Perhaps the two most common phrases in the emergency management lexicon these days are “risk-based planning” and “all-hazards preparedness.”

The challenge, of course, more complex than implied by such neat catch-phrases, is how to prioritize risks from the nearly infinite panoply of potential hazards.

A new paper from the Rand Corporation, Emerging Threats and Security Planning: How Should We Decide What Hypothetical Threats to Worry About? attempts to unpack some of these complexities, offering a model for assessing terrorist risk scenarios.

“In thinking about emerging threats, security planners are confronted by a panoply of possible future scenarios coming from sources ranging from the terrorists themselves to red-team brainstorming efforts to explore ways adversaries might attack in the future,” the report’s authors, Brian A. Jackson and David R. Frelinger, observe.

The question facing security planners in addressing the long list of hypothetical attacks is whether they should attempt to defend against all of them, producing a constant strain on security resources and potentially disrupting current security efforts, or whether they should they ignore most of them, focusing instead on “general-purpose” security approaches.

The prudent path, according to the report, clearly lies somewhere between these extremes, meaning that planners need systematic and defensible ways to decide which hypothetical or unusual threats to worry about and how to prioritize among them.

The report recommends that when addressing a particular novel threat emergency planners first ask whether such a threat represents a “niche threat” that should be addressed within existing security efforts?

The authors use the example of terrorists using UAVs to attack targets from the air.

At first look, they suggest, such a notion “seems like a challenge to security planning that might demand a major response—and a threat that would be difficult to treat as a subset of other threats.” To address it radical measures such as concrete barriers and posted security guards would need to be put in place around some potential targets such as public buildings or infrastructure targets to keep vehicle bombs from entering.

Such measures, they say, “are aimed at the difference between this threat and others (the fact that the weapon is being delivered from the air) and seek to directly neutralize that difference. The problem with this approach is that by focusing on an individual novel threat independent from all other threats and on those characteristics that set it apart from other threats, planners are only considering part of the picture.

“Terrorists,” they say, “ will not think about UAVs in isolation and security planners should not do so either. For the terrorist planning an attack, UAVs are one possible attack mode among many, and their use will be driven by how they compare to other options. Our analysis of the emerging UAV threat therefore included what we called a “red analysis of alternatives” in which we explicitly catalogued the many different ways terrorists could attack targets in addition to using UAVs so that we could systematically compare the advantages and disadvantages to terrorists of this attack mode.”

As a result, they explain, while it is certainly possible that some terrorists will pursue UAVs and even use them in attacks, there appear to be no factors that would lead to their broad adoption by many terrorist groups. Furthermore, even if they were, it does not appear that the consequences of such attacks would be significant for most potential terrorist targets.

This combination of likely modest use by a few groups and modest consequences from that use leads the authors to the conclusion that “UAVs should be largely viewed as simply one more means among many of delivering a moderately-sized bomb to a target rather than as a novel threat in their own right.”

“ Though they can provide attackers some advantages in some situations, they are neither game-changing nor impactful enough that they represent more than a small slice of the overall threat faced by a modern nation from terrorism.,” they add. “ Therefore, and because they are a small subset of a broader threat—in this case explosives use—UAVs are a niche threat. Given their niche status, security planning should then focus on how to address UAVs within broader counterterrorism efforts rather than consider specialized defenses designed to address them in particular.”

The authors then outline an approach that compares different terrorist operations by ranking them based on the estimated likelihood terrorist attackers will be able to carry them out successfully.

“This process,” they explain, “ includes asking questions about how easy or hard it would be for attackers to execute a specific attack scenario given its requirements and characteristics (an aspect of threat) and the potential effects of security measures on their likelihood of success (an aspect of vulnerability).”

This is accomplished, they add, by “drilling down into the details of each emerging threat scenario to uncover the practical elements of what would actually be involved in staging an attack using a novel weapon or tactic.”

Such an analysis will make clear that some attack modes are simply more likely to encounter problems than others. “For example,” they say, “ terrorists relying on improvised weapons (e.g., homemade mortars) would—in general—be more likely to encounter problems than groups using proven commercial weapons (e.g., mortars produced by an arms manufacturer).”

Similarly, very complicated operations (e.g., attacks dependant upon multiple events occurring in tight succession) would be more likely to break down than more-simple attack plans.

The authors outline several principles useful in assigning risk:

• Operations that rely on tried-and-true technologies involve fewer risks than those that rely on improvised or very complex technologies.
• Operations that rely only on general knowledge that attackers can develop on their own are less demanding than those that require very specialized skills that might require training to develop.
• Operations that require that actions occur either at the same time or in a specific order over a short period to be successful are riskier than those that do not.
• Operations that require overtly hostile action or are inherently detectable are more likely to fail than more-clandestine activities. Potential protective measures to prevent or disrupt the attack.
• Operations that are sensitive to the security and protective measures around a target are more likely to fail than those that are insensitive to them.
• Operations that rely on events (e.g., the exact time a target will arrive at a specific location) that are not under the attackers’ control involve more risk than those that do not.

The authors acknowledge that a ranking scheme does not provide absolute answers as to how far down that list of priorities security investments should be made as a hedge against possible future attacks. “Such resource-allocation decisions involve additional considerations, and the choice could be very different at some targets than at others.”

Nonetheless, they say, “starting from a prioritized list will always be better than attempting to deal piecemeal with threats as different as terrorist insects, exploding remote-controlled planes, and artificial lightning and making decisions in isolation as to whether resources should be diverted from threats we can reasonably expect tomorrow to hedge against a very uncertain future.”