Counterterrorism policymakers face a constant challenge: how to allocate and prioritize scarce security resources based on their best (almost imperfect) assessments of risk. Such assessments have traditionally focused on multiple criteria, who the likely perpetrators of terror might be, what kind of terrorist acts might be attempted, and how they’d be carried out.

Unfortunately those criteria are generally considered in isolation from one another.

A just released report from Rand Corporation outlines an alternative approach, arguing that prospective success or failure of a terrorist operation can be best understood by thinking about the match or mismatch between three key sets of characteristics: terrorist group capabilities and resources, the requirements of the operation it attempted or is planning to attempt, and the relevance and reliability of security countermeasures.

“For a terrorist attack to have the greatest chance of success,” the report says, “ there needs to be a match between its capabilities and resources and the operational requirements of the attack it is seeking to carry out and a mismatch of security countermeasures and intelligence/investigative efforts with both the group and its plans.

“Focusing more attention on a small set of practical relationships in this manner, how different characteristics do or do not match one another, could help to guide analysis of why past terrorist operations went as they did, and, more importantly, could help to identify opportunities to shape the chance of success or failure of future operations,” the report adds.

“Probability of success of terrorist operations is usually not driven by the absolute value of particular factors,” the report explains, “ but rather by how those levels compare with what the terrorist group needs to bring its plans to fruition.”

What this means in general, according to the report, is that the chances of an attack succeeding increase when : (1) the characteristics of the attackers closely match the characteristics of what they are attempting and (2) when there is a mismatch between those characteristcs and the security or protective measures the attack must overcome.

If a group is attempting an operation that is well matched to its operational skills, knowledge of its intended targets and technical capabilities, for instance, then its chances of success are higher than if it was attempting something mismatched to its skills and capabilities (e.g., that same group is attempting a chemical weapons attack at a target type it has never attacked before).

Likewise, when there is a mismatch between a terrorist group and the security forces opposing it (e.g., the police force lacks sufficient technical or other ability to penetrate the group’s operational security measures), the terrorist’s chances of success are much better than if there is a match between them (e.g., the police force—through whatever means—can routinely identify the group’s members.)

Yet another implication of the new model is that success is more likely if there is a mismatch between its planned operation and the relevant security forces or protective measures (e.g., the group is using an attack mode that intelligence and security measures have not been designed to detect or defeat) than if there is a match between them (e.g., the group is using weapons and tactics that are already addressed in security and defensive plans).

“For a group to successfully execute any action, it must have the capabilities and resources that are necessary to carry out its plans,” the report says. “The resources that shape the success or failure of individual terrorist attack operations consist of the tools the group has (e.g., weapons and other technology), information needed to plan and execute the attack, and access to people with different types of necessary skills.

In assessing the potential likelihood of success of specific operations, the report explains further, both the number and the quality of the people available to the group are important.

“ The overall quantity of individuals available to a group determines the pool from which they can draw when deciding how many members are devoted to a particular attack,” the report says. “Large groups (e.g., PIRA, Hezbollah, or the Liberation Tigers of Tamil Eelam [LTTE]) have flexibility in making choices about how many people are devoted to particular attacks. Small groups (e.g., many of the left-wing groups that operated in Europe in the 1970s and 1980s, individual cells of al Qaeda, or other loosely networked groups) can be forced by the size of the pool of members available to have all their members participate in a planned attack, and their total membership represents a hard upper constraint on their operational capability.”

According to this model the challenge of intelligence is to understand the characteristics of different operations that make them difficult or risky—and also therefore must raise the bar for group skills, technology, and so on.

“ The requirements of an operation are driven in large part by the tactical outcome the group wants and the type of target they are attacking,” the report says. “Groups have attempted to destroy targets, to cause mass casualties in various ways, to take and control sites, to seize and hold individuals, and so on. Some operations have sought to kill as many people as possible with little discrimination, while others have sought to kill some but not others, or avoid killing anyone at all.”

The methodology laid out in the report has practical ramifications for security.

“Skilled and capable security organizations that are well matched with current threats will cut those attackers’ chances of success, it says. “The efficacy of protective measures that do not require the detection of a specific attack to affect terrorists’ chance of success depends only on how well such measures match what the attackers are trying to do.”

For example blast hardening that makes a target more difficult to damage with explosives will perform its intended function whether or not the security guards of the facility know a bomb has been planted. But if the measure does not match the threat, it will not help. Blast hardening in a subway system will not affect the chances of a successful chemical or incendiary attack because it is not matched to either of those threats, but a water sprinkler system might if it were designed such that it could both put out fires created by the incendiaries and help decontaminate after the chemical release.

Achieving this optimal “match” between intelligence and security operations depends on how much the measures can reduce an attack’s effects; e.g., robust blast hardening may make very small bombs irrelevant at some targets (essentially a 100 percent match between measure and threat) but only partially reduce the damage from larger devices (a less complete match).

Organizing thinking in this manner, the report concludes, must get “ beyond analyzing factors in isolation to focus on key relationships. “In many cases, it is the nature of the relationship, rather than the absolute values of any of the factors, that truly contributes to a terrorist attack going as its authors planned. This is important for developing accurate threat assessment because focusing on the factors rather than relationships could lead to either artificially high or low assessments of the threat posed by the group.”