Welcome to the PSAM 16 Conference paper and speaker overview page.
Lead Author: Richard John
Framework for Estimating the Value of Deterrence
This paper presents a framework for calculating the value of deterrence related to countermeasures implemented to mitigate an attack by an adaptive adversary. We present a methodology for adapting Defender-Attacker Decision Trees to partition the utility of countermeasures into three components: (1) threat reduction (deterrence), (2) vulnerability reduction, and (3) consequence mitigation. The Expected Utility of Imperfect Control (EUIC) attributable to a specific implementation of the countermeasure is based on calculations from decision analysis and is defined as the difference in the expected utilities of the no countermeasure branch and the branch representing the countermeasure variant (Johnson & Tani, 2013; McNamee & Celona, 2009). The EUIC represents the net benefit of implementing the countermeasure, including all costs associated with development, implementation, and operation. Benefits largely derive from three sources: (1) changes in attack probability (threat reduction (2) changes in detection probability (vulnerability reduction), and (3) changes in the distribution of attack outcomes (consequence mitigation). We partition the EUIC and estimate the unique portion attributable to threat reduction, vulnerability reduction, and consequence mitigation. Calculations follow a subtraction logic, similar to those used to calculate the value of information (VOI). We provide example applications of the value of Deterrence in an airport security domain and a cybersecurity domain. The proposed framework provides a methodology for explicitly accounting for deterrence in benefit-cost analyses (BCA).
Paper RI210 Preview
Author and Presentation Info
"
Lead Author Name: Richard John (richardj@usc.edu)
Bio: Richard John is a Professor of Psychology, area head for quantitative methods and computational psychology, and Associate Director at the Center for Risk and Economic Analysis of Threats and Emergencies (CREATE) at the University of Southern California. His research focuses on normative and descriptive models of human judgment and decision making and methodological issues in the application of decision analysis and probabilistic risk analysis (PRA). Richard has consulted on a number of large projects involving expert elicitation, including analysis of nuclear power plant risks (NUREG 1150) and analysis of cost and schedule risk for tritium supply alternatives. Richard received his PhD. in quantitative psychology and M.S. in applied mathematics from the University of Southern California, and B.S. in applied mathematics (summa cum laude) from the Georgia Institute of Technology.
Country: United States of America Company: University of Southern California Job Title: Professor of Psychology