Howard Kunreuther | Not passing the buck on security

Each of us has a personal story regarding his or her experience with the terrorist attacks of Sept. 11, 2001.

I was starting a sabbatical at Columbia University, having arrived the first week of September. As an avid cyclist, I was riding my bike along the Hudson River that day. I didn't notice anything strange until I arrived at the 69th Street pier, when I heard on my Walkman that a small plane had hit a World Trade Center building. However, thinking it was a minor incident, I left the pier at 9:01 and never saw the second plane hit the tower.

As it happens, the tragedy would end up having a major impact on my career. Over the years, I have been studying decision making for low probability, high consequence events. Terrorism took center stage after 9/11. In the last five years, it has been an important part of my research activities and those of others at the Wharton School's Risk Center.

Since the attack, I have been working with others to study ways to enhance security to reduce the likelihood of future attacks.

While in New York City during the months following 9/11, I teamed up with Geoffrey Heal, a professor at the Columbia Business School. The two of us spent considerable time grappling with the following question: What incentive does an individual or firm have to invest in protective measures, knowing that others can cause them damage or harm because they have not undertaken similar measures? We were interested in what strategies to follow when one's own security is dependent on the actions of others. This concept of interdependent security has been a focus of research activity at Penn, Columbia and other academic institutions in the United States and abroad and stimulated discussions with those concerned with homeland security.

One feature common to these IDS problems is the presence of what economists call negative externalities, or risks that originate outside one's own control. The risk of an airline's plane being blown up by a bomb depends not only on its own security practices, but also on the thoroughness with which other airlines inspect bags. With respect to organizational decision-making, the risk a corporate divisional manager faces that his company will experience catastrophic losses depends not only on how he manages his divisional risks but also on how other division heads behave.

In other words, the incentive any firm or individual has to invest in protective measures depends on how it expects others to behave. If a manager thinks that others will not make themselves more secure, this reduces the incentive for her to do so because she is still at risk whether or not she takes precautionary measures. On the other hand, should the manager believe that others will invest in security, she may conclude that this is the best personal strategy to follow.

Consider airline security. If an airline accepts baggage that contains a bomb, the piece of luggage may not damage one of its own planes. In fact, it may be transferred to another airline before it explodes. It's a tragic game of "hot potato" - the music stops when the bomb explodes. As a bomb will only explode once, only one plane will be destroyed.

Unfortunately, there are real-life examples to illustrate this point. In 1988, terrorists checked a bag containing a bomb on Malta Airlines, which had minimal security procedures. The bag was transferred at Frankfurt to a Pan Am feeder line and then loaded onto Pan Am 103 in London's Heathrow Airport. The transferred piece of luggage was not inspected at either Frankfurt, Germany or London because the assumption in each airport was that it had been inspected at the point of origin. The bomb exploded over Lockerbie, Scotland, taking down the plane and killing 259 people in the air and 11 on the ground.

Failures in a weak link that was part of the complex network of independently operating airlines - Malta, in this case - compromised the security of a flight leaving from a core hub, London. However, in the case of 9/11, no single person (airline security personnel, World Trade Center officials, the New York City first responders or the pilots) could have done anything under the security systems in place at the time that could have prevented the catastrophe.

How can we ensure that enough firms in a network will invest in security that all the others will follow suit? In some cases there may be a single firm in an industry occupying such a strategic position that, if it chooses to invest in protection will cause others to find it in their best interest to do the same. And even if there is no single firm, there may be a small group who can tip the balance and entice others to invest.

For each IDS problem, there is a range of risk management strategies that can be pursued by the private and public sectors to encourage organizations and individuals to invest in cost-effective protective measures. These include developing more accurate ways of analyzing the risks and costs of statistically unlikely large-scale disasters, designing economic incentives (such as tax, subsidy or insurance programs) to encourage investment in protection, restructuring the liability system to take interdependencies into account and developing and a better system of building codes that are enforced that can help prevent indirect structural damage like what we saw on 9/11 and after Hurricane Katrina.

Insurance can play a key role in this regard, but there is a need to assess the risk. Policymakers may find it desirable to integrate several measures through public-private partnerships to deal with the IDS problem. The specific actions to be undertaken will depend on the nature of the risk.

The terrorist events of 9/11 have demonstrated that we live in an interdependent world. The challenge facing us today is how to deal with these global risks so we can reduce the likelihood of catastrophic losses in the future.

Howard Kunreuther is a professor of Decision Sciences and Business and Public Policy. He is the co-director of the Wharton Risk Management and Decision Processes Center.

Please note All comments are eligible for publication in The Daily Pennsylvanian.