Richard A. Posner is a senior lecturer in law at the University of Chicago Law School. He was a judge of the U.S. Court of Appeals for the Seventh Circuit from 1981 to 1993 and was chief judge of the court from 1993 to 2000. He has written more than a dozen books. This article is based on two of them: Catastrophe: Risk and Response, chapter 3 (Oxford University Press, 2004), and Preventing Surprise Attacks: Intelligence Reform in the Wake of 9/11, chapter 3 (Hoover Institution and Rowman & Littlefield, 2005).

I want to discuss the general problem of determining optimal responses to catastrophic risks, defined as the risks of low or unknown probability that, if they materialize, will inflict heavy losses. The risks can arise from natural phenomena, from human accidents, or, as in the case of terrorist attacks, from deliberate human behavior.

To deal in a systematic way with catastrophic risks requires first assessing them and then devising and implementing sensible responses. Assessment involves first of all collecting the technical data necessary to gauge, so far as that may be possible, the probability of particular risks, the purely physical consequences if the risks materialize (questions of value are for later), and the feasibility of various measures for reducing either the risks or the magnitude of the consequences by various amounts. The next step in the assessment stage is to embed the data in a cost-benefit analysis of the alternative responses to the risk.

I am not proposing that cost-benefit analysis, at least as it is understood by economists, should be the decision procedure for responding to catastrophic risks. But it is an indispensable step in rational decision making in this as in other areas of government regulation. Effective responses to most catastrophic risks are likely to be extremely costly, and it would be mad to adopt such responses without an effort to estimate the costs and benefits. No government is going to deploy a system of surveillance and attack for preventing asteroid collisions, for example, without a sense of what the system is likely to cost and what the expected benefits are likely to be (roughly, the costs of asteroid collisions that the system would prevent multiplied by the probabilities of such collisions) relative to the costs and benefits both of alternative systems and of doing nothing. The “precautionary principle” (“better safe than sorry”) popular in Europe is not a useful alternative to cost-benefit analysis, if only because of its sponginess. In its more tempered versions, the principle is indistinguishable from a cost-benefit analysis with risk aversion assumed. Risk aversion entails that extra weight be given to the downside of uncertain prospects. In effect it magnifies the costs of harmful events, but it does not overthrow cost-benefit analysis, as some advocates of the precautionary principle may believe.

Precautionary considerations, moreover, can work against intervention or limit the optimal scale of intervention. An example is the optimal response to the danger of abrupt global warming. Suppose there is a 70% probability that in 2024 global warming will cause a social loss of $1 trillion (present value) and a 30% probability that it will cause no loss, and that the possible loss can be averted by imposing emission controls now that will cost the society $500 billion (for simplicity’s sake, I assume the entire cost is borne this year). In the simplest form of cost-benefit analysis, since the discounted loss from global warming in 2024 is $700 billion, imposing the emission controls now is cost-justified. But suppose that in 2014 we will learn for certain whether there is going to be the bad ($1 trillion) outcome in 2024. Suppose further that if we postpone imposing the emission controls until 2014, we can still avert the $1 trillion loss. Then clearly we should wait, not only for the obvious reason that the present value of $500 billion to be spent in 10 years is less than $500 billion (at a discount rate of 3%, it is approximately $425 billion) but also and more interestingly because there is a 30% chance that we will not have to incur any cost of emission controls. As a result, the expected cost of the postponed controls is not $425 billion, but only 70% of that amount, or $297.5 billion—which is a lot less than $500 billion. The difference is the value of waiting.

Suppose now that if today we impose emission controls that cost society $100 billion, this will, by forcing the pace of technological advance, reduce the cost of averting in 2014 the global-warming loss of $1 trillion in 2024 from $500 billion to $250 billion. After discounting to present value at 3% and by 70% to reflect the 30% probability that we’ll learn in 2014 that emission controls are not needed, the $250 billion figure shrinks to $170 billion. This is $127.5 billion less than the superficially attractive pure wait-and-see approach ($297.5 billion minus $170 billion). Of course, there is a price for the modified wait-and-see option—$100 billion. But the value is greater than the price.

In the example, the probabilities associated with catastrophe were assumed to be known, and also to be substantial. Often they will not be known. And if they are known but slightly, people may react to them irrationally. From a statistical standpoint, studies indicate that people sometimes overreact to a slight risk if it is associated with a particularly vivid, attention-seizing event. The 9/11 attacks have been offered as an illustration of this phenomenon. But to describe a reaction to a risk as an overreaction is to assume that the risk is slighter than people thought, and this presupposes an ability to quantify the risk, however crudely. We do not have that ability with respect to terrorist attacks. About all that can be said with any confidence about the 9/11 attacks is that if the United States and other nations had done nothing in their wake to reduce the probability of a recurrence, the risk of further attacks would probably have been great, although we do not know enough about terrorist plans and mentalities to be certain, let alone to know how great. After the government took defensive measures, the risk of further large-scale attacks on the U.S. mainland fell. But no one knows by how much it fell, and in any event it would be a mistake to dismiss a risk merely because it could not be quantified and therefore might be small—for it might be great instead. Unfortunately the ability to quantify a risk has no necessary connection to its magnitude. We now know that the risk of a successful terrorist attack on the United States in the summer of 2001 was great, yet the risk could not have been estimated without an amount and quality of data that probably could not have been assembled. To assume that risks can be ignored if they cannot be measured is an ostrich response.

