homeland security preparedness: balancing protection with resilience in emergent systems

Homeland SecurityPreparedness: BalancingProtection with Resiliencein Emergent SystemsYacov Y. Haimes,* Kenneth Crowther, and Barry M. Horowitz

Center for Risk Management of Engineering Systems, University of Virginia, PO Box 40076, Charlottesville, VA 22904

HOMELAND SECURITY PREPAREDNESS: BALANCING PROTECTION WITH RESILIENCE

Received 20 September 2006; Revised 27 October 2007; Accepted 8 February 2008, after one or more revisionsPublished online 16 June 2008 in Wiley InterScience (www.interscience.wiley.com)DOI 10.1002/sys.20101

ABSTRACT

The report of the President’s Commission on Critical Infrastructure Protection [PCCIP, Execu-tive Order 13010, The White House, Washington, DC, 1997] which was issued in October 1997set in motion a revolutionary and expensive national homeland security initiative under therubric of critical infrastructure protection. The PCCIP addressed a plethora of sources of riskto the nation’s critical infrastructures, along with numerous risk management options. Forsimplicity, we partition solution possibilities into two major types: protecting system assetsand adding resilience to systems. Much of government research efforts focus on analyzingcomponent systems and their assets. Systems engineers are particularly interested in char-acteristics that emerge from the system design, which are affected by changes to componentsystems, but also by changes that reflect the way systems are constructed and integrated.Adding resilience to a system expands the focus beyond component systems to include astudy of emergent, system-level attributes for homeland security consideration. Balancingprotective and resilience actions through system-level analysis will provide a means toimprove the overall efficiency of regional and national preparedness. This paper exploresconcepts of emergence, resilience, and preparedness as a foundation for establishing aframework to assess the balance between the two areas of infrastructure risk mitigation. Wepropose several considerations that must be included in a framework to assess protection

Regular Paper

*Author to whom all correspondence should be addressed (e-mail: [email protected]).

Contract grant sponsors: National Science Foundation; Virginia Governor’s Office for Commonwealth Preparedness; Virginia TransportationResearch Council (VTRC); and the Institute for Information Infrastructure Protection (I3P).

Systems Engineering, Vol. 11, No. 4, 2008© 2008 Wiley Periodicals, Inc.

287

and resilience tradeoffs, and we present a simple illustrative study that demonstrates severalof the framework concepts and provides a means for further discussion about the complexinteractions that are faced when evaluating the resilience of a system. © 2008 Wiley Peri-odicals, Inc. Syst Eng 11: 287–308, 2008

Key words: emergence; resilience; preparedness; risk management; homeland security asemergent system

1. INTRODUCTION

The report of the President’s Commission on CriticalInfrastructure Protection (PCCIP) [1997] issued in Oc-tober 1997 set in motion a revolutionary and expensivenational homeland security initiative under the rubricof critical infrastructure protection. The PCCIP identi-fied a plethora of sources of risk to the nation’s criticalinfrastructures, along with numerous risk managementoptions. The recently released National InfrastructureProtection Plan (NIPP) [DHS, 2006] supersedes thePCCIP and highlights the protection of critical infra-structure and key resources (CI/KR). For simplicity, wepartition homeland security solution possibilities intotwo major types: protecting assets and adding resilienceto systems. In this paper, the protection of assets is theset of risk management actions that reduce the vulner-ability of specific system components or specific assets.Alternatively, adding resilience to systems encom-passes those risk management actions that tend toemerge from changes that impact the overall systemstructure and properties. The NIPP describes both atvarying levels of detail. This paper seeks to illustrateimportant system principles necessary to establish ap-propriate balance between the two infrastructure riskmitigation solutions.

Traditional system analysis is of the top-down typethat decomposes a system into components for analysis;it enables analysts to understand what asset vulnerabili-ties may result in adverse losses when exploited byspecific threats. Naturally, traditional system analysisfrequently results in a set of protective actions to hardenor otherwise protect identified assets against specificsets of threats. As systems engineers, we are also inter-ested in system characteristics that emerge from theoverall system design and its integration, includinginteractions and interdependencies among and betweenvarious component systems. These system charac-teristics are affected by changes to components, includ-ing protective actions, but more importantly they areaffected by system-wide changes that impact the waythe system components interact. Analysis of protectiveactions alone through system decomposition and theengineering of component systems (as detailed, for

example, in the NIPP [DHS, 2006]) can lead to subop-timal system-level regional or national homeland secu-rity. Adding resilience to a system expands the focusbeyond only component systems to include a study ofemergent system-level attributes for homeland security.As mentioned in the NIPP [DHS, 2006: 45]:

In situations where robustness and resiliency are keysto CI/KR protection, providing protection at the systemlevel rather than at the individual asset level may bemore effective and efficient (e.g., if there are manysimilar facilities, it may be easier to allow other facili-ties to provide the infrastructure service rather than toprotect each facility). Both are possible approaches tomeeting NIPP objectives.

Balancing protective and resilience actions throughsystem-level analysis will provide a means to improvethe overall efficiency of regional and national prepared-ness. This paper explores concepts of emergence, resil-ience, and preparedness as a foundation for establishinga framework to assess the balance between the two areasof infrastructure risk mitigation. We propose severalconsiderations that must be included in a framework toassess protection and resilience tradeoffs, and present asimple illustrative study that demonstrates several of theframework concepts.

2. EMERGENT PROPERTIES OF LARGESYSTEMS

The subject of large-scale, complex systems and emer-gent, multiscale systems has been on the agenda ofresearchers for at least half a century. The seminal bookCybernetics was published by Norbert Wiener [1948];in the second edition [Wiener, 1961], he credited Leib-niz with extensive early work on systems. Von Bertalan-ffy [1968] coined the term general systems theoryaround 1950. The Society for General Systems Re-search was organized in 1954 by the American Associa-tion for the Advancement of Science. Buckley [1968]stated that despite the fact that modern systems theoryseemed to spring de nouveau out of the last war effort,it could be seen as a culmination of a broad shift in

288 HAIMES, CROWTHER, AND HOROWITZ

Systems Engineering DOI 10.1002/sys

scientific perspective over the last few centuries. Areport by the National Research Council [NRC, 2002]maintained that a systems approach that encompassesthe multiple visions and perspectives inherent in anyvast pool of data and information is imperative in orderto successfully understand and address the complexityof a system of systems.

Several philosophies and methods have been devel-oped over the years to address the complexity of mod-eling large-scale systems and to offer various modelingschema. They include: Methodology for Large ScaleSystems [Sage, 1977]; Systems Theory: Philosophicaland Methodological Problems [Blauberg, Sadovsky,and Yudin, 1977]; Hierarchical Analyses of Water Re-sources Systems: Modeling and Optimization of Large-Scale Systems [Haimes, 1977]; and MultifacetedModeling and Discrete Event Simulation [Zigler,1984]. In his book Metasystems Methodology, Hall[1989] developed a theoretical framework to capture themultiple dimensions and perspectives of a system.Maier and Rechtin [2000] defined a process for systemdesign or “architecting” multidimensional, complexsystems. Warfield [1976], Blanchard and Fabrycky[1990], and Sage [1992, 1995, 2006] among othersdefine a system as an integrated set of components orelements that support achievement of specific purposes.These components consist of hardware, software, peo-ple, organizations, and processes. An extensive reviewof interdependency analysis literature will follow inSection 5.3. Sage and Cuppan [2001: 326] provide thefollowing definition of emergent behavior in the contextof a system of systems:

The system of systems performs functions and carriesout purposes that do not reside in any componentsystem. These behaviors are emergent properties of theentire system of systems and not the behavior of anycomponent system. The principal purposes supportingengineering of these systems are fulfilled by theseemergent behaviors.

In this paper, we emphasize that component systemsare typically designed independently (not as a part of alarger system), controlled autonomously, and then inte-grated in a distributed and loosely coordinated process.The emergent properties of systems of systems aretherefore measurable to some extent, but only throughknowledge of both component systems and their inte-gration. The US homeland, under analysis for home-land security, is such a system of systems. Componentsystems such as technologies, businesses, organiza-tions, infrastructures, sociopolitical realities, and re-gions are interconnected into a networked systemrequiring one another for continued efficient nominal

operation and homeland security. Each of the compo-nent systems was designed and constructed inde-pendently, and is generally operated and controlledautonomously. Although the component systems werenot necessarily created for integration, they are inte-grated, organized, and controlled in a distributed fash-ion. Methods of control for such systems differ greatlywith traditional centralized large systems. Acquiringand consolidating data representing these componentsystems and their overlapping interconnections resultsin a multiscale and multidimensional database of infor-mation. This is necessary to support a network of publicand private decisionmakers who themselves are charac-terized by interconnected and overlapping decision do-mains, interests, and responsibilities. Behaviors of landuse, economic activities, and other aspects of societyemerge from the structure of system components thatotherwise might have remained unpredicted, but mustbe accounted for when assessing and managing the risksinherent in the homeland security of an open nation.

Research in the area of emergent systems has beengrowing by leaps and bounds in recent years. Note, forexample, recent comprehensive publications on emer-gent systems, such as the special December 2006 issueof the journal Reliability Engineering and SystemsSafety. Therefore, from the perspectives of emergentsystems, the purpose of this paper is to introduce thechallenges associated with understanding the balancebetween system resilience and protection. We defineemergent properties of systems as those system featuresthat are not designed in advance, but evolve, based onsequences of collected events that create the motivationand responses for properties that ultimately emerge intosystem features. Systems that are more likely to resultin emergent properties include those with some of thefollowing characteristics:

1. broad missions to fulfill;2. created through the cooperation of many stake-

holders who have overlapping, but not identical,objectives;

3. low capital-cost structures of components thatreduce the financial obstacles related to emergingproperties; and

4. subject to significant events that, should theyoccur, can stimulate the emergence of propertiesthat otherwise might not be anticipated.

Systems that are less likely to result in emergent prop-erties include some of the following characteristics:

1. centralized management and control (i.e., con-trolled by a single organization);

2. relatively narrow missions;

HOMELAND SECURITY PREPAREDNESS: BALANCING PROTECTION WITH RESILIENCE 289


3. high capital-cost infrastructures that impedechange due to excessive cost; and

4. less subject to single significant events stimulat-ing major changes to features of the system.

