithms consider
only power flows, and not the criticality of particular loads
or demands.
In future research, this method could be extended to
address other components of transmission systems, such as
transformers (which would be represented as nodes rather
than arcs). This is an important extension, since Zimmer-
man et al. [14] note that transformers are especially difficult
and time consuming to replace. It would also be desirable
to extend the algorithm to identify additional complexities
of transmission networks (such as reactive power), and the
possibility that some types of interdiction strategies may
trigger cascading power failures. The possibility of cascad-
ing power failures was not considered in our algorithm, but
could obviously amplify the effectiveness of line interdic-
tion, as shown in the blackout of August 2003 [1].
Finally, it would be helpful to adapt our algorithm to
take into account the importance of different loads, as
done by Salmeron et al. [15]. In particular, Zimmerman et
al. [14] note that disrupting electrical supply to certain
demand sectors (for example, transportation, or other
types of critical infrastructure that depend on electricity)
could have disproportionate impacts. Such prioritization of
customers, which we have not yet considered, could well
provide greater justification for hardening lines serving
high priority loads.
We also believe that the general approach outlined in
this paper (the Max Line greedy interdiction algorithm)
could be extended to identify critical components in other
types of systems, such as structures ([16, 17]; see also [18]),
water distribution systems [21], and ground transportation
systems. Of course, the algorithm for re-optimizing load (in
structures) or flow (in water or transportation systems)
would be different from the load-flow algorithm used here
for electricity transmission systems. However, we believe
that the general approach embodied in the Max Line
algorithm could still be applied to such systems with
reasonable results.
Acknowledgements
This material is based upon work supported in part by
the US Army Research Laboratory and the US Army
Research Office under grant number DAAD19-01-1-0502,
the US National Science Foundation under grant number
ECS-0214369, and the Department of Homeland Security
under grant number EMW-2004-GR-0112. Any opinions,
findings, and conclusions or recommendations expressed in
this material are those of the authors and do not
necessarily reflect the views of the sponsors. The authors
would also like to acknowledge Prof. Ian Dobson of the
Department of Electrical and Computer Engineering at the
University of Wisconsin-Madison for his guidance and
helpful contributions to this study.
References
[1] Electricity Consumers Resource Council. The economic impacts of
the August 2003 blackout. Washington, DC, 2004.
[2] Carreras BA, Lynch VE, Dobson I, Newman DE. Critical points and
transitions in an electrical power transmission model for cascading
failure blackout. CHAOS 2002;12(4).
[3] Chen J, Thorp JS, Parashar M. Analysis of electric power system
disturbance data. Hawaii international conference on system sciences,
Maui, HI, 2001.
[4] Liao H, Apt J, Talukdar S. Phase transitions in the probability of
cascading failures. Working paper 04-08, Carnegie Mellon Electricity
Industry Center, 2004.
[5] Mili L, Qiu Q, Phadke AG. Risk assessment of catastrophic failures
in electric power systems. Int J Crit Infrastruct 2004;1(1).
[6] Phadke AG. Hidden failures in electric power systems. Int J Crit
Infrastruct 2004;1(1).
[7] North American Electric Reliability Council. An approach to action
for the electricity sector. Working Group Forum on critical
infrastructure protection, Princeton, NJ, 2001.
[8] Guzie GL. Vulnerability risk assessment, US Army Research
Laboratory, 2000.
[9] Ezell BC, Farr JV, Wiese I. Infrastructure risk analysis model. J
Infrastruct Syst 2000;6(3).
[10] Ezell BC, Farr JV, Wiese I. Infrastructure risk analysis of municipal
water distribution system. J Infrastruct Syst 2000;6(3).
[11] Ezell BC, Haimes YY, Lambert JH. Cyber attack to water utility
supervisory control and data acquisition (SCADA) systems. Mil Oper
Res 2001;6(2).
[12] Los Alamos National Laboratory. Critical infrastructure protection
decision Support system (CIP/DSS) project overview. LA-UR-04-
5319, Los Alamos, NM, 2004.
[13] Apostolakis GE, Lemon DM. A screening methodology for
the identification and ranking of infrastructure. Risk Anal
2005;25(2).
