Assessing National Security Risk in a Complex, Interdependent World
Author: Alan Dupont Published: 2012-05-31
Assessing National Security Risk in a Complex, Interdependent World
Michael Hintze Chair of International Security
Centre for International Security Studies,
University of Sydney
Assessing national security risk is a complex and demanding task in an era of protean security challenges and multiple, interconnected threats. In this paper I argue that a rigorous methodology for evaluating Taiwan’s threat environment is central to the task of anticipating and managing the proliferation of ‘known’ security challenges, as well as unexpected ‘black swan’ events. Without an efficacious risk assessment process, national security planners will struggle to develop a workable set of analytical lenses through which to view national security challenges or to prioritise the many national security challenges competing for their time and attention.
Assessing National Security Risk: Problems and Complexities
For Taiwan to build resilience in the face of future shocks one must first understand the nature of the challenge. In my view, there are four key problems to assessing national security risk in the 21st century. The first is how to make rational and informed judgements about the priority to be afforded to competing national security threats from among the rapidly expanding list of candidates. Australia’s 2008 National Security Statement, for example, mentions 16 separate, major security challenges while the US National Intelligence Council identifies more than 1,600 national security concerns. A complicating factor is the sheer breadth, scale and diversity of today’s national security challenges which stand in stark contrast to the parsimonious strategic and intelligence agendas of the Cold War.
Second, because many of today’s security challenges are highly interconnected it is imperative to find a way of identifying and comprehending the dynamics and significance of these connections. Financial instability may trigger political and strategic turbulence, as the 2008 Global Financial Crisis demonstrated. Cyber attacks may emanate from non-state actors, as well as states, while states may coopt criminal hackers for strategic purposes. Ecological stress heightens competition for scarce resources and deepens ethno-political cleavages. Scarcity of fresh water sharpens interstate rivalries, complicates sovereignty disputes and aggravates wider regional and global concerns about food security. Deforestation not only results in the loss of a valuable natural resource for a local community, or a particular state, but it can also trigger catastrophic flooding across national borders and contribute to wide-spread pollution in the short term, as well as climate change over the long term.
These developments, in turn, may cause food shortages, population displacement, economic damage and serious loss of life. Environmental issues will complicate energy choices as the transition from dirty fossil fuels like oil and coal to cleaner sources of renewable energy gathers speed, exacerbating shortages due to sudden price rises, distribution problems, or disruptions to essential supplies. Unregulated population movements across national borders can threaten the sovereignty and internal cohesion of affected states, especially when illegal migrants and refugees are of different ethnic or religious backgrounds. People smuggling is a crucial vector in the rapid spread of AIDS, highlighting the symbiosis between disease and organised crime. Drug trafficking and money laundering are increasingly linked to terrorism as well as crime.
The interconnected nature of strategic threats and hazards compounds the difficulty of national security decision making for two main reasons. First, addressing individual issues in isolation produces sub-optimal national security outcomes, even though each one may be complex enough to warrant concerted policy attention and attract its own group of special interest experts and advocates. Second, any particular set of these strategic issues is hyper-complex and should not be addressed in a compartmentalised fashion since the net effect of the interaction between the constituent issues can generate even greater complexity and uncertainty for the set as a whole. Well-intended policies to address specific problems like climate change or water scarcity, for example, can trigger unintended adverse consequences for apparently unrelated issues like energy or transport – and vice versa – unless policy makers address the entire portfolio of strategic priorities in an integrated and whole of nation fashion.