To illustrate these factors, consider two familiar large-scale systems: the Internet and the US Air Traffic Con-trol systems. The Internet is recognized as emergent innature. It is a system with many properties that haveemerged due to (1) the low cost of entry for users, (2)the availability of technology from a multitude ofcompeting companies that serve those users, (3) thebroad mission of providing information to users, and(4) the initial driving forces of early informationsources and corresponding demand for those sources,ranging from company Web sites to pornography.Nonetheless, parts of the Internet, such as the routingtechnology and corresponding protocols, are far lessemergent, as they require significant investment andsupport from technology companies. In this case,standards groups and sponsored research efforts mustcreate the new solutions and technologies in antici-pation of stakeholder demands. This part of the In-ternet, as evidenced by the long lead-time for theintroduction and full-scale use of advanced routingprotocols, is not nearly as emergent as new applica-tions that use existing technology. Moreover, system-level security implementation is complicated by thevariance in technologies, decision-makers, owners,and users, and makes it difficult to predict the costsand effectiveness of risk mitigation efforts.

The Air Traffic Control system is far less emergentthan the Internet. A single organization (the FederalAviation Administration) with a specifically definedmission is principally responsible for the system. Thesystem is capital-intensive, has important reliability andsafety assurance features that require significant testand evaluation before replacing, and, although singleevents such as midair collisions can cause large publicresponses, does not change itself at a pace that is at allsimilar to the pace of Internet changes. However, theapplication of security is more straightforward becausethe costs and effectiveness of risk mitigation actions canbe predicted with greater confidence.

The system characteristics described above gener-ally stimulate or dampen emergence; they do not defineit. Brilliant designers and system architects will design,build, and integrate systems with flexibilities that canbe appropriately exploited for desired adaptation andemergence. Such foresight and planning can result insystems that can emerge and adapt better than systemsthat are designed without such thoughtfulness. This isevidenced, for example, by the simple and flexibleprotocol that was designed by a small centralized group

and resulted in a great driving force that emerged as theInternet. Such is the hope of homeland security: toincorporate flexible designs that will enable systems ofsystems to be resilient. In this sense, single-organiza-tion control is not antithetical to homeland security.Instead, single organizations can improve resilience byadhering to principles of control that stimulate appro-priate emergence in systems of systems.

3. RESILIENCE IN EMERGENT SYSTEMS

Resilience has been defined in the literature as an emer-gent property of systems. Consider some example defi-nitions: (1) Resilience is the ability of a system toabsorb external stresses [Holling, 1973]. (2) Resilienceis a system capability to create foresight, to recognize,to anticipate, and to defend against the changing shapeof risk before adverse consequences occur [Woods,2005, 2006; Hollnagel, Woods, and Leveson, 2006]. (3)Resilience refers to the inherent ability and adaptiveresponses of systems that enable them to avoid potentiallosses [Rose and Liao, 2005]. (4) Resilience is the resultof a system (i) preventing adverse consequences, (ii)minimizing adverse consequences, and (iii) recoveringquickly from adverse consequences [Westrum, 2006].

To better appreciate the concept of resilience and itsapplication to emergent systems, we define the follow-ing three terms: redundancy, robustness, and resilience.Note that because of the coupling among the varioussystem attributes, redundancy and robustness are sup-porting attributes of resilience.

Redundancy refers to the ability of certain compo-nents of a system to assume the functions of failedcomponents without appreciably affecting the perform-ance of the system itself [Haimes et al., 1998; Matalasand Fiering, 1977]. In a physical infrastructure such asa transportation system, redundancy may manifest itselfby adding alternative routings. In an information sys-tem, hardware redundancy may take the form of multi-ple backups of critical components such as the centralprocessing unit (CPU), memory, disks, and power sup-plies. Similarly, information redundancy is achieved bybacking up databases and data exchanges by way of, forexample, disk mirroring. Software redundancy can beenhanced through replication, distribution of decision-making, voting schemes, and so forth. A high overheadcost usually is associated with enhancing a physical oran information system’s redundancy. Thus, a com-pletely redundant system is often too expensive oroperationally infeasible to build and maintain withinresource and budget limits. It can be modeled as aconstrained optimization problem from which tradeoffscan be identified and Pareto-optimal policies formu-



lated (in the context of a multiobjective tradeoff analy-sis).

Robustness refers to the degree of insensitivity of asystem’s performance to errors in the assumptions ofdesign parameters and variations in the operationalenvironment that may result in adverse operating con-ditions. Design errors propagated by imprecise estima-tion of the design model’s parameters may result frommiscalculation or improper statistical sampling[Haimes et al., 1998; Matalas and Fiering, 1979]. Hard-ening a physical infrastructure or an information systemagainst terrorism or natural disasters involves modify-ing or enhancing a system’s design or, in effect, choos-ing a new optimal design. A system is hardened if thenew or modified design is more robust than the originaldesign. Both redundancy and robustness are examplesof protective actions to harden system assets and com-ponent systems.

Resilience is the ability of the system to withstand amajor disruption within acceptable degradation pa-rameters and to recover within an acceptable cost andtime. Resilience builds on and is a function of redun-dancy and robustness; however, whereas redundancyand robustness can be incorporated into a systemthrough component systems design, resilience requiresattention to the system structure, architecture, and com-ponent system interdependencies. Resilience may beviewed from two overlapping perspectives. The firstrefers to the ability of a system, after an adverse event,to be operated over the short run close enough to itstechnical design and institutional performance objec-tives such that the resulting economic or operationallosses are held within manageable limits. The secondperspective recognizes that the resilience of criticalinfrastructures is a function of many related factors thatcan be impacted by the same adverse situation as thesystem itself (e.g., shortages of needed supplies to thesystems, and of logistics support, planning support,communications, information assurance, and the timelyavailability of specialized workforce). This perspectivebuilds on the premise that a period of unavoidable andundesirable degradation will occur following an attackor natural disaster, and defines resilience as achievingan acceptable systems recovery time at an acceptablecost. Rose and Liao [2005] have also acknowledged anddescribed these two perspectives of resilience and la-beled them static and dynamic resilience, respectively.Because of the interdependence among component sys-tems, redundancy and robustness are excellent modesfor improving resilience. In other words, although pro-tective actions such as hardening and increasing theflexibility and adaptability of component systems areexcellent ways to improve system resilience, other

modes that focus on system-level integration or archi-tecture may be even more effective.

For many regions and infrastructure systems, re-silience is highly dependent on the ability of theoperational workforce to recognize disruptions andquickly coordinate responses to them. For example,a study performed for the Commission on High-Al-titude Electromagnetic Pulse (HEMP) attacks againstthe United States [Haimes et al., 2005] concludedthat rapidly reestablishing normal workforce opera-tions after a HEMP attack is essential to reducingvery serious impacts on the nation’s economy. TheHEMP study revealed that significant economic losscan result from the lack of timely availability ofskilled workers. The importance of coordinatedworkforce recovery in supporting a system’s resil-ience has been validated by many recent events (e.g.,the 4-day suspension of the New York Stock Ex-change trading activity following the September 11,2001 attacks [Santos, 2006]; the August 2003 black-out in the Northeast [Anderson, Santos, and Haimes,2007]; and the August 2006 planned terrorist attackagainst airliners flying from the United Kingdom tothe United States). However, the availability ofskilled workers across a system of systems is theresult of a complex systems architecture that includesland use, media, communications, and transporta-tion, among other infrastructure systems in a region.

One approach to measuring the resilience of aninfrastructure is to predict the trajectory of recoverytime following a catastrophic event. In other words,how long would it take to achieve recovery from 10%to 90% of full capability, and at what level of resources?Tsang, Lambert, and Patev [2002] modeled the resil-ience of the navigation system of the Mississippi Riversubject to disruptions of navigation locks, consideringboth the time and the costs to recovery for earthquakesand barge-collision disruption of a major lock wall. Insome sense, cost and recovery time become synony-mous with the resilience of the system and its interde-pendent systems (infrastructures). Consider, forexample, the possibility of developing a nationallyshared, very secure information infrastructure (separatefrom the Internet) dedicated to supporting the automat-ion of critical infrastructure systems and their recovery.Such a system could add resilience to the nation’scritical infrastructures, particularly utilities and finan-cial institutions that rely heavily on secure cyberspaceto conduct their business automation. It could alsopotentially be a cost-effective vehicle for reducing risksto critical interdependent infrastructures when com-pared to the alternative of hardening each of themindividually. Ways that such a system could be used toenhance resilience include automation support, distrib-



uted decisionmaking, information sharing, remote hu-man monitoring and control, automated sensing andcontrol, machine-to-machine communication, and real-time network reconfiguration, among others. This pointis also promoted in the NIPP [DHS, 2006], which notesthat resilience of critical infrastructure and key re-sources may be more important than CI/KR protectionin ensuring continuity of operations.

4. STRATEGIC PREPAREDNESS,PROTECTION, AND RESILIENCE

Strategic preparedness connotes a set of policies, plans,and supporting infrastructure that is implemented inadvance of a natural or man-made disaster. It is aimedat reducing adverse consequences (e.g., response/re-covery time and cost) and/or consequence likelihoodsto a level considered acceptable. Preparedness thusrefers both to actions performed before a disaster andalso to the level of risk that results from such actions.Such acceptable levels of risk are obtained throughdecisionmakers’ implicit and explicit tolerance of vari-ous risks and tradeoffs.

Several homeland security presidential directives(HSPD) have been issued to establish a system forstrategic national preparedness. HSPD-8 formulates theUniversal Task List (UTL) and Target Capabilities List(TCL), which provide a consistent approach for dealingwith all of the National Planning Scenarios [DHS,2003a]. The UTL is arranged according to four prepar-edness missions: Prevent, Protect, Respond, and Re-cover, which are decomposed into objectives, functions,and tasks [DHS, 2003c]. According to the DHS, thenation’s level of preparedness lies in the ability tosuccessfully complete each UTL function, thus achiev-ing each objective of the four mission areas. The TCLhelps regions to assess their capabilities to fulfill themost important preparedness tasks [DHS, 2003b]. Con-templating the missions and objectives of preparednessfrom the UTL reveals the various levels of systemdetail/abstraction necessary to evaluate a region’s pre-paredness capability. For example, the Prevent missionis likely to focus on specific threats, the specific mate-rials and skills needed for those threats to be realized,and the collection of specific information concerningthe movement of those materials and skills. Alterna-tively, the Recovery mission is likely to focus on generalmeasures of regional growth, the interrelationshipsamong various sectors of the economy required to ac-complish that growth, and general incentives that mightbenefit those interrelationships. A review of the UTLand TCL illuminates why it is challenging to find theappropriate balance between investments in protective

measures (i.e., those that prevent and protect againstadverse consequences with a focus on component sys-tem specifics) and investments in resilience measures(i.e., those that reduce the impact and recovery to anacceptable time and cost with a focus on system-levelfeatures).