This point is illuminated by the old distinction between “risk” and “uncertainty.” The former refers to a probability that can be estimated, whether on the basis of observed frequency or of theory, and the latter to a probability that cannot be estimated. Uncertainty does not, as one might fear it would, paralyze decision making. We could not function without making decisions in the face of uncertainty. We do that all the time by assigning, usually implicitly, an intuitive probability (what statisticians call a “subjective” probability) to the uncertain event. But it is one thing to act, and another to establish the need to act by conducting fruitful cost-benefit analyses, or by employing other rational decision-making methods, when the costs or benefits (or both) are uncertain because they are probabilistic and the probabilities are not quantifiable, even approximately. The difficulty is acute in some insurance markets. Insurers determine insurance premiums on the basis of either experience rating, which is to say an estimate of risk based on the frequency of previous losses by the insured or the class of insureds, or exposure risk, which involves estimating risk on the basis of theory or, more commonly, a combination of theory and limited experience (there may be some history of losses, but too thin a one to be statistically significant). If a risk cannot be determined by either method, there is uncertainty in the risk-versus-uncertainty sense, and only a gambler, treating uncertainty as a situation of extreme and unknowable variance in possible outcomes, will write insurance when a risk cannot be estimated. Or the government, as in the Terrorism Risk Insurance Act of 2002, which requires insurance companies to offer coverage of business property and casualty losses due to terrorism but with the federal government picking up most of the tab.

Among the catastrophic risks that present the most stubborn challenges to the cost-benefit analyst is the risk of a terrorist attack using weapons of mass destruction, such as bioweaponry. The probability of a bioterrorist attack, or rather the schedule of probabilities for the various forms that such an attack might take, cannot be estimated. It is not only that terrorists are secretive as to plans and capabilities. It is also that they—or at least the ones that have vague and encompassing aims—have such a broad range of potential means and targets to choose among and, if suicidal, cannot be deterred. Anyone who thinks terrorist attacks are predictable should read what the director of the Defense Threat Reduction Agency wrote just months before September 2001: “We have, in fact, solved a terrorist problem in the last twenty-five years. We have solved it so successfully that we have forgotten about it; and that is a treat. The problem was aircraft hijacking and bombing. We solved that problem … The system is not perfect, but it is good enough.… we have pretty much nailed this thing.”1

Clearly, science cannot predict where or when bioterrorists will strike, although it can say something about the likely means that they will employ, given feasibility and cost constraints, and much about the consequences of various types of bioterrorist attack. Maybe, however, the military and civilian intelligence services, the diplomatic service, and academic experts on terrorism can, by pooling their knowledge, produce reliable estimates of the probabilities of the various types of bioterrorist attack that are possible, and the estimates can then be married to scientific expertise to produce a schedule of expected costs of bioterrorism and therefore a guide to responsive measures. But it seems that about all that experts on terrorism are able to do, and even then only with a large error term, is to rank bioterrorist threats by relative likelihood—to say, for example, that a bioterrorist attack on Washington employing anthrax is more likely than an attack on London with smallpox. These rankings, while useful in establishing priorities within a fixed budget, do not enable expected costs to be calculated and so do not permit the application of cost-benefit analysis in its usual sense.

There are several possible methods, of varying utility, of adjusting cost-benefit analysis to reflect the presence of radical, nonquantifiable uncertainty. For example, it’s been suggested that “information markets” might be used to elicit information about the likely risks of particular bioterrorist attacks. These are markets in which the “securities” traded are not stocks or other financial instruments, but predictions. The idea is that predictions will be more accurate when there is a financial stake in accuracy, and the existence of a financial stake will elicit predictions from the most knowledgeable observers. The theory is fine but doesn’t seem applicable to terrorism. Terrorists could manipulate the market to generate inaccurate predictions or profit from their terrorism by making accurate ones. In addition, should bioterrorist attacks turn out to be infrequent (as we hope), it would be very difficult to verify the accuracy of the predictions; it would be like placing a bet on what the population of New York will be a hundred years from now. In the case of either natural catastrophes or accidental man-made ones, moreover, the man in the street does not have useful information, and the information possessed by scientists and other experts gets elicited and shared without need to provide a direct monetary reward for being right.