[14] Zimmerman R, Restrepo CE, Dooskin NJ, Hartwell RV, Miller JI,
Remington WE, et al. Electricity case: main report—risk, conse-
ARTICLE IN PRESS
V.M. Bier et al. / Reliability Engineering and System Safety 92 (2007) 1155–11611160
quences, and economic accounting. Preliminary report, 2005, http://
www.usc.edu/dept/create/reports/Report05014.pdf.
[15] Salmeron J, Wood K, Baldick R. Analysis of electric grid security
under terrorist threat. IEEE Trans Power Syst 2004;19(2).
[16] Schafer BW, Bajpai P. Stability degradation and redundancy in
damaged Structures. annual technical session and meeting. Structural
Stability Research Council, Long Beach, CA, 2004.
[17] Schafer BW, Bajpai P. Building structural safety decision-making for
severe unforeseen hazards. Proceeding of the 2005 NSF DMII
grantees conference, Scottsdale, AZ, 2005.
[18] Bajpai P, Schafer BW. Progress towards structural design of
unforeseen catastrophic events. ASME National Congress, Washing-
ton, DC, 2003.
[19] Albert R, Albert I, Nakarado GL. Structural vulnerability of the
North American power grid. Phys Rev E 2004;69(2).
[20] Reliability Test System Task Force of the Application of Probability
Methods Subcommittee. The IEEE reliability test system—1996.
IEEE Trans Power Syst 1999;14(3).
[21] Michaud DE, Apostolakis GE. A Methodology for ranking the
elements of water-supply networks. J Infrastruct Syst 2006;12(4).
ARTICLE IN PRESS
V.M. Bier et al. / Reliability Engineering and System Safety 92 (2007) 1155–1161 1161
... In these cases, the model has not specified how deterrence is achieved, only that it is achieved. Finally, deterrence has been calculated through known attacker costs and payoffs [31,32]. If these quantities can be specified, and if the effects of defender actions on attacker payoffs and costs is known, then it is possible to say when the costs outweigh the payoffs for an attacker and thus when that potential attacker will not attack. ...
... However, they also highlighted the need for an audit mechanism to ensure compliance by program participants. Bier and Haphuriwat [32] and Merrick and McLay [31] also studied the deterrence effects of container screening at domestic ports. Merrick and McLay specifically considered Radiation Portal Monitors (RPMs) and the effects of multiple layers of screening as well as false negative rates. ...
... Currently, the various screening probabilities are simply fixed a priori by the defender. It may by possible, though, to draw from related work such as [32,41] to make those screening percentages risk-based and thus calculated via an optimization process. Given the existing model dependencies, it may be difficult to incorporate this into the existing shipper-receiver model; the shipper-received model currently just accepts static parameters from the CSA model. ...
Multi-Game Modeling for Counter-Smuggling
Article
International trade provides an avenue for terrorists to smuggle illicit materials into a target country. Policymakers need models and decision support tools that are both reliable and germane to inform their responses to this. Game theoretic approaches have been used in the analysis of counterterrorism strategies, but the models involved have often been small and abstracted. To address this need, we have developed a multi-game model to account for both security-related and economic aspects of counter-smuggling interdiction efforts. We use different games to represent different types of interactions, and these games are then coupled to each other to form an integrated model. In this paper, we demonstrate the model’s capabilities on a representative system of ports (both foreign and domestic), trade routes, and commodities. We specifically investigate the impacts of changes in screening policies at domestic ports, detection device capabilities, shipping subsidies, and worldwide corruption levels. In these studies, we find that economic factors play a large role in the interdiction task and provide correspondingly important tools for deterrence.
View
... The authors found that more efficient passenger screening strategies could be obtained with two classes of security risks. Similarly, in the model proposed by McLay et al. (2010), passengers sequentially enter a security checkpoint and a pre-screening Port Security and Container Screening (Bakir 2011;Bier and Haphuriwat 2011;Concho and Ramirez-Marquez 2012;McLay and Dreiding 2012;and Bagchi and Paul 2017) Baggage Screening (Virta et al. 2003;Candalino et al. 2004;Feng et al. 2009) Cost Implications of Screening Systems (Cavusoglu et al. 2010;Majeske and Lauer 2012;Bagchi and Paul 2014;and Song and Zhuang 2017) ...