As stated, resilience measures can sometimes beobtained by implementing protective measures, but atother times they must be obtained through system re-definition and/or reconstruction. Given the premise thatresilience is an emergent system property related toterrorism and natural disasters, a question arises con-cerning the control or influence of such emergent prop-erties. Tools for influencing emergent propertiesinclude the use of:

1. punitive regulation or the threat of regulation;2. incentive-based regulation (e.g., tax-cut incen-

tives);3. technology that reduces the cost of particular

aspects of resilience (e.g., interoperable commu-nication);

4. analyses that influence the value systems ofstakeholders;

5. results of actual events such as 9/11 or hurricaneKatrina used as analogies that can influence be-havior related to other possible scenarios; and

6. improvements in information management andforecasting technologies that reduce forecast un-certainty.

Figure 1 illustrates how the process of risk managementmust integrate the development of protective and resil-ience measures. As shown, the common goal is todecrease the total possible impact from all possible risksin the most cost-effective manner. This is representedby the scale, which is labeled common risk scenariosand integrated cost/benefit analysis. The risks are miti-gated most effectively by a strategy including bothprotective and resilience measures. The figure showsthat an overly zealous focus on one or the other willresult in a decrease in the efficacy with which overallrisk can be reduced. For example, spending most re-sources on hardening through burying power lines orreinforcing flood walls and pumping systems will neverbe effective without improving event forecasting, train-ing and cross-training of response personnel, improve-ment of the response communication infrastructure, anda calculated distributed strategy for emergency materi-als handling.

Figure 1 illustrates the premise that protective meas-ures need to be adopted based on some accounting forthe emergent risk management steps that stakeholdersare taking to improve resilience. The figure also illus-



trates that promoting resilience measures through pol-icy and creating new solutions/technologies need to beharmonious with the specific protective measures thatare being promoted. The following discussion elabo-rates on this concept by identifying approaches tostimulate resilience efforts that have the potential togrow into important parts of the overall preparednessplans.

An important factor in understanding the behaviorof the private and public sectors regarding preparednessis the nonproductive and shortsighted nature of protec-tion—it is an expensive response to uncertain threatsthat has no associated product value. Moreover, opera-tions are interconnected and therefore transfer (or im-plicitly share) risk due to the structure of theirinterdependence. The result is frequently referred to asthe Tragedy of the Commons (discussed in detail inSection 0), wherein the resulting state of homelandsecurity is inferior. On the other hand, when protectionis balanced with proactive investments that add resil-ience—through better maintenance coupled with addedrobustness and appropriate redundancy—the tragedy ofthe commons syndrome may be reduced, and corporateleaders may be brought to a more effective partnershipwith government in the quest to create more securecritical infrastructures. This raises several interestingquestions: What is an appropriate and acceptable bal-ance between preparedness efforts focused on resil-ience on the one hand and prevention, deterrence, andprotection on the other hand? How can this balance beachieved? Research is needed to develop basic princi-ples to guide risk assessment and management and shedlight on these and related questions. A start at develop-ing needed principles is presented below.

5. FRAMEWORK COMPONENTS FORBALANCING PROTECTIVE ANDRESILIENCE MEASURES

Executives and regional policymakers in charge of pri-vately and publicly owned critical infrastructures arelikely to have sufficient answers to the three risk assess-ment questions posed by Kaplan and Garrick [1981]:(1) What can go wrong? (2) What is the likelihood? (3)What are the [direct and indirect] consequences? Prob-lems typically arise during the risk management proc-ess, namely, when answering the following threequestions [Haimes, 1991, 2004]: (1) What can be done,and what options are available? (2) What are the trade-offs in terms of all relevant costs, benefits, and risks?(3) What are the impacts of current decisions on futureoptions? Combining and paraphrasing the last twoquestions in risk management might provide answersfor the appropriate and acceptable balance betweenresilience and protection: What are the tactical andstrategic, short- and long-term tradeoffs associated withbalancing protection with resilience, and what are theassociated future impacts on the enterprise and theregion? This change in our perspectives about the trade-offs between protection and resilience invites a searchfor solutions that provide values in normal, everydaybusiness situations and added resilience in disaster situ-ations. The following sections describe componentsthat must exist in a framework to evaluate the balanceof protective and resilience measures in all risk man-agement options available for strategic preparednesspolicies.

5.1. Basic Systems EngineeringFramework ComponentsThis section describes several fundamental systemsengineering principles that provide an essential founda-

Figure 1. An integrated process for risk management.



tion for a framework to balance protective and resil-ience activities.

5.1.1. Metrics of Effective Risk ManagementStrategiesIt is essential for metrics to be effective in characterizingthe costs, risks, and benefits of the strategies, includingphysical security, cyber security, integral hardening,and emergency protocols. Comparing the response andrecovery times of several risk management strategiesrelative to the status quo is a challenging undertaking,but it can provide a process for evaluating the net benefitor efficacy of implementing those strategies. The TargetCapability List [DHS, 2003a] published recently by theDHS provides several broad categories of metrics, butmany of them are too generic and vague to build adecision framework. An evaluation of these metricsaccompanied by their decomposition to fit specific re-gional attributes will provide the measurement founda-tion to ground a study that will result in capabilities tobalance protective and resilience methods. Moreover,other studies on measuring adversarial and defenderadaptation, general city vulnerability, or other essentialelements have begun defining metrics (see, for exam-ple, Bier and Winterfeldt [2007], Haimes [2006], Bier[2007], Keeney [2007], Willis [2007], and DHS [2003b,2000c]).

5.1.2. Data for Characterizing Risk-Assessment andRisk Management StrategiesTo develop an assessment of regional system risk, ap-propriate data must be collected, whether in preexistingdatabases or gathered with a support system. This is acostly undertaking whose efficacy cannot be accuratelyassessed. Similarly, appropriate data must be collectedfor comparing risk management strategies by theircosts, risks, and benefits. However, many data are avail-able, and, when integrated, may provide a solid andcomplete understanding of a system. Methods must bedeveloped that integrate large-scale databases throughthe use of models, and analytical methods must provideinsight into risk management challenges and the effec-tiveness of resulting options.

5.1.3. Adaptive Frameworks for Action, GivenEver-Changing Threats, Objectives, and StakeholdersRisk management strategies for large-scale and com-plex publicly and privately owned systems must bedeveloped with such attributes and characteristics asagility, modularity, adaptability, robustness, and resil-ience. This is a challenge, due to the fact that changesare inevitable in the objectives, functionalities, andstakeholders of these systems. Improvisation as a potentstructure of spontaneity is an example of a powerful risk

management strategy [Gladwell, 2005]. RAND hassuggested a capabilities-based approach to planningunder uncertainty that might provide for a wide rangeof threats and circumstances within economic con-straints [Davis, 2002].

5.1.4. Impact Analysis of Current Risk ManagementStrategies on Future OptionsPublic and private organizations and their operatingenvironments and risk concerns are ever-changing.Thus, an essential role of risk management is to addressthe impacts of current decisions on future options.Recognizing an uncertain future is a necessary part ofselecting desired solutions and the corresponding re-quirements for the associated assets and infrastructures.Risk management analysts and decision-makers mustassess and evaluate plausible future threat scenarios thatwould require changes, and adapt appropriate strate-gies.

5.1.5. Analyzing the Effectiveness of Hard versus SoftPowerPlatow, Haslam, and Reicher [2007] describe how ef-fective, systematic change among people with diverseobjectives, goals, and characteristics comes from lead-ers who are perceived to create a commonly acceptedidentity that is appealing. They cite Lincoln, Gandhi,and others as effective leaders through their use ofso-called soft power. Understanding the effectivenessof soft power is important to controlling change in arealistic, loosely federated system of systems. Nye[2004: 5] in his book Soft Power writes:

We know that military and economic might often getothers to change their position. Hard power can rest oninducements (“carrots”) or threats (“sticks”) . . . . Softpower rests on the ability to shape the performance ofothers. At the personal level, we are all familiar withthe power of attraction and seduction. . . . and in thebusiness world, smart executives know that leadershipis not just a matter of issuing commands, but alsoinvolves leading by example and attracting others to dowhat you want.

Friedman [2007] expresses concern that we are notpublicizing events that could help brand our enemies asrepulsive and despicable. Indeed, systems’ attributes,such as preparedness, resilience, and protection, cannotbe effectively achieved in the US solely by hard power.Rather, developing trust; defining identity; enablinginformation sharing, communication, collaboration,and cooperation among the various principal players atall levels of governmental organizational and institu-tional infrastructure constitute the essence of soft poweras envisioned by Nye [2004]. Recently, not-for-profit



organizations, such as the Commonwealth HomelandSecurity Foundation,1 have seen some success. Theypromote research, information sharing, preparedness,and security through philanthropic giving by the privatesector in support of directed funding of research andsecurity initiatives that are not currently funded throughpublic financial support.

5.2. Infrastructure and Economic SectorInterdependencies

In order to model systems and their associated riskseffectively, it is necessary to understand how and towhat degree the component systems are interdependent,and the structure in which decisions are made to governthe infrastructure systems. Rinaldi, Peerenboom, andKelly [2001: 14] underscore the need to enhance inter-dependency analysis when they state that “it is clearlyimpossible to adequately analyze or understand thebehavior of a given infrastructure in isolation from theenvironment or other infrastructures; rather, we mustconsider multiple interconnected infrastructures andtheir interdependencies in a holistic manner.” For anygiven analysis, a subset of particularly relevant interde-pendencies will tend to dominate the modeling activity,depending on the questions that have been asked andthe decision-maker who will ultimately use the analyti-cal results for policy formulation.