A more useful approach to cost-benefit analysis under conditions of extreme uncertainty is what I shall call “inverse cost-benefit analysis.” It involves simply dividing what the government is spending to prevent a particular catastrophic risk from materializing by what the social cost of the catastrophe would be if it did materialize. The result of this division is an approximation to the implied probability of the catastrophe—implied, that is, by what the government is spending to combat it. Expected cost is the product of probability and consequence (loss): C = PL. If P and L are known, C can easily be calculated. If instead C and L are known, P can easily be calculated. If $1 billion (C) is being spent to avert a disaster that if it occurs will impose a loss (L) of $100 billion, then P = C/L = .01.

If P so calculated diverges sharply from independent estimates of it, this is a clue that we may be spending too much or too little on avoiding L. It is just a clue, because of the distinction, fundamental in economics, between marginal and total costs and benefits. The optimal expenditure on a measure is the expenditure that equates marginal cost to marginal benefit. Suppose in the example just given that we happen to know that P is not .01 but .1, so that the expected cost of the catastrophe is not $1 billion but $10 billion. It doesn’t follow that we should be spending $10 billion, or indeed anything more than $1 billion, to avert the catastrophe. Maybe spending just $1 billion would reduce the expected cost of catastrophe from $10 billion all the way down to $500 million and no further expenditure would bring about a further reduction, or at least a cost-justified reduction. (For example, if spending another $1 billion would reduce the expected cost from $500 million to zero, that would be a bad investment, at least if risk aversion is ignored.) I discuss the implications of this point below but ignore it for the time being.

The federal government is spending at least $2 billion a year to prevent a bioterrorist attack. The goal is to protect Americans, so I shall ignore casualties in other countries. Suppose the most catastrophic biological attack that seems reasonably likely on the basis of what little we now know about terrorist intentions and capabilities would kill 100 million Americans. Economic studies of the value of life (studies based on what people demand in compensation for assuming small risks of death) yield a median per capita value for present-day Americans of $7 million. So if the attack occurred, the total costs would be $700 trillion—and that is too low because the death of more than a third of the population would have all sorts of collateral consequences, mainly negative. Let us, still conservatively however, refigure the total costs as $1 quadrillion. The result of dividing the money being spent to prevent such an attack, $2 billion, by $1 quadrillion is 1/500,000. Is there only a 1 in 500,000 probability of a bioterrorist attack of that magnitude in the coming year? One doesn’t know; but a probability of 1 in 500,000 seems too low.

It doesn’t follow that $2 billion is too little to be spending to prevent a bioterrorist attack, for the distinction between total and marginal costs must be borne in mind. Suppose that by spending $2 billion we reduce the probability of such an attack from .01 to .0001. The expected cost of the attack would still be very high—$1 quadrillion multiplied by .0001 is $100 billion—but spending more than $2 billion might not reduce the residual probability of .0001 at all. For there might be no feasible further measures to take to combat bioterrorism, especially when we remember that increasing the number of people involved in defending against bioterrorism also increases the number of people capable, alone or in conjunction with others, of mounting biological attacks. But we must also bear in mind that expenditures on combating bioterrorism do more than prevent mega-attacks; the lesser attacks, which would still be very costly both singly and cumulatively, would also be prevented.

Costs, moreover, tend to be inverse to time. It would cost a lot more to build an asteroid defense in one year than in 10 years because of the extra costs that would have to be incurred in order to effectuate a sudden reallocation of the required labor and capital from the current projects in which they are employed—and so would other crash efforts to prevent catastrophes. Placing a lid on current expenditures would have the incidental benefit of enabling additional expenditures to be deferred to a time when, because more will be known about both the catastrophic risks and the optimal responses to them, considerable cost savings may be possible. (This is the option approach that I discussed earlier in reference to abrupt global warming.) The case for such a ceiling derives from comparing marginal benefits to marginal costs, which may be sharply increasing in the short run.

A further qualification in evaluating the current response to the threat of bioterrorism requires mention. It concerns the way in which government expenditures are assigned to the different activities involved in combating terrorism. The expenditure category “catastrophic threats” in the federal budget is dominated by expenditures on identifying, detecting, and developing vaccines and cures for lethal pathogens. Expenditures classified elsewhere, however, such as expenditures on intelligence gathering, background checks, and border searches, will reduce the likelihood of bioterrorist attacks, though border searches would contribute very little because of the difficulty of detecting a lethal pathogen in a person’s luggage. We should think of the catastrophic-threats category in the federal budget as addressed to the residual risk of a bioterrorism attack if the “forward” defenses fail (this is another marginal comparison); nevertheless, the estimate of that risk implied by the expenditures in that category still seems too low.

Another area in which current government expenditures on mitigating catastrophic risks seem too low involves detecting and preventing asteroid collisions. NASA spends about $3.9 million a year compiling a catalogue of dangerous “near-Earth objects,” a preliminary defensive measure. But that is it, although the agency’s program of research on “smaller Solar System objects,” namely asteroids and comets, while not oriented toward defense against collisions, may yield knowledge that would be useful for such a defense. Other expenditures, actual and planned, and both private and public, swell the total. But the aggregate amount is small. Tellingly, NASA’s annual reports do not contain a section on asteroid defense or near-Earth objects. The current expenditure level is so close to zero that the distinction between total and marginal benefits and costs has little significance.