... Bakır (2011) exploits a leader-follower game, whereas, Bier and Haphuriwat (2011) study the same problem using a simultaneous game. The authors identify the right proportion of containers to be screened to minimize the defender's loss. ...
Prevention of Terrorism–An Assessment of Prior POM Work and Future Potentials
Article
  • May 2020
In this paper, we review POM‐based research related to prevention of terrorism. According to the Federal Emergency Management Agency (FEMA) terrorist attacks have the potential to be prevented. Consequently, the focus of this paper is on security enhancement and improving the resiliency of a nation to prevent terrorist attacks. Accordingly, we review articles from the 25 top journals, [following procedures developed by Gupta et al. (2016)], in the fields of Production and Operations Management, Operations Research, Management Science and Supply Chain Management. In addition, we searched some selected journals in the fields of Information Sciences, Political Science and Economics. This literature is organized and reviewed under the following seven core capabilities defined by the Department of Homeland Security (DHS): (1) Intelligence and Information Sharing, (2) Planning, (3) Interdiction and Disruption, (4) Screening, Search, and Detection, (5) Forensics and Attribution, (6) Public Information and Warning, and (7) Operational Coordination. We found that POM research on terrorism is primarily driven by the type of information that a defending country and a terrorist have about each other. Game theory is the main technique that is used in most research papers. Possible directions for future research are discussed.
View
... In the context of network security, several models have been proposed for the strategic allocation of defense resources (Zhuang and Bier 2007, Baykal-Gürsoy et al. 2014, Goyal and Vigier 2014. For instance, Brown et al. (2006), Bier and Haphuriwat (2011), and Alderson et al. (2015, 2018 consider bilevel and trilevel optimization problems to model defender-attacker interactions where each player selects a pure strategy. In contrast, our setting involves randomized strategies, and the combinatorial size of the sets of players' actions does not enable us to solve problem (P) using mixed-integer linear programming techniques. ...
Network Inspection for Detecting Strategic Attacks
Article
  • Jan 2022
Ensuring the security of critical infrastructures is crucial for the society’s welfare and prosperity. However, these infrastructure networks are inherently vulnerable to both intentional and unintentional threats. In “Network Inspection for Detecting Strategic Attacks,” Dahan, Sela, and Amin study a strategic network inspection problem, formulated as a large-scale bilevel optimization problem, in which a utility seeks to determine an inspection strategy with minimum number of smart detectors that ensures a desirable expected detection performance under worst-case attacks. The authors derive structural properties of optimal solutions and show that the problem can be solved using Nash equilibria of a large-scale zero-sum game. Their analysis leads to a computationally tractable and operationally feasible solution approach with theoretical guarantees based on combinatorial objects that capture the nature of equilibrium inspection and attack strategies. Their computational study indicates that utilities can achieve a high level of protection in large-scale networks by strategically positioning a small number of detectors.
View
... Agarwal, Hunt, Srinivasan, & Zhuang (2020) developed centralized and decentralized game-theoretic models to study the strategic behaviors of fire inspection agencies and building owners in the process of fire safety code inspection and compliance. Bier & Haphuriwat (2011) ;Bier, Haphuriwat, Menoyo, Zimmerman, & Culpen (2008) ; Shan & Zhuang (2014) developed game-theoretic models to analyze the retaliation efforts of defenders (official agencies) and attack strategies of smugglers (individual/groups of people) in the context of nuclear smuggling. Strategic interactions between the hackers and defenders in the context of cyber security problems have also successfully attracted the attention of game theory enthusiasts ( Rao et al., 2016;Ten, Manimaran, & Liu, 2010 ). ...