Most systems exhibit multiple interdependencies.Zimmerman [2001] describes the social implicationsfrom infrastructure interactions. For the purposes ofanalysis, the modeler’s role is to isolate the relevantinterdependencies and build analytical tools to addressthe questions asked by decisionmakers to aid in formu-lating policy. Each coupling mode is characterized bydifferent functional and structural relationships. In ad-dition, each is subject to risk in different ways. Researchinitiatives to model interdependent systems could begrouped into four classes. They include approachesinvolving (1) object- or agent-based models, (2) systemdynamics models, (3) statistical, optimization, and ex-pert-based models, and (4) input-output-based models.

Marsh [2004] and Bagheri and Ghorbani [2007]model operational units of infrastructures as agentswhose objectives are to maintain operability in the faceof disruption and interdependence. The adverse conse-quences and associated likelihoods are estimatedthrough simulating the agents’ interactions. Other mod-els given object- or agent-based treatments include theMultilayer Infrastructure Network (MIN) [Zhang,Peeta, and Friesz, 2005], the Net-centric Effects-basedOperations Model (NEMO) [Goodwin and Lee, 2005],

and the Interdependent Energy Infrastructure Simula-tion System (IEISS) [Visarraga et al., 2005], amongothers, [Harp et al., 2000; Tolone et al., 2004; Outkinand Flaim, 2006; Macal and North, 2005; Panzieri,Setola, and Ulivi, 2004, 2005; and Hopkinson et al.,2006].

Brown, Beyeler, and Barton [2004] published resultsfrom the National Infrastructure Simulation and Analy-sis Center (NISAC) model, which is a large-scale pro-ject by several national labs to model and simulate thephysical interconnectedness of the US infrastructure fordecisionmaking. These identify various states of thesystem that can be measured as stocks and characterizesystem flows and feedbacks that impact those stocks.Other related simulation modules include the UrbanInfrastructure Suite (UIS) [Barrett et al., 2004] and theCritical Infrastructure Protection Decision SupportSystem (CIP-DSS) [Bush et al., 2005]. In addition,Houck et al. [2003], Johnson and Michelhaugh [2003],Beyeler et al. [2004], Conrad [2004], O’Reilly et al.[2004], Lee et al. [2005], Tam and Broadwater [2005],O’Reilly et al. [2006], and Kujawski [2006], amongothers, have published related work in internal andtechnical publications. These are based on a systemdynamics modeling paradigm that is flexible, extensi-ble, and able to capture system complexities throughincorporating both causal and statistical modeling [For-rester, 1969], but is largely limited by an extensive needfor immense data and computational resources.

Zimmerman [2005] gathered extensive varieties ofdata from news and other reports about infrastructureoperations after natural and man-made disasters. Thesedata collection efforts result in databases that are usedfor statistical analyses, building models that answerspecific questions about interdependencies. Similar in-terdependency assessment approaches supplementavailable data with expert judgment. These include theFast Analysis Infrastructure Tool (FAIT) [Stamber,Brodsky, and Detry, 2005] and the CARVER2 method[Peimer, 2006], among others, that further complementthis research with network or optimization models[Chakrabarty and Mendonqa, 2004; Abdalla, Tao, andAli, 2005; Dodrill et al., 2007; Buzna, Peters, andHelbing, 2006; Buzna et al., 2007].

Haimes and Jiang [2001] presented a more rigidmodeling schema whose results are derived analyticallyand whose structure is driven by available databases.Using large-scale databases by the Bureau of EconomicAnalysis (BEA) of the US Department of Commerce,and other federal agencies, and building on a NobelPrize-winning economic model by W. Leontief (1951a,1951b, 1966), the input-output based econometric mod-els have become quick, inexpensive, holistic methodsfor estimating economic impacts and sector interde-1 See http://hsfva.org/ for more information.



pendencies [Santos and Haimes, 2004; Haimes et al.,2005]. More than 60 countries maintain current input-output accounts of their economies [Dietzenbacher andLahr, 2004]. Additional Leontief-based interdepen-dency models include those by Okuyama [2004],Okuyama, Hewings, and Sonis [2004], and Issacharoffet al. [2006].

These are a limited sample, but describe the set ofwork that is moving forward to fill the NIPP declaredneed [DHS, 2006: 19]: “[M]athematical tools that com-pute cross-sector analytical results are insufficient be-cause they do not currently include quantitative andobjective interdependency information that can signifi-cantly impact the vulnerability or consequence-of-lossvalues assigned to an individual [critical infrastructuresector]. . . .” Improved knowledge and quantitativecapabilities to model interdependencies will help re-gions to design improved regional preparedness strate-gies.

5.3. Decision Interdependencies and theTragedy of the Commons

Effective preparedness requires planning for multipledecisionmaking perspectives, as depicted in the Hierar-chical Holographic Model (HHM) [Haimes, 1981].This includes factors such as human resources, technol-ogy, and policies; interface arrangements among agen-cies at all levels [readiness must involve the public andthe private sector, not only government and nongovern-ment organizations (NGOs)]; and interoperability andinformation-sharing that transcend security (such aspolice, fire, and emergency management services),health and safety, transportation, and critical utilitiesand infrastructures, among others.

One view of what might be a DHS perspective forpreparedness is presented in Figure 2. This can bedecomposed into three levels: (1) the Federal Emer-gency Management Agency (FEMA) and other federalagencies, (2) state and local emergency response agen-cies, and (3) other NGOs, such as the Red Cross andvolunteers.

Each agency can be decomposed according to ageographic scope of interest. For example, the nationcan be subdivided into ten regions that span severaladjacent states. For example, the Boston region hasMaine, New Hampshire, Massachusetts, and others. Foreach state, the decision-makers need to (effectively andefficiently) allocate Equipment, Materials, Commodi-ties, and Emergency Responders, among others. Thislevel of the hierarchy shows what might be the DHSview on preparedness as seen from the perspective offederal, state, and other emergency responders. Theseagencies need to coordinate their efforts based on their

geographic and jurisdictional boundaries in order togenerate efficient ways to allocate critical resourcessuch as equipment, materials, commodities, and re-sponders. In the next level of subtopics, the responders,for example, include Emergency Management Agency,Public Safety Communications, and Law Enforcement.For each responder, a number of critical infrastructuresneed special attention during the emergencies, includ-ing Information Technology, Telecommunications, andEnergy. The bottom level of the hierarchy shows analternate view of preparedness, with the major focus oncritical resources. More often than not, emergency re-sources are limited; hence, they must be properly inven-toried for efficient distribution to multiple agencies,taking into consideration geographic and jurisdictionalpolicymaking factors.

Using the HHM’s flipping feature [Haimes, 1981],many other views of this response structure are possi-ble. For example, in another view the first layer mightshow the types of critical infrastructures, as identifiedby the DHS, located in each of the ten geographicalregions. Underneath these geographical subtopicsmight be the agencies that work to allocate resourcesshown, such as Equipment, Materials, Commodities,and Emergency Responders. Other layers of subtopicsdecompose the responders, and alternative views of theHHM may be further explored. This flipping revealsthat various forces that impact decisions (ownership,federal regulatory agencies, and regional demand) sendmultiple messages that can result in the tragedy of thecommons scenario.

Garrett Hardin’s [1968] paper on the tragedy of thecommons describes how the equal use of commonlyowned property is jeopardized when individuals takeunequal actions. This principle applies to regions ofhighly interdependent infrastructure systems becauseoperational decisions applied to a particular sector havea large impact on more than its specific assets, indeedon the entire region. In two books, Bromley [1992] andBaden and Noonan [1998] provide extensive elabora-tions on the broad implications of the tragedy of thecommons. Heal and Kunreuther [2007] describe severaleconomic forces that interconnect decision incentivesthrough security externalities of interdependent deci-sions. In the present case, the “commons” is the securityof our infrastructures against risks of terrorism. In theUnited States today, a significant percentage of thephysical and cyber infrastructures are owned and oper-ated by the private sector. However, their uneven tacti-cal and strategic investments in the protection of theseinfrastructures against risks of terrorism are analogousto the tragedy of the commons. Although it is recog-nized that different infrastructures face different risksand have different degrees of economic freedom, there



Fig

ure

2. A

n H

HM

for

DH

S pr

epar

edne

ss.



is no shared view of appropriate accountability for thewhole from each of the parts. Corporate leaders natu-rally focus on their companies’ specific needs and donot view themselves as the guardians of our nation’scritical infrastructures.

In a pertinent article in the April 7, 2006 issue ofScience, titled “Cooperation, Punishment, and the Evo-lution of Human Institutions,” Henrich [2006: 60], ananthropologist, addresses the “commons” syndromefrom a fresh perspective explaining that the scale anddiversity of human cooperation is increasingly bringingtogether diverse empirical and theoretical approaches,and has energized evolutionary and economic re-searchers to ask: “Under what conditions will decision-makers sacrifice their own narrow self-interest to helpothers?”

Gürech, Irlenbusch, and Rockenbach [2006] rein-force the above thesis; they argue that altruistic punish-ment can, indeed, change the behavior of corporationstoward more cooperation. Although the perspective ofthe tragedy of the commons is compelling, it also mustbe recognized that the contribution to spreading andreducing risks is different for each company; thus,developing a “fair” rule for community action is nosimple matter. Nonetheless, it is important to under-stand the human and corporate dynamics from theperspectives of the tragedy of the commons, and to dothe work necessary to develop concepts that are under-stood by the various stakeholders as fair and practical.In addition, the role of regulation is likely to be a criticalpart of the solution. Efforts to develop concepts forregulation that are compatible with the concepts forcommunity action are a necessary part of treating resil-ience in a coherent manner.

5.4. Protective Strategies Complementedby Resilience Strategies

Infrastructure protection strategies must address theinterdependencies of preparedness plans; the dimen-sions of robustness, redundancy, and security; and theschedule and cost of recovery.

5.4.1. Evaluating and Publicly HighlightingShortfalls of Preparedness Plans for Response andRecoveryPreparedness is aimed at coping effectively with uncer-tainties that can lead to surprises, while minimizingrecovery time and cost. Hardening of critical systemsby adding robustness and redundancy are forms ofactionable preparedness plans. Preparedness planningaddresses resources (e.g., human resources and fund-ing), technology, and policies for the entire organizationthat operates and maintains the physical infrastructure

and the interface arrangement among agencies at alllevels. Thus, it strengthens the organizational resilienceof the system. Highlighting shortfalls can both createan understandable demand for new solutions (e.g., tech-nology and policy), and sensitize stakeholders to theirrole in providing resilience.

