Any risk-management approach to security must start from the premise that uncertainty is the basic condition of human knowledge. Risk-management systems are always surrounded by uncertainties that make security provision far from perfect. In this article I briefly sketch 10 uncertainties of any risk-management system, with application to the risk of terrorist activity.
I. Risk is a statement of uncertainty
Risk is the probability of contingent harm, assessed in terms of frequency of occurrence and severity of loss. While statements of risk are intended to provide more certainty, they also convey uncertainty. They are at once expressions of knowledge and expressions of ignorance: uncertain knowledge claims about contingent future events that cannot be fully known (Adams 1995, 2003).
The capacity to assess and manage risk varies by the type of harm involved (Hood, Rothstein, and Baldwin 2001; Ericson and Doyle 2004a). Terrorist activity is especially difficult to assess in terms of frequency and severity (Ericson and Doyle 2004b). Terrorism is intentional catastrophe that can occur anywhere, at any time, repeatedly (Reuter 2004). Indeed, terrorists are in the business of uncertainty, playing on randomness to keep whole populations in fear, anticipation, and disestablishment. They precipitate an urge in the population for more certainty--expressed through escalating security measures--but are adept at grasping the rationality of each new security measure in order to subvert it and induce more uncertainty. The terrorist power of uncertainty is especially strong precisely because we live in a society dominated by the desire to tame chance and by institutions increasingly organized around risk management. Terrorism strikes at the foundation of this culture because it is a stark reminder of the limits of risk management. It brings home the potential ungovernability of modern societies, and how those with little power can work cheaply and effectively to destroy.
2. Risk selection
There are countless sources of harm in the world, only some of which can be subject to attention and risk management. Risk selection is in part a question of knowledge: Is the risk directly perceptible, subject to mediation by experts, or virtual in the sense of being easy to imagine but impossible to observe (Adams 1995, 2003)? Risk selection is also a social, cultural, political, and economic process. A few potential sources of harm are brought to the centre of a risk-management portfolio because they are believed to have the greatest potential for adversely affecting the interests of portfolio stakeholders. Risk portfolios are often constituted in politically charged contexts where the risks selected are used to define values, interests, and ways of life beyond probabilistic reasoning (Douglas 1990; Hacking 2003).
Prior to 9/11 there were repeated attacks on American targets by al-Qaeda, including one on the World Trade Center (WTC). However, it was the catastrophic events of 9/11 that precipitated the move of terrorism to the centre of the risk portfolio of Western societies. An executive of a reinsurance company that paid out several billion dollars in claims following 9/11, articulating his views on catastrophic risk selection, has said his company was aware of various assessments of the new terrorism prior to 9/11, including the possibility of a second al-Qaeda attack on the WTC aimed at total destruction. However, only a few possible sources of catastrophic loss are brought to the centre of the company's risk portfolio at a given time, and prior to 9/11 terrorism was not one of them:
An international reinsurer is supposed to have a certain experience
with catastrophes. But the question is... given the diversity of
liability scenarios, how can we meaningfully process such
experience? This is scarcely possible using actuarial methods
alone. It calls for professional methods that are probably more
akin to those of a social historian than those of an actuarial
scientist or legal expert . …