Interplay of Rumor Propagation and Clarification on Social Media during Crisis Events - A Game-Theoretic Approach
Article
For a rapid dissemination of information during crisis events, official agencies and disaster relief organizations have been utilizing social media platforms, which are susceptible to rumor propagation. To minimize the impact of rumors with limited time and resources, the agencies and social media companies not only need to wisely choose the cases to clarify amongst the numerous cases, but they should also make an informed decision on the timing of clarification. Reacting fast can be misjudged as an obvious best policy as partial/imprecise information may fail to contain the impact of the rumors. On the other hand, investment in terms of time, effort, and money to clarify with more complete information also allows the rumors to spread with their full force during the learning phase, thereby making the process of decision-making very challenging. The objective of this paper is to determine the optimal strategies for the official agencies and social media companies by developing two novel sequential game-theoretic models, namely “Rumor Selection for Clarification” and “Learning for Rumor Clarification”, that can help decide which rumor to clarify and when to clarify, respectively. Results from this study indicate that posting verified information on social media reduces the uncertainties involved in rumor transmission, thereby enabling social media users to make informed decisions on whether to support or oppose the rumor being circulated. This verification needs to be obtained within reasonable limits of time and cost to keep the learning process worthwhile.
View
... Fukuyama et al. (1994) analyzed the strategic relationship between environmental agencies and regulated firms and studied the policies that would effectively encourage voluntary compliance. The areas of research where inspection games have been applied to study the optimal strategies of the players include arms control (Kilgour and Brams 1992, Canty et al. 2001, Avenhaus and Canty 2011, smuggling (Sakaguchi 1994, Bier et al. 2008, Bier and Haphuriwat 2011, Hohzaki 2012, Hohzaki and Masuda 2012, Shan and Zhuang 2014, crime fighting (Andreozzi 2004, Pradiptyo 2007, Rauhut and Winter 2012, auditing (Holler and Nguyen 2007, Lu and Sapra 2009, Yim 2009), internal conflict (Fandel andTrockel 2013, Nosenzo et al. 2013), security screening (Wang and Zhuang 2011;Wang et al. 2015;Song and Zhuang 2017a,b), and environmental pollution (Fukuyama et al. 1994, Andreozzi 2002, Rothenstein and Zamir 2002, Cheung and Zhuang 2012. ...
Fire Code Inspection and Compliance: A Game-Theoretic Model Between Fire Inspection Agencies and Building Owners
Article
  • May 2020
Fire-code inspection and compliance are among the highest priorities for fire-inspection agencies to reduce the loss of life and property that can result from fire incidents. Requirements for code compliance and inspection vary throughout towns and states within the United States, and building owners who violate these codes can be penalized via fines and mandated compliance measures. To the best of our knowledge, no previous study has investigated the strategic behavior of players in a fire-code inspection process. This paper fills the gap by presenting the game-theoretic approach to modeling building owners’ behaviors with respect to fire-code compliance and the inspection strategies of fire-inspection agencies. Both a decentralized model (sequential game in which the fire-inspection agency moves first) and a centralized model (simultaneous game controlled by one central decision maker) are developed to identify the best inspection strategies for the agency and the best compliance strategies for the building owner. This study provides prescriptive insights that can enable policymakers to improve fire-code compliance and inspection by identifying the conditions that motivate the players to participate positively in the inspection and compliance processes. Numerical sensitivity analyses of the equilibrium strategies and the expected losses of the players are provided, along with a comparison of the results between the decentralized and centralized models.
View
... Particularly, seaports possess an extraordinary amount of hazards, which will lead to different types of risks that can be categorized into: environmental, natural, operational, security, technical and organizational (John et al., 2014;Arisha and Mahfouz, 2009).For instance, it has been demonstrated that ports are vulnerable to seismic motion and other natural disasters (Arisha and Mahfouz, 2009). After the latest terrorist attacks, concern has arisen regarding potential harms in ports (Bier, Haphuriwat, 2011;Rosoff, Winterfeldt, 2007). Moreover, employees in some seaports have expressed that they feel less prepared for rare events and organized crime (Quigley and Mills, 2014). ...