5.4.2. Schedule and Cost of Recovery of Assets andInfrastructuresIn spite of a considerable investment in protection, therestill may be a period during which unavoidable andundesirable degradation of infrastructure performancewill occur. Therefore, decision-makers are often chal-lenged to determine acceptable recovery times andcosts for restoring assets and operations to sufficientworking order and to develop risk management strate-gies that achieve those standard recovery times andcosts. Resources allocated to the risk management ofcritical publicly and privately owned assets and infra-structures must account for the hierarchical and holo-graphic features of the problem (multiple stakeholders,multiple perspectives). Across regional and functionalorganizations, the approach to resource allocationneeds to be repeatable and uniform, but neverthelessable to be particularized to local needs. The technicalanalyses of risk management strategies must be cogni-zant and supportive of the broader organizational andpolitical considerations in decision-making.

6. ILLUSTRATIVE EXAMPLE—BALANCINGHURRICANE PROTECTION ANDRESILIENCE

The components of the framework in Section 5 can beintegrated to study the balance between the implemen-tation of protective and resilience risk-mitigation ef-forts for any region. To illustrate the integration of someof these framework components, consider the followingexample for hurricane risk-mitigation efforts associatedwith unavailable potable water supply following a hur-ricane. Risks associated with unavailable potable waterare mitigated by contingent supply chains that are dy-namically created from existing component systems inthe region, including: post-hurricane transportationmobility, regional operating points of distribution,availability of contracts (e.g., a memorandum of under-standing), and availability of private resources of cor-poration (e.g., supermarket chains) and of manyregion-specific system resources. Protective options tomitigate risks include storage and maintenance of pota-ble water inventories, hardening of transportation as-sets, and the hardening of the potable water distributioninfrastructure. Resilience options include integratingpublic and private resources to prestage emergency



potable water in response to a forecast and distributingit through a coordinated strategy, educational strategiesthat result in a personally owned and maintained inven-tory of potable water, and improved forecasting andwarning methods, among others. This example illus-trates how an integrative modeling approach can pro-vide a means of quantifying some of the tradeoffsbetween protective options and resilience options in anemergent region. Consider the following three metricsas measures of the regional resilience:

a. cost of post-hurricane emergency potable waterdistribution (in US dollars)

b. quantity of potable water demand shortfall eighthours after a hurricane strike (in US gallons)

c. time required after a hurricane strike to reducepotable water demand shortfall to 10% (inhours).

Resilience measures (b) and (c) reflect the capability ofa region both to absorb the strike through hardenedinfrastructure and to recover from it through emergencypotable water distribution strategies (such as the distri-bution of bottled water). The capability to performpotable water distribution is one aspect of the region’sresilience with respect to potable water availability.Each of the resilience measures (a)–(c) are reflectionsof the way the emergent regional system behaves fol-lowing disruptions. Resilience measure (a) is in compe-tition with the other two. Because (c) can be derivedfrom (b) with some additional effort, for simplicity wewill focus on (a) and (b) only. In this example, theresilience of a region is the set of nondominated(Pareto-optimal) resilience measures (a, b) that resultfrom various available decision strategies. This set ofnondominated measures reflects the system-level capa-bility of a region, as explained below.

Evaluating resilience measures (a)–(c) requires anunderstanding of many components in the regionalsystem, including the process by which hurricanethreats exploit infrastructure vulnerabilities to result inthe adverse loss of potable water supply. Furthermore,it requires the capability to predict potable water de-mand based on population, tourism, and populationbehaviors (such as voluntary evacuation). Potable watersupply shortfall is the difference between the demandfor and available supply of potable water in US gallons.Once the a priori level of resilience has been establishedfor a region, protective options that change the vulner-abilities of assets can be modeled by reevaluating theprior model with posterior parameters of asset vulner-ability to hurricane wind, rain, and surge. However,evaluating resilience options requires integrating infor-mation, decision criteria, system understanding, and

associated uncertainties. This section illustrates howthis might be accomplished to compare the protectiveoption of facility hardening against the resilience optionof pre-staging emergency water supplies. Because thissummary is only for illustration, actual facility andregional data have been removed. Subsections 6.1–6.5briefly summarize the component system models inte-grated for this illustration. Subsection 0 presents somebasic results from the model as the basis for a discussionand for an illustration of how the general frameworkintegrates regional data; it also demonstrates the trade-offs among various resilience and protective methods.

6.1. Evaluating Potential Demand forEmergency Water

Crowther and Lee [2007] use 2006 Census Bureauestimates of population distributions by region and age.In addition, data were gathered describing various po-table water facilities in the region of interest. The ex-pected potential demand for emergency water wastherefore based on the population (plus estimated tour-ists minus expected number of evacuees) compared tothe capacity of expected operational water distributionfacilities. Several regional surveys [Bacot, Taylor, andLupari, 2006; Urban, 2005; McGhee and Grimes, 2006;VDOT, 2006] parameterized various aspects of themodeling to determine what portion of the populationwould evacuate and to ascertain whether those desiringto evacuate would be capable, given transportation ca-pacity from the region.

6.2. Evaluating Building Asset Damageswith HAZUS

Estimated water facility damages were gathered from acomputer simulation program, HAZUS-MH (hazardUS—multihazard), a geographic information systems(GIS)-based tool that estimates damages due to hurri-canes, earthquakes, and floods [NIBS, 2007]. Themodel assumes each water facility to have a low-risecharacteristic engineered commercial building(CECBL). The CECBL is a generic building type,where the damage-due-to wind-speed data are stored inHAZUS. Crowther and Lee [2007] use these data toestimate damage levels, measured in expected days oflost operation.

6.3. Decision Objectives

The objectives of prestaging emergency materials is toensure an ample supply to meet the emergency demandat minimal cost. In this case, failure to preorder can leadto a shortage of water to distribute when needed, but atan increased cost. The expected water shortage is cal-



culated by estimating the net water demand (estimatedby population demographics, tourist demographics,and evacuation estimates) and subtracting the wateravailability (estimated by the sum of water productionfrom operable facilities and emergency supply waterordered at one of the decision nodes). Negative numbers(where water supply exceeds demand) are set to zero.The cost objective function is modeled to reflect anincrease in the cost to ship water as the hurricaneapproaches. Emergency water shortage is measured inperson-days of water shortage compared with the Vir-ginia benchmark of 1 gallon of potable water per personper day during an emergency [Crowther and Lee, 2007].

6.4. Calculating Forecast TransitionProbabilities

The capability of a region to forecast storms is a com-ponent of the regional preparedness system. The USNational Hurricane Center (NHC) uses analytical toolsto forecast the track and intensity of these storms towarn local authorities of approaching threats. Prestag-ing decisions are made in response to these forecasts.Thus, the certainty in the hurricane forecasts contrib-utes to the resilience of the region. To simplify themodel for this illustration, consider all hurricanes as oneof three strengths: stronger (more than 200-year fre-quency), medium (about 100-year frequency), andweak (less than 50-year frequency). In order to find theuncertainties from the forecasts, we analyzed data fromall forecasts of all Atlantic storms hitting the East Coast

for the past 15 years. This amounted to more than 6000forecasts.

Assuming that a storm forecast predicts a direct hitto the region of interest, we can use the data to predictapproximately the expected probability with which thestorm forecast will differ from later forecasts and actualstorms. (In reality, the agency responsible for forecast-ing has knowledge of whether a forecast is either moreor less certain than the expectation.) Based on thecharacteristics of hurricanes, it is important to analyzethe error both in wind speed and in the position of thehurricane. As one moves away from the center of thehurricane, the wind dissipates. Using data from priorregional hurricanes, the wind speed decreases at a meanrate of 0.144 knots per nautical mile away from thecenter. (Again, this number can be replaced if a particu-lar storm is considered rather than the average of allregional storms.) Therefore, if a storm shifts 100 nauti-cal miles from the region, the wind speed of the regioncan be changed by approximately 15 knots (0.144 ×100), thus changing the infrastructure impact to theregion.

A probability distribution describing the joint prob-ability of a forecast error resulting in either a wind speedor track error was partitioned according to the specificgeography of the region and the average characteristicsof hurricanes. The results produced probability esti-mates of a specific impact, given the 72-h forecast ofthe 200-year probabilistic storm. These data, coupledwith the rate of decay of wind speed away from thecenter of the hurricane, indicated that the wind willcross a threshold of frequency classification at approxi-

Figure 3. Transition probabilities for 24-h forecast of a 200-year storm. [Color figure can be viewed in the online issue, whichis available at www.interscience.wiley.com.]



mately 90 nautical miles. Figure 3 below shows theuncertainty of 24-h forecasts for a 200-year storm andthe partitions for probability counts based on hurricaneand region characteristics.

The data indicate that over the past 15 years, a 24-hforecast of a 200-year storm results in approximately a40% chance that the storm will be weaker when itreaches the region of interest. Tables I and II show theestimates of transition probabilities given the NHC dataand the methodology described above.

Representing forecast uncertainty as forecast transi-tion probabilities enables us to integrate informationmodels with causal loss models to understand the effi-cacy of decisions. Decision efficacy will be representedas a frontier of available tradeoffs. Analysis-driven pre-paredness decisions that are implemented well in ad-vance of hurricane forecasts can change the shape orposition of the Pareto-optimal tradeoff frontier, asshown in the following section.

6.5. Model Integration for CalculatingResilience Measures

To integrate the available data and decision options tothe region, we build a multiple objective decision tree(MODT). In the following pedagogical application ofMODT, forecasts are given at 72 h and 24 h prior to astorm. At each time period the emergency planner de-cides how much water to order from outside corpora-tions (“order” or “no action” in this illustrative model).There exists a strong conditional relationship betweenthe 72-h and the 24-h forecasts, and as the trend forbetter forecasts continues, the correlation willstrengthen [Crowther and Lee, 2007]. At each node, thedecision-maker must weigh his decision based on twoobjectives: to minimize shipping costs and to minimizethe expected post-hurricane shortage of water.

6.6. Illustrative MODT Results andDiscussion

The results of this illustrative MODT analysis areshown in Figure 4. Sixteen courses of action (COAs)are possible across the two time frames, approximately50% of which were shown to be inferior because ofinformation uncertainty or unacceptable costs. Eachcourse of action is represented by one point on thegraph. The set of noninferior solutions, or the Pareto-optimal frontier, is highlighted by the line and repre-sents the tradeoffs that exist among the noninferiorforecast-responsive preparedness strategies, and pro-vides a measure of the region’s resilience capability.Three decision strategies are labeled in Figure 4 forillustration. The strategy to always order prestage ma-terials independent of hurricane forecast (labeled at thetop left of the figure) is dominated by strategies to orderonly in the event of a 100-year storm (labeled at themiddle left of the figure), and to never prestage emer-gency water supplies (labeled at the bottom right of thefigure).