We know that the expected costs of asteroid collisions are nontrivial, though low, and that methods of detection, mitigation, and prevention are feasible and probably would not break the bank. The report of the Near-Earth Object Science Definition Team, commissioned by NASA, recommended a system of detection of all near-Earth objects at least 140 meters in diameter; the team estimated that it would cost $300 million to construct the system. Both the risks of asteroid collisions and the possible methods for detecting and intercepting asteroids that are on a collision course with the Earth have been known for some time, so the budget has had time to adjust but hasn’t done so.

A parallel United Kingdom task force estimated the annual probability of an asteroid collision that would kill 1.5 billion people as one in 250,000. Since value of life is positively correlated with per capita income, the $7 million figure I used earlier is too high when most casualties would be foreigners. Assume a value of life of $2 million. Then the expected annual cost of the collision would be $12 billion ($2 million x 1.5 billion [= $3 quadrillion] x .000004), which is many, many times the U.S. government’s annual spending on asteroid defense. More to the point, since most of the 1.5 billion victims would not be Americans, the world’s annual spending on asteroid defense—which is probably only very slightly more than $3.9 million because no other country has gone beyond the talking stage so far as an asteroid defense is concerned—is too low.

A proposal is pending for federal financing of a Large-aperture Synoptic Survey Telescope (LSST). This $150 million instrument “could locate 90% of all near-Earth objects down to 300 m in size, enable computation of their orbits, and permit assessment of their threat to Earth,” while greatly increasing our knowledge of remote galaxies. The telescope would not be a complete substitute for the telescopic array recommended by the NASA task force, even if the 10% of asteroids that would escape detection altogether are ignored. The LSST would spot an asteroid only when the asteroid passed in its orbital path through the section of sky swept by the telescope; the asteroid would not be continuously monitored even though its orbit might change after the initial observation. But the LSST would be a great start. Yet NASA refuses to fund it, so funding is being sought from the National Science Foundation and private sources. Astronomers, moreover, are much more interested in remote galaxies—study of which adds to knowledge of the origin, size, age, future, and composition of the universe—than in local orbiting rocks. The extent to which the LSST, if it is built, will actually be used for detection and evaluation of potentially dangerous asteroids is uncertain.

The federal government’s science and technology budget allocates about $1.7 billion a year to climate-change research, including research on clean fuels and carbon sequestration as well as on improving predictions of global warming. If the warming is moderate, the costs to the United States are likely to be modest, and $1.7 billion a year might actually be too much to spend on counteracting it. However, abrupt, catastrophic global warming is a possibility, and let me assume that if it occurred it would bring about a permanent reduction of one-fifth of gross domestic product, which is currently $10 trillion. Because the loss of $2 trillion a year is assumed to be permanent, the present value of the loss caused by the disaster, at a 3% discount rate, is slightly more than $66.6 trillion. The annual probability of a global-warming disaster of the assumed magnitude cannot be estimated. But it is at least plausible that a level of carbon dioxide emissions taxes that induced a considerably although not astronomically greater investment (largely private) than at present on averting such a disaster would be cost justified.

Table 1 summarizes the probabilities of catastrophe implied by current government expenditures to avert the three catastrophic risks that I have been discussing.

The distinction between total and marginal effects is only one qualification that must be borne in mind in reading this table. Notice that the table estimates the costs to the entire human race in the case of a disastrous asteroid strike, but only the costs to the United States in the case of bioterrorism and catastrophic global warming. This may seem arbitrary. But no other nation seems to be devoting any significant resources to trying to prevent an asteroid disaster, while other nations are devoting resources to preventing catastrophic global warming. As I do not know the amount of those resources, however, I cannot assess the adequacy of the total expenditures devoted to protecting the entire human race from those disasters. Moreover, even if the only costs of an asteroid disaster that should be considered in determining how much the United States should spend to prevent such a disaster are costs to the United States, scaling down the cost figures in Table 1 accordingly would still indicate that we are spending too little. Dollar-weighted, the United States is about one-fourth of the world; and remember that value-of-life estimates are positively correlated with per capita income.

Because it will sometimes be sensible to disregard low-priority projects entirely, the function of threat assessment, in regard to catastrophic risks as well as to more familiar threats, is not only to rank threats by their expected cost but also to fix a cutoff point below which threats will be disregarded because they would require attention disproportionate to the social benefits that attention to them would confer. Time diverted to thinking about very low-probability threats is unavailable for thinking about other threats unless the aggregate amount of attention to threats is increased. That would require diverting intellectual effort from other activities, and the diversion might be costly. The Office of Science and Technology Policy in the Executive Office of the President has a staff of only 50, which for political, budgetary, and personnel reasons may be difficult to expand in the short run. If so, the office might be making a rational choice to devote no attention at all to the asteroid threat on the grounds either that threats of lesser catastrophes deserve more attention because their expected costs are greater or because they seem more amenable to evaluation and response, or that other scientific projects altogether deserve more attention. The government cannot spend all its time conducting cost-benefit analyses of remote-seeming risks.