Risk Assessment Methods in Seaports: A Literature Review
Research
Full-text available
  • May 2018
Seaports are centers of trade which contribute significantly to sustaining growth and development of the economy. They generate business activity through their operations and are critical interfaces between sea and land supply infrastructures. Due to their complex operations, the heterogeneity of stakeholders and critical location, seaports are exposed to a wide range of developing and changing risks. Unforeseen or underestimated hazards can lead to complications that will most likely result in human, environmental, material or economic damages. This research work aims to identify suitable risk assessment methods that can be applied in seaports. The methodology for the literature review involves the consultation of two databases in an evaluation period from 1980 to 2017. The exploration is based on a set of keywords and phrases to extract significant data. After the data screening, refinement process and evaluation of the information, 58 research articles are acquired for the analysis. This study helps to summarize the hazard sources which are classified into: natural and man-made; factors of risk which are enlisted in different categories: climate, operational, safety, technical, organizational, environmental, socio-economic and political. Moreover, a review of the different qualitative, semi-quantitative and quantitative approaches to assess risks in port areas is presented in order to suggest a particular set of suitable methods that could be used by the different stakeholders at seaports. In addition, based on the results of the analysis, future research areas are recommended with a focus on an empirical study.
View
Fighting Pickpocketing using a Choice-based Resource Allocation Model
Preprint
Full-text available
  • Sep 2022
Inspired by European actions to fight organised crimes, we develop a choice-based resource allocation model that can help policy makers to reduce the number of pickpocket attempts. In this model, the policy maker needs to allocate a limited budget over local and central protective resources as well as over potential pickpocket locations, while keeping in mind the thieves' preferences towards potential pickpocket locations. We prove that the optimal budget allocation is proportional in (i) the thieves' sensitivity towards protective resources and (ii) the initial attractiveness of the potential pickpocket locations. By means of a numerical experiment, we illustrate how this optimal budget allocation performs against various others budget allocations, proposed by policy makers from the field.
View
Stackelberg production-protection games: Defending crop production against intentional attacks
Article
Inspired by recent terrorist attacks on cereal production fields in Iraq, we introduce and study two types of Stackelberg games. In these games, the leader wants to maximize its production (e.g., cereal), while the follower tries to destroy this production as much as possible. In the first model, the leader can protect its production by spreading his production resources over multiple regions. In the second model, the leader can also decide to allocate some extra protection resources to the regions. For both games, we are interested in a follower’s and leader’s optimal strategy. We characterise optimal strategies for the follower and present two linear time algorithms (one for each game) that find an optimal strategy for the leader.
View
Effects of Credibility of Retaliation Threats in Deterring Smuggling of Nuclear Weapons
Chapter
  • Feb 2021
The prevalence of global supply chains demands speediness of freights moving across borders between nations. However, nuclear weapon smuggling still poses a significant risk to the United States, which requires a trade‐off between cargo inspection and speedy transition. Retaliation threats and partial inspection could be used together to effectively deter such smuggling attempts. As a nontechnical version of Shan, X. and Zhuang, J. (2014a). Modeling credible retaliation in deterring smuggling of nuclear weapons: a three‐stage game. Decision Analysis 11(1) 43–62, this chapter models credibility of retaliation threats against smuggling of nuclear weapons within the context of an attacker–defender game and find that a rational defender would not always carry out retaliation activities under the condition that (i) the reputation loss from non‐credible retaliation threats is low, (ii) the reward for carrying out retaliation is low, or (iii) the retaliation costs are too much. In addition, we study the required inspection level in order to deter smuggling of nuclear weapons when the retaliation threats are non‐credible. This research highlights the importance of studying the credibility of retaliation threats in attacker–defender interactions and provides some insights on strategic integration of partial inspection and retaliation threats in deterring nuclear smuggling.
View
Target-Oriented Utility for Interdiction of Transportation Networks
Article
Optimal resource allocation in security has been a significant challenge for critical infrastructure protection. We study an optimal resource-allocation model for more cost-effective protection of critical targets on a transportation network. We apply target-oriented utility theory and use mixed-integer programming to determine the optimal level of investment needed to interdict an attacker on a transportation network. We assume that the attacker will choose one target among multiple targets to attack based on factors such as the attractiveness of targets to the attacker and the attack success probabilities, and will be deterred for sufficiently low attack success probabilities. Sensitivity analyses are conducted to illustrate how the optimal defensive strategy depends on parameters such as attacker success probabilities, attacker deterrence, target values, number of targets, and effectiveness of defensive investment.