The results from the MODT highlight the nonin-ferior courses of action (COAs) and provide the deci-sion-maker with quantifiable tradeoffs between twodifferent resilience objectives. To formulate an opera-tional strategy, a decision-maker must decide whatcosts or levels of potable water shortage are acceptable.If no shortage in potable water can be tolerated, then thebest strategy (according to the illustrative results in Fig.4) is to prestage emergency water at every forecast of a100-year storm, or worse. The cost of this strategy canbe compared against protective measures that woulddecrease the likelihood of potable water outage (e.g.,strategies that would prevent flooding into potablewater distribution facilities), decrease the costs of con-tingent distribution of potable water (e.g., better contin-gency contracts or available local inventories), orincrease effectiveness of contingent delivery (e.g., hard-ened transportation roadways). It is critical at this stageto underscore the fact that this tradeoff curve is ameasure of the resilience of the region with respect topotable water distribution. Figure 5 illustrates how thePareto-optimal frontier of noninferior solutions shiftsdownward with increased investments in protective pre-paredness measures. One such measure is infrastructurehardening, where activities may include storing andmaintaining potable water inventories, hardening trans-portation assets, or hardening the potable water distri-bution infrastructure.

Alternate views of the tradeoffs in Figure 5 providemore insight into the ability of a region to make trade-offs among forecast-responsive preparedness measuresand analysis-responsive measures. Other results can be

Table I. Transition Probabilities for 72-h Forecast ofa 200-Year Hurricane

Table II. Transition Probabilities for Various 24-hForecasts



evaluated similar to those shown in Figure 4, whereinthe noninferior decision strategies are graphed in mul-tiple objectives.

Figure 6(a) is the same as Figure 5 with more genericaxis labels to emphasize its general applicability tounderstanding resilience. These graphs indicate the setsof Pareto-optimal or noninferior decision strategies thatconstrain response behavior, given the system charac-teristics, component system functionality, and lossmechanisms built into the model schema. However, thedata in the graph may be “folded” or “flipped” to redrawthe axis with a different focus. Similarly, using the samedata presented in Figure 6(a), the tradeoffs betweenresponsive action costs and protective action costs canbe made explicit and graphed with a constant level oflines of a particular resilience measure as shown inFigure 6(b). Such analyses enable us to understand the

Figure 4. Result of MODT analysis with Pareto-optimal frontier.

Figure 6. Example charts representing model results with resilience measures graphed against responsive and protective actioncosts. [Color figure can be viewed in the online issue, which is available at www.interscience.wiley.com.]

Figure 5. Pareto-optimal frontier shifts as a result of analy-sis-responsive preparedness activities, such as protective in-frastructure hardening. [Color figure can be viewed in theonline issue, which is available at www.interscience.wiley.com.]



constrained resource allocation decisions a region mustmake to achieve a level of acceptable resilience. Figure7 illustrates a potential method for using the calculatedtradeoffs among protective and responsive action costsshown in Figure 6.

In Figure 7 a decision-maker can choose an accept-able level of loss. In the case of emergency water, forexample, a regional authority could decide to accept upto a 10% potable water shortfall for 72 h. This resultsfrom a set of tradeoffs that demonstrate the estimatedeffectiveness of various strategies that combine invest-ments in protective and responsive actions. Or, moregenerally, it could reflect the tradeoffs between invest-ments in resilience and the protection of a region.Because protective actions are set early, they are con-strained by a particular budget. The maximum expen-diture of this budget then yields an estimate ofemergency funding required for responsive actionswhen the hazardous event occurs. Understanding thetradeoff will enable better-directed efforts at protectiveaction costs that maximally reduce the responsive coststo within the acceptable level of loss tolerated by theregion.

This simple example has illustrated the complexityrequired for evaluating system resilience. It requiresintegrating such characteristics as component systemactions, decisions, constraints, information forces, anduncertainty. However, it cannot be ignored if we are toachieve effective and efficient management of ourhomeland security systems. Moreover, the results illus-trated in this example are reflective of only a small setof decision strategies, over a small time horizon, for alimited set of hazards. As the number of factors in-creases, the complexity of the computations expands.Currently this specific methodology yields insights foronly limited combinations of hazards, decision strate-gies, and time horizons. However, the principles illus-

trated here provide insight into the effectiveness ofconsidering broad tradeoffs between resilience and pro-tection in a regional preparedness framework for home-land security.

This simple example is intended to be pedagogicaland exploratory, not policy prescriptive. However, webelieve that similar analyses might have identified theinferiority of certain decisions that led to the NewOrleans disaster. They could have clearly illustrated aset of Pareto-optimal decisions and provided a quanti-tative method to evaluate levee maintenance and hard-ening compared to other regional investment choices.The greatest benefit to planners will be to developquantitative and justifiable systems methods as de-scribed in the previous section. This would enable es-tablishing a clear, specific, and regionally customizedconcept of operation for public servants, elected offi-cials, and component system owners and operators.Such methods would justify investments in protectiveactions and system-level actions for the efficient im-provement of strategic preparedness.

7. EPILOGUE

This paper introduces a concept for the system planningefforts related to large-scale systems that consist of arich mixture of formally designed subsystems andemergent subsystems. This refers to those parts of asystem that may or may not come into being based onsequences of events and system stakeholder responsesto those events. In turn, such events may or may notultimately lead to a transformation resulting in a newsubsystem that becomes a formal and supported part ofthe overall system). Planning methods and solutionpossibilities are presented for such systems so thatemergence of positive results is, at a minimum, notprevented, and where possible, is stimulated and sup-

Figure 7. Decision strategy given tradeoffs between protection and responsive costs. [Color figure can be viewed in the onlineissue, which is available at www.interscience.wiley.com.]



ported by the formally designed portion of the overallsystem. In order to make the proposed system-planningapproach tangible and to guide conceptual thinking, thepaper discusses various analytical areas that wouldresult in understanding emergent preparedness systemsand regional resilience. A very simple example illus-trates several of these concepts within this applicationarea.

The cost is extremely high to create a government-designed and -implemented national preparedness sys-tem that focuses on protection methods for significantlyreducing risks resulting from the wide range of possiblenatural and terrorist threats. We believe that this fact hasled to a period of relative stagnation in terms of select-ing solutions to be implemented. The focus on resil-ience has already increased in the last several years, andan appropriate balance between protective actions andthose that build system resilience will provide an effi-cient preparedness solution that our regional economieswill capably absorb. This paper recognizes that someparts of the preparedness system must emerge throughthe integrated outcomes of individual stakeholder deci-sions and efforts, and other parts can be systemicallycreated through organized and focused activities. At thistime, no approach has been developed to deal with thissubject as an integrated system planning activity. Inparticular, our analysis of a preparedness system di-vides the system properties into categories that are moreor less likely to be addressed through either formallydesigned or emergent subsystems. We define and dis-cuss the properties for resilience in the face of terroristattacks or natural disasters as principally dependent onemergent subsystems, and the properties for preventingor minimizing the consequences of attacks or naturaldisasters as more dependent on formally designed sub-systems. The integration into a balanced preparednesssystem is discussed as well. Research efforts are calledfor to enrich the ideas presented in this paper, and toapply them not only to a national preparedness system,but to other systems as well.

ACKNOWLEDGMENTS

We greatly appreciate the valuable comments of anony-mous reviewers that have helped to shape this manu-script. We value the contributions of the followingindividuals through numerous brainstorming sessions,seminars, and comments on various versions of thispaper: our colleagues, James Lambert and Joost Santos,and our graduate students, Kash Barker, Matt Henry,and Zhenyu Yan. We also thank George Foresman (dur-ing his tenure as Assistant to the Virginia Governor onPreparedness, and Undersecretary for Preparedness,

US Department of Homeland Security); RobertCrouch, Assistant to the Virginia Governor on Prepar-edness; Steve Mondul, Deputy Assistant to the VirginiaGovernor on Preparedness; and Wayne Ferguson, As-sociate Director, Virginia Transportation ResearchCouncil, for their stimulating discussion and guidance.We also thank Erika Evans for her tireless administra-tive support throughout the performance of this re-search, and Madelyn Lefkowitz, Joanne Foster, andGrace Zisk for their technical editorial assistance. Theviews presented in this paper represent only those of theauthors.

The research in this paper has been partially sup-ported from the following grants and contracts: Na-tional Science Foundation; Virginia Governor’s Officefor Commonwealth Preparedness; Virginia Transporta-tion Research Council (VTRC); and the Institute forInformation Infrastructure Protection (I3P).

REFERENCES

R. Abdalla, V. Tao, and H. Ali, Location-based infrastructureinterdependency: New term, new modeling approach,Proc Geoinformatics, 2005.

C.W. Anderson, J.R. Santos, and Y.Y. Haimes, A risk-basedinput-output methodology for measuring the effects of theAugust 2003 northeast blackout, Econom Syst Res 19(2)(2007), 183–204.

H. Bacot, G. Taylor, and B. Lupari, Hurricane preparationamong Virginia residents: Exploring public opinion oncitizens’ perspectives of hurricane preparedness, plan-ning, experience, and government trust, Elon University,Department of Political Science, Elon, NC, 2006.

J.A. Baden and D.S. Noonan, Managing the commons, 2ndedition, Indiana University Press, Bloomington, Indian-apolis, 1998.

E. Bagheri and A.A. Ghorbani, 2007, Conceptualizing criticalinfrastructures as service oriented complex interdepend-ent systems, Int Conf Inform Technol Management(ICITM’07), ACM, Hong Kong, 2007.

C.L. Barrett, S. Eubank, V.S.A. Kumar, and M.V. Marathe,The mathematics of networks, understanding large-scalesocial and infrastructure networks: a simulation-basedapproach, SIAM News 37(4) (2004).

W.E. Beyeler, S.H. Conrad, T.F. Corbet, G.P. O’Reilly, andD.D. Picklesimer, Inter-infrastructure modeling—portsand telecommunications, Bell Labs Tech J 9(2) (2004),91–105.

