Friday, December 12, 2008

Characterizing terrorism
Vinay Deshmukh

Terrorism has emerged as one of the most dangerous hazards in recent times. The risk of terrorism carries with it the potential to destroy civilian life , disrupt businesses and the global economy and cause untold suffering to innocent citizens. This article attempts to characterize terrorism by taking a “systems” approach.

First and foremost, the threat of terrorism is adaptive which means if you plug one part of the system , the other part is rendered vulnerable. Terrorists diverted their attention to the seas and the railways once they realized that airports and aircrafts became virtually impgrenable. With railway security having been tightened , it is likely that they may focus their attention on the other means of transport. The adaptive nature of terrorism implies that governments have to identify the soft spots in the system apriori and deploy adequate resources to mitigate the risk. Techniques like failure modes and effects analysis (FMEA) developed during the second world war could be utilized to identify such soft spots. FMEA attempts to enumerate various risks and prioritize them using what is called a risk priority number (RPN).

RPN = probability of occurrence * severity of impact * detectability

The probability, likelihood and detectability of a risk is assigned a value from say 1 to 5 ,
1 being least likely and 5 being most likely for probability. A value of 1 would imply negligible impact and 5 would imply total devastation. Similarly a value of 1 would imply low detectability and 5, a high detectability. If an event can be detected apriori, it is detectable. For example, a full scale attack on the country is often a detectable event (detectability=5)
while an guerilla attack is often undetectable (detectability). In the case of 11/26 , one would have assigned a probability of 5 (strictly speaking , probability can only take a value from 0 to 1.) , a severity of 5 and a detectability of 3 ; thus giving an RPN = 75. Detectability is directly related to the efficiency of the country’s intelligence.
A highly efficient intelligence ensures high detectability and thus helps the internal and external security agencies take this risk on the highest priority.
Also the probability of occurrence is directly related to the branding of the establishment being targeted. Well known Indian brands like TATA, RELIANCE, BIRLA or well known tourist brands such as The GATEWAY OF INDIA carry a greater risk of being attacked compared to little known brands. After all , terrorists perform a cost-destructivity analysis of their missions and only undertake those that are likely to provide maximum destruction.

Power Law
Power law is often used to characterize earthquakes. For every 1000 earthquakes of magnitude 4 on the Richter scale, there are a 100 of magnitude 5 and 10 of magnitude 6 and 1 of magnitude 7 on the same scale. If we observe the pattern of terrorist attacks in the last few years , power law becomes evident. The bombings carried out in multiple cities in India were analogous to 10 earthquakes of magnitude 6 and the attack of 11/26 was analogous to an earthquake of magnitude 7. A corollary to this law is often expressed as follows.
“We have not had a major attack for a while now. Therefore something must be on the anvil.”

To be successful , security forces must win 100% of the time. However to be successful , terrorists need win only 1% of the time. Terrorists want to die , citizens want to live – that’s the fundamental asymmetry. Citizens create, terrorists destroy. The asymmetrical nature of the war against terrorism puts enormous strain on limited government and private resources. The keys to mitigating this asymmetry are prioritization and critical parameter management. While we discussed prioritization using RPN above , critical parameter management is another effective technique. All systems are overloaded today – be it the government, business, finance or technology. The key to managing them is identifying the critical parameters governing security in each of these systems and managing them. For example, the issue of cell phones , the sale or lease of property, the issue of credit cards are processes that need to be tightly controlled. The source, usage and purpose (SUP) of financial instruments such as credit cards need to be assessed rigorously. Financial institutions that fail to do so should be held responsible for not having adequate anti money laundering safeguards. One major obstacle to critical parameter management in India is the lack of a national identification number along the lines of a social security number in the US. In lieu of a national identification number, governmental/private agencies need to verify the individual’s criminal, credit and rental histories using every source of information.

Creativity (destructivity)
It sounds macabre but there is no denying that terrorists have a creative brain.
They have a battery of thinkers and an equally strong battery of doers. The attack of 11/26 was planned meticulously and executed precisely. They are adaptive because they are highly creative. Governments will have to employ professional risk consultants to forecast risk scenarios. The job of a risk consultant is to assess risks, prioritize and suggest ways to mitigate them. Risk consultants are equipped with techniques such as “what if simulation” , “mind mapping” , state of the art risk and process modeling techniques and above all some well known and time tested “heuristics”. Since terrorists often think out of the box , it is likely that the next attack may not be conventional but could be chemical, biological or nuclear. It is also likely that they might attempt to bleed India and other countries using what is called “death by a thousand wounds”. Such attempts could include attacks on the country’s IT networks or subtle cultural invasions. The other element of terrorist creativity is their impeccable sense of time and space. They choose their “time” and “space” such that people are caught by surprise while ensuring that their missions attract the most international attention. Hardly would anybody have expected an attack at 10 p.m on a working day on one of the busiest railway stations or one of the best hotels in the country. However since it was night time , they could sneak into lanes and alleys quite easily and ensure maximum devastation .

Support networks
Terrorists have a global support network which ensures that there is not a single point of failure. Indeed terrorists think and act like global multinationals . They think globally and act locally through their local henchmen . Their global network ensures continuous replenishment of their resources such as men, material, money, motivation and machinery.

In the ultimate analysis , it is important to take a holistic view of all systems operating within the country , identify the soft spots and mitigate them to deter future attacks. Professional risk consultants could be employed to assess and prioritize these risks and suggest actions that would mitigate them in close coordination with various agencies as well as the public.

The author , an alumnus of the MIT Sloan School of Management and the MIT School of Engineering and the Indian Institute of Technology,Roorkee has served several multinational companies at senior management levels.