Modeling terrorismGame theory helps corporate risk manage analyze terrorism risks

Published 9 December 2013

The challenges of modeling and analyzing terrorism risk are based on the reality that the adversary is one who can alter where and when to strike and has the capability to counter-attack. Before 9/11, the science of risk modeling and analysis for corporations was primarily based on data accumulated from Mother Nature, a less responsive actor. Risk models have become more precise, but this increased precision notwithstanding, terrorists are likely to act in unexpected ways. To anticipate those unexpected ways, risk managers are relying on game theory, with the assumption that exploring hypothetical situations will prepare risk managers for the unexpected.

The challenges of modeling and analyzing terrorism risk are based on the reality that the adversary is one who can alter where and when to strike and has the capability to counter-attack. Before 9/11, the science of risk modeling and analysis for corporations was primarily based on data accumulated from Mother Nature, a less responsive actor.

“We understand wind storms, we understand surf. We understand that they’re pretty particular. They like the coast,” says Richard Rabs, vice president of insurance and risk at Veolia Environnement North America, a water, waste, and energy management company. “But terrorism doesn’t have any of those types of things.  We can make some assumptions, but we just don’t have the data,” he adds.

CFO quotes Rabs to claim that the information accessible to corporations regarding their exposure to terror is based on a sample too limited to allow for “charting out probabilities,” much less manage risks based on the assumptions from the sample. “I don’t think the average risk manager does a lot with terror risk modeling,” Rabs says. “Not because we don’t care about it, but because, at least in my case, we’re not 100 percent convinced that there’s really a good model out there.”

As limited as the sample may be, however, different forms of data offer some concrete certainty. Whether as a direct attack or indirect and part of a broader target, terror acts can hurt employees, operations, and financial structure. The attackers and the attack itself may be domestic based or foreign. The weaponry may be digital — in the form of a cyberattack — chemical, nuclear, biological, or radiological.

For the property-casualty insurance industry, risk modeling is based on data with historical figures and predesigned factors. A risk manager can analyze the probabilities of a natural disaster based on data from a client’s portfolio. The portfolio, however, will not contain sufficient data about terrorism risk because such data has only been effectively accumulated since the 9/11 attacks. For risk managers, terror acts remain unpredictable outliers.

“Given the paucity of historical data and diversity and shifting nature of expert opinions, catastrophe models used to estimate terrorism risk are relatively undeveloped compared to those used to assess natural hazard risks,” said Robert Hartwig, president and economist of the Insurance Information Industry, in testimony prepared for a U.S. House subcommittee hearing a few weeks ago. “The bottom line is that estimating the frequency of terror attacks with any degree of accuracy … is extraordinarily challenging, if not impossible in many circumstances.”

According to CFO, analyzing probability may be a solution for risk managers to assess terrorism risk. Probabilities can be applied to computer-simulation models, allowing risk managers to determine the chances that a terror act will occur under certain scenarios. Yet, despite the precision of risk models, terrorists are likely to act in unexpected ways. To anticipate those unexpected ways, risk managers are relying on game theory, with the assumption that exploring hypothetical situations will prepare risk managers for the unexpected.

Game Theory helps us model the implications of the complex dynamics between… conflicting factors,” said Gordon Woo, a mathematician with Risk Management Solutions (RMS) who had just created RMS’s first terrorism risk model. “On one hand, we have al-Qaeda’s desire to maximize the utility of their attacks, and on the other hand, we have to consider their rational response to stepped-up security and counter-intelligence efforts and the constraints of their technological and logistical capacities.”

Game theory will enable risk managers to focus on protecting high-level targets like the Sears (Willis) Tower in Chicago, but risk managers must also analyze terrorists’ response to counter-terrorism initiatives. Woo, testifying in September before the House Financial Services Committee, said terrorism risk has become “as much about counter-terrorism action as about terrorists themselves. U.S. terrorism insurance is essentially insurance against the failure of counter-terrorism.”

As counter-terrorism initiatives continue to prevent terror acts, game theory must also assume scenarios in which counter-terrorism efforts may fail. Applying game theory to assess terrorism risk will help risk managers discover unexpected ways in which terrorists may act either as part of a plan or in response to counter-terror initiatives.