V.M. Bier, Choosing what to protect, Risk Anal 27(3) (2007),607–620.

V.M. Bier and D. von Winterfeldt, 2007, Meeting the chal-lenges of terrorism risk analysis, Risk Anal 27(3) (2007),503–504.

B.S. Blanchard and W.J. Fabrycky, Systems engineering andanalysis, 2nd edition, Prentice-Hall, Englewood Cliffs,NJ, 1990.



I.V. Blauberg, V.N. Sadovsky, and E.G. Yudin, Systems the-ory: Philosophical and methodological problems, Pro-gress Press, Moscow, 1977.

D.W. Bromley (Editor), Making the commons work, ICSPress, Institute for Contemporary Studies, San Francisco,1992.

T. Brown, W. Beyeler, and D. Barton, Assessing infrastructureinterdependencies: The challenge of risk analysis for com-plex adaptive systems, Int J Critical Infrastruct 1(1)(2004), 108–17.

W. Buckley (Editor), 1968, Modern systems research for thebehavioral scientist: A sourcebook, Aldine, Chicago,1968.

B. Bush, L. Dauelsberg, R. LeClaire, D. Powell, S. DeLand,and M. Samsa, Critical infrastructure protection decisionsupport system (CIP/DSS) project overview, 3rd Int ConfSyst Dyn Soc, 2005.

L. Buzna, K. Peters, and D. Helbing, Modelling the dynamicsof disaster spreading in networks, Physica A Stat MechAppl 363(1) (2006), 132–140.

L. Buzna, K. Peters, H. Ammoser, C. Kuhnert, and D. Hel-bing, Efficient response to cascading disaster spreading,Phys Rev E 75 (2007), 056107.

M. Chakrabarty and D. Mendonqa, Integrating visual andmathematical models for the management of interdepend-ent critical infrastructures, Proc 2004 IEEE Int Conf SystMan Cybernet, 2004.

S.H. Conrad, The dynamics of agricultural commodities andtheir responses to disruptions of considerable magnitude,22nd Int Conf Syst Dyn Soc, Oxford, UK, July 25–29,2004.

K.G. Crowther and A.G. Lee, Risk analysis of an emergencywater distribution plan for Hampton Roads, Proc Manag-ing Eng Complex Situations Conf, Norfolk, VA, 2007.

P.K. Davis, Analytic architecture for capabilities-based plan-ning, mission-system analysis, and transformation,RAND, Santa Monica, CA, 2002.

DHS (Department of Homeland Security), Homeland Secu-rity Presidential Directive-8: National Preparedness,Washington, DC, http://www.whitehouse.gov/news/re-leases/2003/12/20031217-6.html, 2003a.

DHS (Department of Homeland Security), Target Capabili-ties List, Washington, DC, http://www.ojp.us-doj.gov/odp/docs/TCL1_1.pdf, 2003b.

DHS (Department of Homeland Security), Universal TaskList , Washington, DC, ht tp: / /www.ojp.us-doj.gov/odp/docs/UTL21.pdf, 2003c.

DHS (Department of Homeland Security), National Infra-structure Protection Plan, Washington, DC,http://www.dhs.gov/interweb/assetlibrary/NIPP_Plan.pdf, 2006.

E. Dietzenbacher and M.L. Lahr, Wassily Leontief and input-output economics, Cambridge University Press, Cam-bridge, 2004.

K. Dodrill, J.H. Garrett, Jr., S. Matthews, C.Y. Shih, and L.Soibelman, Knowledge management and visualization insupport of vulnerability assessment of electricity produc-

tion, Paper #07-2540, Transportation Res Board 86thAnnu Meet, 2007.

J. Forrester, Urban dynamics, Pegasus Communications,Waltham, MA, 1969.

T.L. Friedman, Swift-boated by Bin Laden, The New YorkTimes, August 26, 2007.

M. Gladwell, Blink: The power of thinking without thinking,Little, Brown, New York, 2005.

B.L. Goodwin and L. Lee, Planning and assessing Effects-Based Operations (EBO), 2005 Int Command Control ResTechnol Symp, 2005.

Ö. Gürerk, B. Irlenbusch, and B. Rockenbach, The competi-tive advantage of sanctioning institutions, Science 312(April 2006), 108, 1 p.

Y.Y. Haimes, Hierarchical analyses of water resources sys-tems: Modeling and optimization of large-scale systems,McGraw-Hill, New York, 1977.

Y.Y. Haimes, Hierarchical holographic modeling, IEEE TransSyst Man Cybernet 11(9) (1981), 606–617.

Y.Y. Haimes, Total risk management, Risk Anal 11(2) (1991),169–171.

Y.Y. Haimes, Risk modeling, assessment, and management,2nd edition, Wiley, New York, 2004.

Y.Y. Haimes, On the definition of vulnerabilities in measuringrisks to infrastructures, Risk Anal 26(2) (2006), 293–296.

Y.Y. Haimes, N.C. Matalas, J.H. Lambert, B.A. Jackson, andJ.F.R. Fellows, Reducing the vulnerability of water supplysystems to attack, J Infrastructure Syst 4(4) (1998), 164–177.

Y.Y. Haimes, B.M. Horowitz, J.H. Lambert, J.R. Santos, C.Lian, and K.G. Crowther, Inoperability Input-OutputModel (IIM) for interdependent infrastructure sectors:Theory and methodology, ASCE J Infrastruct Syst 11(2)(2005), 67–79.

Y.Y. Haimes and P. Jiang, Leontief-based model of risk incomplex interconnected infrastructures, ASCE J Infras-truct Syst 7(1) (2001), 1–12, 111–117.

Y. Haimes, J. Santos, K. Crowther, M. Henry, C. Lian, and Z.Yan, Risk analysis in interdependent infrastructures, In E.Goetz and S. Shenoi, Critical Infrastructure Protection,Springer, New York, 2008.

A.D. Hall III, Metasystems methodology, Pergamon, Oxford,1989.

G. Hardin, The tragedy of the commons, Science 162 (De-cember 1968), 1343–1348.

S.A. Harp, S. Brignone, B.F. Wollenberg, and T. Samad,SEPIA: A simulator for electric power industry agents,IEEE Control Syst Mag 20(4) (2000), 53–69.

G. Heal and H. Kunreuther, Modeling interdependent risks,Risk Anal 27(3) (2007), 621–634.

J. Henrich, Cooperation, punishment, and the evolution ofhuman institutions, Science 312 (April 2006), 60–61.

C.S. Holling, Resilience and stability of ecological systems,Annu Rev Ecol Systematics 4(1) (1973), 1–23.

E. Hollnagel, D.D. Woods, and N. Leveson, (Editors), Resil-ience engineering: Concepts and precepts, Ashgate Press,Aldershot, UK, 2006.



K.M. Hopkinson, R. Giovanini, X Wang, K.P. Birman, D.V.Coury, and J.S. Thorp, EPOCHS: A platform for agent-based electric power and communication simulation builtfrom commercial off-the-shelf components, IEEE TransPower Syst 21(2) (2006), 548–558.

D.J. Houck, E. Kim, G.P. O’Reilly, D.D. Picklesimer, and H.Uzunalioglu, A network survivability model for criticalnational infrastructure, Bell Labs Tech J 8(4) (2003),153–172.

L. Issacharoff, S. Bologna, V. Rosato, G. Dipoppa, R. Setola,and E. Tronci, A dynamical model for the study of com-plex systems’ interdependence, Proc Int Workshop Com-plex Network Infrastructure Protection, 2006.

P.E. Johnson and R.D. Michelhaugh, Transportation RoutingAnalysis Geographic Information System (TRAGIS)user’s manual, ORNL/NTRC-006, Oakridge, TN, 2003.

S. Kaplan and B.J. Garrick, On the quantitative definition ofrisk, Risk Anal 1(1) (1981), 11–27.

R.L. Keeney, Modeling values for anti-terrorism analysis,Risk Anal 27(3) (2007), 585–596.

E. Kujawski, Multi-period model for disruptive events ininterdependent systems, Syst Eng 9(4) (2006), 281–295.

E.E. Lee, W.A. Wallace, J.E. Mitchell, and D. Mendonca,Decision technologies for protection of critical infrastruc-tures, Proc Working Together: R&D Partnerships inHomeland Security, 2005.

W.W. Leontief, Input-output economics, Scientific Amer185(4) (October 1951a), 15–21.

W.W. Leontief, The structure of the American economy,1919–1939: An empirical application of equilibriumanalysis, 2nd edition, International Arts and SciencesPress, New York, 1951b.

W.W. Leontief, Input-output economics, Oxford UniversityPress, New York, 1966.

C.M. Macal and M.J. North, Validation of an agent-basedmodel of deregulated electric power markets, North AmerAssoc Comput Social Org (NAACSOS) Conf, 2005.

M.W. Maier and E. Rechtin, The art of systems architecting,2nd edition, CRC Press, New York, 2000.

S. Marsh, Critical infrastructure interdependencies, Natl ResCouncil Canada 2004–2005 Coll Ser, November 4, 2004.

N.C. Matalas and M.B. Fiering, “Water-resource systemsplanning,” Studies in geophysics: Climate, climatechange, and water supply, National Academy of Sciences,Washington, DC, 1977, pp. 99–110.

C. McGhee and M. Grimes, An operational analysis of theHampton Roads Hurricane Evacuation Traffic ControlPlan, Vol. VTRC 06-R15, Virginia Transportation Re-search Council, Richmond, 2006.

NIBS (National Institute of Building Sciences), HAZUS:Multihazard Loss Estimation Methodology Program over-view. http://www.nibs.org/hazusweb/overview/over-view.php, accessed April 28, 2007.

NRC (National Research Council), Making the nation safer:The role of science and technology in countering terror-ism, Committee on Science and Technology for Counter-ing Terrorism, National Research Council of the National

Academies, The National Academies Press, Washington,DC, 2002.

J.S. Nye, Jr., Soft power: The means to success in worldpolitics, Public Affairs Press, New York, 2004.

Y. Okuyama, Modeling spatial economic impacts of an earth-quake: Input-output approaches, Disaster PreventionManagement 13(4) (2004), 297–306.

Y. Okuyama, G.J.D. Hewings, and M. Sonis, “Measuringeconomic impacts of disasters: Interregional input-outputanalysis using a sequential interindustry model,” Model-ing the spatial economic impacts of natural hazards, Y.Okuyama and S. Chang (Editors), Springer, Heidelberg,2004, pp. 77–102.