Another way to put this is that the costs of responding to risks of disaster include the cost of assessing the risk and formulating the response—the cost of cost-benefit analysis—and may be considerable when opportunity cost (the forgone value of alternative uses of the time and other resources devoted to the cost-benefit analysis) is included, as it should be, in the costs of such analysis. But I doubt that ignoring the risk of a catastrophic collision with an asteroid can be justified on these grounds. Not only is it a non-negligible risk of a huge catastrophe, but the costs of responding to the risk, even as expanded to take in the opportunity cost just mentioned, are moderate.

A final qualification is that the estimates for the expenditures required for an effective asteroid defense and for arresting global warming are too low. In the first case, they ignore other government programs, including other NASA programs for studying asteroids, that contribute at least indirectly to defense against the risk, and in both cases they ignore nongovernmental expenditures. The LSST, if it is built, will be financed in part by private universities, and many near-Earth asteroids have been discovered by the Lincoln Labs’ LINEAR (Lincoln Near-Earth Asteroid Research) program, using two telescopes, although it does receive federal funding, some of it from NASA. The federal government finances only about half the basic research conducted in this country, and some of the other half, which is financed by universities and private companies out of their own pockets, contributes to defending against the catastrophes in question. In addition, some companies are voluntarily reducing their carbon dioxide emissions. And investments in energy efficiency designed merely to reduce the cost of energy may reduce those emissions as a byproduct.

Figure 1 illustrates another way in which cost-benefit analysis can be used fruitfully even when there is great uncertainty about one or more of the components of the analysis.

Figure 1. The “Tolerable Windows” Approach

The marginal benefits and marginal costs of measures to reduce or eliminate some catastrophic risk are shown as functions of the quantity of precautions taken, with the optimal level of precautions (q*) given by the intersection of the two functions. Suppose the optimum cannot be determined because of uncertainty about costs, benefits, the discount rate, or probabilities. We may, though, know enough about the benefits and costs to be able to create the “window” formed by the two vertical lines. Notice that at the left side of the window frame the benefits of a further effort to eliminate or prevent the catastrophe in question comfortably exceed the costs, while at the right side the reverse is true. If we stay within the window, although we won’t know whether our measures are optimal, we’ll at least have some basis for confidence that they are neither grossly inadequate nor grossly excessive. A plausible application is to the current funding of asteroid defense: it is likely that we are well to the left of the left side of the window.

Here is another example of the tolerable-windows approach in action: The benefits of preserving the existing amount of genetic diversity cannot be quantified. But the cost of preserving samples of animals and plants, whether entire species or varieties within a species (such as different breeds of the same animal species), that are on the verge of extinction is probably small enough to put us to the far left of the window. Indeed, since these samples can be preserved at low cost in the form of frozen seeds that can be resuscitated and made to germinate, large-scale efforts to preserve biodiversity by tightly limiting human land uses may not be cost-justified. We cannot be sure because there is no census of species and many of them have very small populations and those often in out-of-the-way places (such as ocean bottoms)—and these are the very species most at risk of extinction, and it would be infeasible to obtain and preserve specimens of all of them. At least modest efforts to preserve specimens of species, or varieties, on the verge of extinction seem worthwhile, and so that is the place to start.

A more familiar simplification of cost-benefit analysis than the tolerable-windows approach is risk-risk assessment, whereby the risks to life or health of alternative responses to some danger (including the alternative of doing nothing) are compared, but no effort is made either to monetize them or to bring other costs and benefits into the analysis. This approach can work well in simple cases—for example, when a measure to prevent a 1% risk of death in an automobile accident would create a 2% risk of death in such an accident. It is also relevant to the dual-use dilemma that is created by efforts to prevent bioterrorism: measures that impede access to lethal pathogens may slow research into the development of effective medical responses to natural epidemics.

But the utility of the method is limited because it leaves out considerations that may be critical to a responsible decision—namely other costs and benefits. For example, advances in medicine that reduce mortality may increase the rate of population growth, thereby contributing indirectly but not necessarily trivially to global warming, the costs of which cannot be reduced to lives lost, although abrupt global warming could cause a catastrophic loss of life. Population growth creates other negative externalities as well. They may or may not exceed the positive externalities; but the uncritical belief, which is standard in risk-risk assessment, that “saving lives” is always a good thing is an obstacle to responding effectively to catastrophic risks.

It may be objected that cost-benefit analysis is a waste of time because politicians are not welfare maximizers. They are not. But cost-benefit analyses can influence public policy even in a political system guided by self-interested politicians responsive to interest groups. An interest group will not press for a project that does not confer net benefits on it. The greater the excess of benefits over costs, the likelier are the beneficiaries to be able to overcome the free-rider impediment to the formation of an effective interest group; the greater the excess of costs over benefits, the likelier are opponents to be able to organize effective resistance. So information about costs and benefits can influence political outcomes even if no political faction is committed to adopting only those policies that can pass a cost-benefit test.

