write:)Thequalitativeriskratingdoesnotprovidead-equateinformationtoguideresourceallocation ingeneral. Forexample itassignsthesamequalitativeriskscore(Ò5Ó)to(a)a100%probabilityofzerofat

theconditionalprobabilitiesforthearcsinthetreemustbeestimated.Thisbegsthequestionofhowsuchprobabilitiesaretobedetermined
es-peciallyforÒeventsÓthatrepresentattackeractions.Severalresearchershavecommentedthatmodelingactionsasrandomvariablesisinadequateforrepre-sentingthepurposivebehaviorsofintelligentattack-ers.(2−4)Finally
aÒconditionalriskmatrixÓ(i.e.
ariskmatrixassumingthatanattacktakesplace)assignsoverallconditionalriskscorestopairsofconse-quenceandvulnerabilityscores
viathefollowingformula:ConditionalRiskScore=ConsequenceScore+VulnerabilityScore.(2)Thisreßectstheidentity:log(vulnerability×consequence)=log(vulnerability)+log(consequence)(3)becausethescalesusedtorateconsequenceandvul-nerabilityarelogarithmic.(Therealsoappearstobeanimplicitindependenceassumptionthatallowsvul-nerabilityandconsequencescorestobeassessedsep-arately
whichmightnotberealistic.)Thequalitativeriskratingdoesnotprovidead-equateinformationtoguideresourceallocation
ingeneral.Forexample
itassignsthesamequalitativeriskscore(Ò5Ó)to(a)a100%probabilityofzerofatalities(quantitativerisk=0
qualitativerisk=5+0=5)and(b)a20%probabilityof100fatal-ities(qualitativerisk=3+2=5).Similarly
azeroprobabilityofa$100billionlossisgiventhesameriskscore(Ò11Ó)asacertaintyofa$1billionloss.Suchanomaliesarisebecauseconsequencescoresandvul-nerabilityscoresaresummedtogetriskscores;thus
evenifonescoreiszero
theriskscore(unlikethequantitativerisk)canbenonzero.Thescoringalsocanassignrelativelysmallscorestorelativelylargerisks.Forexample
a0.10probabilityof100deaths(expectedvalue=10deaths)wouldhaveasmallerriskscore(4)thana0.26probabilityof26deaths(expectedvalue=6.76expecteddeaths
riskscore=5).3.LIMITATIONSOFRAMCAPTMFORQUANTITATIVERISKASSESSMENTRAMCAPTMÕsÒquantitativeÓapproach(whichmightbecalledsemi-qualitative)isalsobasedonEquation(1).Vulnerabilityandconsequencenum-bersarecalculatedasthearithmeticaverageoftheupperandlowervaluesoftheÒbinsÓ(thevaluerangesintheprecedingÒqualitativeÓapproach)forattacksuccessprobabilityandconsequenceofasuc-cessfulattack
respectively.Allquantitiesareinter-pretedasexpectedvalues.TheRAMCAPTMframeworkstatesthatanad-vantageofusingtheaboveformulawithadeÞnedsetofscalesforvulnerabilityandconsequenceisthatÒtheriskassociatedwithoneassetcanbeaddedtootherstoobtaintheaggregateriskforanentirefacility…[and]canbeaggregatedand/orcomparedacrosswholeindustriesandeconomicsectors.ThisispreciselythegoalofDHS.ÓHowever
suchsumma-tionisingeneralmathematicallyincorrect
asshowninthefollowingexamples.Moreover
itletsfacilityownersmanipulateriskestimatesupordown
de-pendingonpreferences.Itisunabletodistinguishamongsomerisks(limitedresolution)andcangiveincorrectestimatedriskrankings.Thefollowingex-amplesillustratetheselimitations.3.1.Example:DistortionsDuetoUseofArithmeticAveragesonLogarithmicScalesForthefollowingtworisks:•A:(Vulnerability=0.25
Consequence=$400M)•B:(Vulnerability=1
Consequence=$60M)
theformulaConditionalRisk=Vulnerability×ConsequenceimpliesthatAhasalargerconditionalriskthanB($100Mvs.$60M.)However
RAM-CAPTMwouldassignavulnerabilityof(0.125+0.25)/2=0.1875andaconsequenceof(200M+400M)/2=300MtoA
implyinganestimatedcon-ditionalriskof0.1875∗300M=$56.25MforA.Itwouldassignavulnerabilityof(0.9+1)/2=0.95andaconsequenceof(50M+100M)/2=$75MtoB
im-plyinganestimatedconditionalriskof0.95∗$75M=$71.25MforB.Thus
itreversesthecorrectrankingofthesetworisks.