G.P. O’Reilly, D.J. Houck, E. Kim, T.B. Morawski, D.D.Picklesimer, and H. Uzunalioglu, Infrastructure simula-tions of disaster scenarios, IEEE Telecommun NetworkStrategy Plan Symp, June 13–16, 2004.

G.P. O’Reilly, A. Jrad, T. Brown, and S. Conrad, Criticalinfrastructure analysis of telecom for natural disasters,IEEE Telecommun Network Strategy Plan Symp, Novem-ber 2006.

A. Outkin and S. Flaim, FinSim: Financial infrastructure as acomplex decentralized system, 26th Annu Conf CenterNonlin Stud, Socio-Tech Syst: Bridging the scales, 2006.

S. Panzieri, R. Setola, and G. Ulivi, An agent-based simulatorfor critical interdependent infrastructures, Proc 2nd IntConf Critical Infrastructures, 2004.

S. Panzieri, R. Setola, and G. Ulivi, An approach to modelcomplex interdependent infrastructures, Proc 16th Int FedAutomat Control World Cong, 2005.

R. Peimer, Target analysis, Emergency Management, Novem-ber 27, 2006. Avai lable online at http://www.ni2cie.org/targetanalysis.php.htm

M.J. Platow, S.A. Haslam, and S.D. Reicher, The new psy-chology of leadership: recent research in psychologypoints to secrets of effective leadership that radicallychallenge conventional wisdom, Scientific Amer Mind18(4) (2007), 22–29.

PCCIP (President’s Commission on Critical InfrastructureProtection), Establishing the President’s Commission onCritical Infrastructure Protection (PCCIP), Executive Or-der 13010, The White House, Washington, DC, July 15,1997.

S.M. Rinaldi, J.P. Peerenboom, and T.K. Kelly, Identifying,understanding, and analyzing critical infrastructure inter-dependencies, IEEE Control Syst Mag 21(6) (2001), 11–25.

A. Rose and S. Liao, Modeling regional economic resilienceto disasters: A computable general equilibrium analysis ofwater service disruptions, J Regional Sci 45(1) (2005),75–112.

A.P. Sage, Methodology for large scale systems, Wiley, NewYork, 1977.

A.P. Sage, Systems engineering, Wiley, New York, 1992.A.P. Sage, Systems Management for information technology

and software engineering, Wiley, New York, 1995.A.P. Sage, Personal communication, 2006.



A.P. Sage and C.D. Cuppan. On the systems engineering andmanagement of systems of systems and federations ofsystems; Information, Knowledge, and Systems Manage-ment 2(4) (2001), 325–345.

J.R. Santos, Inoperability input-output modeling of disrup-tions to interdependent economic systems, Syst Eng 9(1)(2006), 20–34.

J.R. Santos and Y.Y. Haimes, Modeling the demand reductioninput-iutput inoperability due to terrorism of intercon-nected infrastructures, Risk Analysis, 24(6) (2004), 1437–1451.

K.L. Stamber, N.S. Brodsky, and R.J. Detry, Fast turnaroundanalysis of critical infrastructure and tool development tosupport analytic efforts, Proc Working Together: R&DPartnerships in Homeland Security, 2005.

K.S. Tam and R. Broadwater, A framework to model interde-pendent engineering systems, Proc Model IdentificationControl, 2005.

W.J. Tolone, D. Wilson, A. Raja, W. Xiang, H. Hao, S. Phelps,and E.W. Johnson, 2004, Critical infrastructure integra-tion modeling and simulation, Proc Second Symp IntellSecurity Informatics, Springer, Berlin, 2004.

J.L. Tsang, J.H. Lambert, and R.C. Patev, Extreme eventscenarios for planning of infrastructure projects. J Infra-structure Syst 8(2) (2002), 42–48.

D.J. Urban, Virginians’ attitudes towards emergency prepar-edness, Virginia Commonwealth University, School ofBusiness and Center for Public Policy, Richmond, 2005.

VDOT (Virginia Department of Transportation), HamptonRoads Hurricane Traffic Control Plan, http://www.vir-giniadot.org/travel/resources/Hurricane2006.pdf, June2006.

D. Visarraga, B. Bush, S. P. Linger, and T. N. McPherson,Development of a JAVA based water distribution simula-tion capability for infrastructure interdependency analy-

ses. Proceedings of Environmental and Water ResourcesInstitute 2005: Impacts of Global Climate Change, 2005.

L. von Bertalanffy, General system theory, George Braziller,New York, 1968.

J.N. Warfield, Societal systems, Wiley, New York, 1976.R. Westrum, “A typology of resilience situations,” Resilience

engineering: Concepts and precepts, E. Hollnagel, D.D.Woods, and N. Leveson (Editors), Ashgate Press, Alder-shot, UK, 2006, pp. 49–60.

N. Wiener, Cybernetics, or control and communication in theanimal and the machine, Wiley, New York, 1948.

N. Wiener, Cybernetics, or control and communication in theanimal and the machine, 2nd edition, Wiley, New York,1961.

H.H. Willis, Guiding resource allocations based on terrorismrisk, Risk Anal 27(3) (2007), 597–606.

D.D. Woods, “Creating foresight: Lessons for resilience fromColumbia,” Organization at the limit: NASA and theColumbia disaster, M. Farjoun and W.H. Starbuck (Edi-tors), Blackwell, New York, 2005, pp. 289–308.

D.D. Woods, “Essential characteristics of resilience,” Resil-ience engineering: Concepts and precepts, E. Hollnagel,D.D. Woods, and N. Leveson (Editors), Ashgate Press,Aldershot, UK, 2006, pp. 21–34.

P. Zhang, S. Peeta, and T. Friesz, Dynamic game theoreticmodel of multi-layer infrastructure networks, NetworksSpatial Econom 5(2) (2005), 147–178.

B.P. Zigler, Multifaceted modeling and discrete event simu-lation, Academic, New York, 1984.

R. Zimmerman, Social implications of infrastructure networkinteractions, J Urban Technol 8(3) (2001), 97–119.

R. Zimmerman, “Critical infrastructure and interdependen-cies,” McGraw-Hill handbook of homeland security, D.Kamien (Editor), McGraw-Hill, New York, 2005.



Yacov Y. Haimes is the Lawrence R. Quarles Professor of Systems and Information Engineering, andFounding Director (1987) of the Center for Risk Management of Engineering Systems at the Universityof Virginia. He received his M.S. and Ph.D. (with Distinction) degrees in Systems Engineering fromUCLA. On the faculty of Case Western Reserve University for 17 years (1970–1987), he served as Chairof the Systems Engineering Department. As AAAS-AGU Congressional Science Fellow (1977–1978),Dr. Haimes served in the Office of Science and Technology Policy, Executive Office of the President, andon the Science and Technology Committee, US House of Representatives. He is a Fellow of seven societies,including the IEEE, INCOSE, and the Society for Risk Analysis, where he is a past President. The secondedition of his most recent book, Risk Modeling, Assessment, and Management, was published by JohnWiley & Sons in 2004 (the first edition was published in 1998). Professor Haimes is the recipient of the2001 Norbert Weiner Award, the highest award presented by the Institute of Electrical and ElectronicsEngineers; Systems, Man, and Cybernetics Society, the 2000 Distinguished Achievement Award, thehighest award presented by the Society for Risk Analysis, the 1997 Warren A. Hall Medal, the highestaward presented by Universities Council on Water Resources, the 1995 Georg Cantor Award, presentedby the International Society on Multiple Criteria Decision Making, and the 1994 Outstanding ContributionAward presented by the Institute of Electrical and Electronics Engineers; Systems, Man, and CyberneticsSociety, among others. He is the Engineering Area Editor of Risk Analysis: An International Journal,member of the Editorial Board of Journal of Homeland Security and Emergency Management, andAssociate Editor of Reliability Engineering and Systems Safety and ASCE Journal of InfrastructureSystems. He has served on and chaired numerous national boards and committees, and is a consultant topublic and private organizations. He has authored (and co-authored) six books and over 250 editorials andtechnical publications, has edited 20 volumes, and has served as dissertation/thesis advisor to 30 Ph.D.and 70 M.S. students. Under Dr. Haimes’ direction, the Center for Risk Management of EngineeringSystems has focused most of its research during the last decade on risks to infrastructures and safety-criti-cal systems.

Kenneth Crowther is research assistant professor with the Center for Risk Management of EngineeringSystems in the Department of Systems and Information Engineering at the University of Virginia inCharlottesville. He completed his Ph.D. in January 2007, at which time he was appointed to the Universityof Virginia faculty. His dissertation focused on risk analysis of multiregional systems. During his time asa graduate student, he published several papers in archival journals, delivered several conferencepresentations, and was awarded several achievement-based awards, including the distinguished graduatestudent award, an honorary departmental fellowship, and the outstanding graduate service and achieve-ment award. Dr. Crowther was appointed postdoctoral research fellow with the Institute for InformationInfrastructure Protection during the summer of 2007 to explore the risks and tradeoffs inherent in identitymanagement of regional and multiregional emergency response systems. His work is currently focusedin the area of strategic preparedness.

Barry M. Horowitz received an MSEE and Ph.D. from New York University in 1967 and 1969 and a BEEfrom the City College of New York in 1965. Dr. Horowitz joined the University of Virginia’s faculty as aProfessor in the Systems and Information Engineering Department in September 2001, after an industrialcareer involving the application of systems engineering to many large and complex systems. From 1969through 1996 he was employed in a variety of positions at the Mitre Corporation, including the last fiveyears as President and CEO and the three prior years as Executive Vice President and COO. During histime at Mitre he played major roles in the Company’s military, intelligence, and civil aviation sectors. Hereceived the Air Force’s highest award for a civilian as a result of this effort. In 1995, he authored a bookentitled Strategic Buying for the Future, which highlighted significant problems in the development oflarge military systems and corresponding approaches to solving these problems. In 1996, he foundedConcept Five Technologies, an e-business systems development company focused on the creation andapplication of standards-based frameworks for the secure integration of large business-to-businesse-business systems. As a result of his efforts, in 1996 Dr Horowitz was elected into the National Academyof Engineering. He is also a member of the Tau Beta Pi and Eta Kappa Nu honor societies.



homeland security preparedness: balancing protection with resilience in emergent systems

Documents