National defense is a good example of a government program that exists because of a very great preponderance of benefits over costs, great as those costs, and uncertain as the benefits, are, rather than because national defense confers economic rents on some narrow interest group, though some people still believe that defense expenditures are the result of machinations by the “merchants of death.” National defense is not only a good example, but a pertinent one. Measures for defending against catastrophic risks reflect concerns similar to those that motivate the nation’s heavy military expenditures.

But there are all sorts of obstacles—political, psychological, economic, and cultural—to responding rationally to catastrophic risks. And the problem seems general. Students of regulation have been critical of the gross and seemingly irrational differences in the estimates of the value of life that are implicit in government regulation of different risks. The range is from $100,000 for death in accidents involving unvented space heaters to $92 billion for death from the herbicides atrazine or alachlor in drinking water. (These figures are derived by dividing the cost of preventing the death by the probability that death would occur if the cost were not incurred.) Suppose NASA’s asteroid-defense budget of $3.9 million a year is perfectly attuned to the public’s valuation of lives lost in asteroid collisions and an estimate made by John Lewis that the expected cost of such collisions is 1,479 deaths per year is correct. That is a global figure, and the U.S. population is only about 5% of the total world population, so let us reduce this number to 74. The implication is that NASA is valuing each of these lives at $52,700. This is not only less than 1% of the $7 million mean estimate in the scholarly literature; it is little more than half the value of a life imperiled by an unvented space heater.

The differences among the value of life estimates probably can be explained by information costs, by psychological factors such as probability neglect, the availability heuristic, and the “dread” factor (notably absent in death by unvented space heater), by political factors, and by the asymptotic relation between risk and the value of life (when risks are very slight, people often write them down to, or very near, zero). The differences may also be somewhat exaggerated by the critics. Nevertheless, the criticism that government does not use consistent criteria to determine responses to risk has great force. And as Table 1 and the accompanying discussion suggest, the criticism applies as forcefully to the regulation of catastrophic risks as to the lesser risks on which the critics have focused. It underscores the importance of having cost-benefit analyses of responses to catastrophic risks conducted by neutrals who do not have financial, political, or psychological stakes in how the analyses come out.

I have noted several times the peculiar difficulties involved in estimating terrorist threats and responding to surprise attacks generally. These difficulties will be the focus of the balance of this article.

Consider two states of the world. In one, a warning of a surprise attack occurs but is disregarded, so the attack takes place, inflicting costs of a on the victim. In the other state of the world, the warning is heeded and the attack is defeated, at cost d (for defensive measure), but because the attack is defeated, a is zero. Let the probability of the attack be p; then the probability that there will be no attack is 1 – p. The expected cost of the attack if the warning is disregarded is pa, and the expected cost if the warning is heeded is (1 – p)d, so the warning should be heeded if pa > (1 – p)d and be disregarded otherwise.

The assumption that d affects a but not p may seem questionable because we usually think of defensive measures as being designed to reduce the likelihood of whatever prospective injury is being defended against. Most surprise attacks, however, occur even if the element of surprise is lost; they just do less damage. But the analysis would not be materially altered by assuming that defensive measures reduce the probability of an attack as well as the damage from it.

Another assumption is that if the warning is heeded, the damage inflicted by the surprise attack will be zero. This assumption is unrealistic and should be relaxed. The damage will just be smaller than if the warning had been ignored. Denote that diminished damage by b; it is smaller the greater d is, d being the expenditure on defensive measures when the warning is heeded.

Besides the direct cost of defensive measures, there is a lulling “boy crying wolf” cost, which I’ll denote by w. This cost is greater the smaller the probability of attack and therefore the more often that warnings will be false alarms, which increase the likelihood that true alarms will be ignored. It is also greater the greater d is, because if big costs are incurred to defend against an attack that does not occur there will be a greater reluctance to heed the next warning.

In light of these adjustments, the inequality pa > (1 – p)d, which states the condition for when a warning should be heeded and thus defensive measures taken, becomes, with a slight rearrangement of terms,

Inequality 1 says that it is more likely that heeding the warning will be the prudent response the higher p is (which not only increases the left-hand side of the inequality, but, because of its negative effect on w, reduces the right-hand side), the lower d is, the lower w is, and the higher a is. Conversely, the lower p is but the higher d is, and the smaller the effect of defensive measures in reducing b (the diminished cost of an attack if the defensive measures are taken) and hence the higher b(d) is, the likelier the prudent course is to ignore the warning sign. The effect of d is complex: it makes heeding the warning more likely to be prudent by reducing b (the damage from the attack when precautions are taken), but less likely to be prudent because it is a cost of heeding the warning and because it increases the lulling effect.

