Possible Does Not Mean Useful: The Role of Probability of Attack in Security Risk Management

Providing adequate security to civilian nuclear materials and facilities exemplifies the long-standing, dynamic challenge of addressing the potential for facility damage under operational uncertainty. Estimating attack likelihood with enough precision to be useful and actionable for security risk management is philosophically, scientifically, and practically challenging. In response, this paper discusses the conceptual and analytical shortcomings of various approaches to calculating the likelihood of attack as a foundational element of security risk management. From these shortcomings emerge a set of characteristics that can guide the creation of alternative concepts that provide more robust and actionable security risk management approaches better aligned with the Ievolutionary growth in civilian nuclear facilities. Such broader conceptions would support movement from traditional interpretations of probability of attack toward more nuanced and complex depictions to enhance security risk management.