View
Secrecy in Defensive Allocations as a Strategy for Achieving More Cost-Effective Attacker Detterrence
Article
Full-text available
  • Jan 2009
We discuss strategic interactions between an attacker and either centralized or decentralized defenders, and identify conditions under which centralized defender decision making is preferred. One important implication of our results is that partial secrecy about defensive allocations (disclosure of the total level of defensive investment, but secrecy about which resources are defended) can be a strategy for achieving more cost-effective attack deterrence. In particular, we show that such partial secrecy can be potentially beneficial when security investments are discrete (e.g., as in the use of air marshals to counter threats to commercial aviation).
View
View
View
View
Playing for time: A sequential inspection game
Article
Inspections for timely detection of illegal activity on a finite, closed time interval and subject to first and second kind errors are modelled as a sequential, two-person game. The utilities of the players, inspector and inspectee, are assumed to be linear in the detection time with time-independent false alarm costs. Sets of Nash equilibria are obtained in which the inspectee behaves illegally or legally with probability one.
View
View
Inspection Games in Arms Control
Article
An inspection game is a mathematical model of a situation in which an inspector verifies the adherence of an inspectee to some legal obligation, such as an arms control treaty, where the inspectee may have an interest in violating that obligation. The mathematical analysis seeks to determine an optimal inspection scheme, ideally one which will induce legal behavior, under the assumption that the potential illegal action is carried out strategically; thus a non-cooperative game with two players, inspector and inspectee, is defined. Three phases of development in the application of such models to arms control and disarmament may be identified. In the first of these, roughly from 1961 through 1968, studies that focused on inspecting a nuclear test ban treaty emphasized game theory, with less consideration given to statistical aspects associated with data acquisition and measurement uncertainty. The second phase, from 1968 to about 1985, involves work stimulated by the treaty on the non-proliferation of nuclear weapons (NPT). Here, the verification principle of material accountancy came to the fore, along with the need to include the formalism of statistical decision theory within the inspection models. The third phase, 1985 to the present, has been dominated by challenges posed by such far-reaching verification agreements as the intermediate range nuclear forces agreement (INF), the treaty on conventional forces in Europe (CFE) and the chemical weapons convention (CWC), as well as perceived failures of the NPT system in Iraq and North Korea. In this connection, the interface between the political and technical aspects of verification is being examined from the game-theoretic viewpoint.
View
View
Electricity Case: Main Report Risk, Consequences, and Economic Accounting
Article
  • Jan 2005
As a critical infrastructure sector, electricity enables numerous other critical infrastructures to function, and in many cases is the critical path for their operation. This is underscored by the fact that historically, electric power outages have played a central role in disruptions of many other infrastructures. As a consequence of the centrality of its role, electricity is potentially a key target for terrorist attacks. This case sets forth risks in terms of hypothetical alternative attack scenarios in the form of various grid configurations that are vulnerable based on both natural events in the U.S. and terrorism internationally as well as in terms of the odds that outages will occur and other characteristics of outages will change. Consequences are then identified based on hundreds of events and other records that portray the effects that electric power outages have on key public services and businesses. Economic accounting is conducted in terms of human premature death and injury and business loss for some of the key consequence areas, using a wide range of economic factors. The work presented in this report is complemented by the work of other team members. In the risk area, Bier’s study at the University of Wisconsin portrays the effect on the capacity of hypothetical grids to carry and redistribute electricity under alternative interdiction scenarios. For consequences, the work of Chen at USC identifies electric power system performance following a catastrophic event. As consequences and economic accounting, Greenberg, Laer, and Mantell, part of the NYU team, are conducting a model of effect of electricity outage on the economy of New Jersey, the densest and wealthiest state in the U.S.
View
Deterrence and Bargaining
Article
Recent disputes about whether nuclear superiority still has any meaning raise the question of what relation exists between threats of nuclear punishment and bargaining power. This article argues that deterrence theory has provided little assistance in discussing that question. It has often focused exclusively on the defender's influence on the decision calculus of the aggressor or on the problem of avoiding a “reciprocal fear of surprise attack.” When it has touched on the question of bargaining advantage, it has used inappropriate models and failed to draw correct conclusions from the models it has used. The article outlines the main ways in which deterrence theory must be corrected, focusing especially on the distinction between two kinds of threats whose implications for bargaining are quite different.
View