To illustrate, the Israelis disregarded the signs of an imminent attack by the Egyptians and Syrians in October 1973 because they thought the probability of an attack low, because defensive measures (mobilization) would have been costly, because a lulling effect had been induced by a previous costly mobilization in response to what proved to be a false alarm, and because, believing that even without mobilizing the reserves their frontline forces could hold the line, they didn’t think mobilization necessary to minimize the cost of an attack (that is, they didn’t think b was much lower than a). In the case of the 9/11 attacks, p was thought low, a was thought lower than it turned out to be, and d was high because of the cost, and inconvenience to passengers, of the kind of airline security measures that were adopted after the attacks.

Thus far I have treated d dichotomously: if inequality 1 is satisfied, the potential victim of a surprise attack should take d measures; if not, he should take no measures. A more realistic assumption (which incidentally permits dispensing with b) is that d can vary. Concretely, if d = 0, a is as in inequality 1, but as d rises, a falls: the more defensive measures that are taken, the less harm the attack does. The goal, then, in picking the level of d is to minimize the sum (S) of the expected costs of the attack and the costs of d, where d is the number of units of defense and c(d) the cost of defense. Thus

S is thus the sum of the costs of false negatives (failing to predict attacks that occur), which is the first term on the right-hand side of equation 2, and the costs of false positives (false alarms), which are given by the second and third terms, the second being the cost of defensive measures and the third the lulling cost.

Provided that the rate at which an increase in d reduces a exceeds the rate at which such an increase increases c and w, S is minimized by taking the derivative of S with respect to d and setting the result equal to zero, yielding

where a_d is the effect on a (the harm to the victim of the attack) of a small change in d (the extent of defensive measures), and c_d and w_d are the effects on c (the cost of defensive measures) and w (the lulling cost), respectively, also of a small change in d. In words, the optimal expenditure on defensive measures requires increasing them to the point at which a $1 increase in their cost (including the effect on the lulling cost) reduces the expected cost of the attack by $1. The greater the effect of such expenditure in reducing the cost of an attack if it occurs, and the higher the probability of an attack (provided that the effect on the expected cost of such an attack exceeds the effect on reducing the expected lulling cost), the greater the cost-justified level of measures to anticipate and respond to the attack.

The model is still unrealistic, in being limited to a single prospective surprise attack. A related unrealism is that it ignores the dynamic character of the crying-wolf phenomenon. The boy who cried wolf did not sound only a single false alarm; it was the repetition of false alarms that made it impossible for him to convince his hearers that his latest alarm was true. In other words, the lulling cost rises with each false alarm.

Assume there are t periods in each of which there is an equal probability of an attack that will impose the same costs and cost the same to defend against, and that for every period in which an attack does not occur the lulling cost increases by r% a year. With this adjustment, the sum of all costs, S in equation 2 becomes

where y(t,p) = t(1 + r)^j and j is a probability distribution of p. Notice that y, and hence the lulling cost, increases with t and with r but decreases with p, because the higher p is, the likelier is an attack, and an attack will reduce the lulling cost in the next period. It might, however, replace it with a “hyper-alert cost”—a possible increased risk of surprise attack if all attention is focused on preventing a repetition of a previous attack to the neglect of other possible attacks. For example, the nation may be expending excessive resources on screening airline passengers, to the neglect of potential terrorist threats to other parts of the nation’s transportation system. In addition, a hyper-alert state may precipitate a flood of warnings that turn out to be false alarms (which has certainly been the experience since 9/11), creating new lulling costs. The other side of this coin is that false alarms draw attention away from true dangers; they are, at best (that is, without producing a crying-wolf effect), distracting noise. My model ignores all these complications, but they are worth mentioning just to indicate the complexity of responding intelligently to the threat of surprise attack.

S is minimized (provided that some plausible restrictions are placed on the terms) when

In words, the total investment in defensive measures against a possible surprise attack should be carried to the point at which the cost of an additional measure, plus the increase in expected lulling costs from taking the additional measure, would be just equal to the reduction in the expected cost of attacks that the measure would bring about.

The foregoing analysis is offered as a possible aid to identifying relevant considerations and the relations among them. It is not intended as an algorithm. The problem with using a formula to optimize the response to warnings of an attack is the difficulty, bordering on the impossibility, of quantifying the terms, other than d and c and in some cases b(d). Assessing the probability of a surprise attack is particularly baffling, as we know. A further difficulty is that a formula cannot be applied across the entire spectrum of possible surprise attacks; this is precluded by the inescapable necessity of filtering data in accordance with the analyst’s preconceptions. There is a near-infinite number of data points in our visual and auditory fields, and we can’t take them all in at once. A rational person prioritizes in accordance with his interests. So intelligence officers determine where the greatest dangers lie, and having made that determination give greater weight to incoming information that bears on those dangers than to information on more remote dangers.

This gives rise to the following paradox: a surprise attack is likelier to succeed when it has a low antecedent probability of success and the attacker is weak, because on both counts the victim will discount the danger and because the range of possible low-probability attacks by weak adversaries is much greater than the range of possible high-probability attacks by strong ones. The potential victim marshals his defensive resources to protect the high-probability targets of greatest value, leaving under-protected the immense number of lower-valued low-probability targets. Knowing this, an enemy who wants to achieve strategic surprise picks one of those inferior targets. Realizing that this is what the enemy is likely to do, and that he is therefore unlikely to obtain a decisive victory, the potential victim reckons the expected loss (severity discounted by probability) from the attack as low and so does not invest a great deal in anticipating and taking measures to defend against the attack, especially since the cost of defending against the entire spectrum of low-probability attacks by weak adversaries (who may, moreover, be numerous) is prohibitive. Surprise attacks are a favorite tactic of the weak because they are a force multiplier, which a weak enemy needs most. When used by the weak they tend to be wild, and ultimately unsuccessful, gambles, but may inflict great damage en route to their ultimate failure. This may explain, by the way, why surprise attacks are relatively rare. On the one hand, when employed by the weak, they are indeed gambles, with dim prospects of ultimate success (the weaker of two contenders is likely to lose the contest), and the greater prospect of ultimate defeat is a deterrent. On the other hand, a strong, aggressive state has difficulty achieving strategic surprise because its intentions are anticipated.

The basic elements of this analysis can be formalized with the aid of our original inequality, pa > (1 – p)d, which says take defensive measures if but only if the expected cost of an attack exceeds their cost. Assume now that there are two types of attack, one that involves a high probability of inflicting a devastating loss (high p and high a), the other a low probability of inflicting a much smaller loss (low p and low a). Assume further that there are n potential attacks of the first type and n' of the second and that d, the defensive measures necessary to prevent an attack, is the same for each class. Let p' denote the probability of attacks in the second class and a' the harm caused by such an attack, so p' < p and a' < a, but n' > n.

We now have two inequalities, the first denoting the condition for taking defensive measures against the first type of attack and the second the condition for taking defensive measures against the second type:

The first inequality is much more likely to be satisfied than the second. The fact that there are more potential attacks of the second type is irrelevant. If the expression in brackets is negative, multiplying it, however many times, will not make it positive; and unless it is positive, defensive measures will not be cost justified. The first term in the bracketed expression in inequality 6b, p'a', is smaller than the corresponding term in inequality 6a because it is the product of two smaller terms, so, for example, if p = .2 and p' = .1, and a = 100 and a' = 20, pa = 20 and p'a' = 2. The second term, (1 – p')d, is larger, because d is unchanged but 1 – p' is larger than 1 – p (in the example, it is .9 versus .8). The smaller the first term and the larger the second, the more likely the bracketed term is to be negative and so the less likely are defensive measures to be justified. In the example, if d = 5, the first inequality is 20 – .8(5) = 16, while the second is 2 – .9(4) = –1.64. So it does not pay to take defensive measures aimed at averting the lesser attack.

These numbers are arbitrary, but they illustrate how it can be rational to take no defensive measures at all against a large class of potential surprise attacks. This is all the more likely when the costs of information are taken explicitly into account. The existence of those costs—alternatively, the necessity (owing to the limitations of human mental capacity) of economizing on attention—makes it likely that below some threshold of expected cost, no consideration whatever will be given to taking defensive measures against a class of possible surprise attacks. Such a “threshold heuristic,” which is related to my earlier point about the indispensability of preconceptions to rational thought, may be at once rational and an invitation to attack. It may also be related to an irrational tendency of people to write down small risks to zero, though presumably intelligence professionals and others who deal with risk professionally are less likely to succumb to this tendency than laypeople.

The fundamental problem, however, is the asymmetry of attacker and victim. The attacker picks the time, place, and means of attack. Since without a great deal of luck his plan cannot be discovered in advance by the victim, the attacker has, by virtue of his having the initiative and of the victim’s being unable to be strong everywhere all the time, a built-in advantage that assures a reasonable probability of a local success. The attacks on Pearl Harbor, Tet (but for its political impact), Yom Kippur, and the 9/11 attacks all achieved only local successes. But when an attacker is willing to settle for a local success, there is little the victim can do to prevent it.

Finally, as Thomas Schelling has pointed out in his book The Strategy of Conflict, the more sensitive a warning system, the greater the risk of the victim’s responding mistakenly with a preemptive attack on the supposed attacker. The system “may cause us to identify an attacking plane as a seagull, and do nothing, or it may cause us to identify a seagull as an attacking plane, and provoke our inadvertent attack on the enemy.” So here is still another reason to doubt the wisdom of seeking an airtight defense against surprise attacks.

References

Click on an end note number to return to the article.

1. Jay Davis, “Epilogue: A Twenty-First Century Terrorism Agenda for the United States,” in The Terrorism Threat and U.S. Government Response: Operational and Organizational Factors, James M. Smith and William C. Thomas, eds. (Colorado Springs, CO: U.S. Air Force Institute for National Security Studies, 2001), p. 275.