A third problem is the difficulty of assessing complexity, including positive and negative feedback processes which amplify or dampen the effects of certain changes. The interplay between causal factors can lead to non deterministic and unpredictable behaviour in which small changes trigger disproportionately larger and differentiated effects resulting in system changing ‘tipping points.’ Panarchy theory teaches that complex systems can collapse because of seemingly insignificant change at either the micro or macro level (Holling 2001 and Homer-Dixon 2006: 226-231). The danger rests in the ever increasing interdependence of modern societies which means that minor perturbations can be magnified enormously producing giant ripple effects. With the exception of mega natural disasters, such as major earthquakes, super volcanic eruptions or a catastrophic meteor strike on the Earth, which cannot be prevented or mitigated, humans are the key variable in all other security challenges. But unlike physical, technical and most living systems, humans are self-organising systems who are individually and collectively capable of very sophisticated intentional behaviour which makes it far more difficult to assess the effects of policy interventions on a large scale, no matter how well crafted or implemented.
Fourth, not all states share the same threat perceptions for cultural, historical, and strategic reasons. This will inevitably affect approaches to assessing risk and determining national security priorities. As an economically developed, politically stable, and Western oriented nation, Australia has quite different security perceptions and priorities from populous, developing Asian states and small, fragile Pacific Island countries. While Australia may be primarily concerned with promoting economic competitiveness and defending its territory from external enemies, developing Asian states are more likely to emphasise the maintenance of internal stability and social harmony as core security objectives. Pacific Island nations see climate change as an existential security threat rather than a manageable environmental problem. Even where there is broad consensus or a common security agenda, there may be significantly dissimilar views about the seriousness or probability of particular risks that no methodology, no matter how rigorous, can resolve entirely because human judgments are required.
Constructing a National Security Risk Methodology for the 21st Century
Before considering methodologies for assessing national security risk it is important to recognise that the notion of risk itself is changing in response to the rapidly evolving security environment and must therefore be reconceptualised. Risk is typically defined ‘in terms of the potential for damage to national security combined with the probability of occurrence and a measurement of the consequences should the underlying risk remain unaddressed” (DoD 2008a: 20). Or it may be seen as the failure to achieve strategic objectives at an acceptable cost (Holcomb 2004: 119). Other definitions emphasise a country's vulnerability which may be affected by intent and capability (Barnes and Ungerer 2009: 10). Some argue that definitions of risk which exclude human perceptions do not adequately capture the evaluative process. Seen from this perspective, risk is best represented by the formula ‘perception x probability x consequence’, reflecting the diversity of views about threat perceptions that are typically present within governments and policy elites.
However, this latter approach runs counter to the principal aim of a rigorously constructed, objective risk evaluation process risk which is to minimise human bias rather than encourage it. Furthermore, because today's security problems are more multifaceted and distant in space, and time, a reorientation away from the traditional emphasis on linear threats towards a broader, more inclusive approach is required. Standard forms of risk management, which have worked well for relatively predictable security challenges, must be modified and improved to include systemic methods and metrics that are better suited to calculating risks for complex non-linear strategic challenges, individually and collectively. In particular, there needs to a set of agreed metrics for evaluating the synergistic risks of combined threats and hazards in hyper-complex sets of interconnected security issues. This means focusing not only on the risk for individual threats such as cyber attacks, pandemics, missile strikes or infrastructure failure but also calculating the broader systemic risk should these threats all materialise within a very short time frame, or become ‘mega-problems.’
A risk based methodology for assessing and prioritising national security policy must have two essential elements. First, the methodology should be systematic - it must provide operational guidance in a logical, sequential manner. Second, it should be systemic in the sense that the methodology must provide a template for analysing both the causal factors and interconnected dynamics of the main security challenges in a holistic way. Both these characteristics derive from the basic notion of a system, with its emphasis on organisational relationships, but they are not coterminous. Systematic refers to any organised series of steps and procedures that enable people to carry out desired activities in a consistent fashion. Systemic refers to the knowledge and tools that permit an examination of the basic nature and emergent behaviour of complex phenomena as organised wholes.
Of course, a national security risk methodology need not be designed from first principles since there is a substantial body of literature on apposite methodologies from a wide variety of application domains, as well as associated analytical tools to conduct the highly specialised work that is essential to effective strategic analysis. Examples include the environmental scanning techniques used in futures research and corporate strategic planning, as well as sophisticated risk assessment models that have been developed in the insurance industry and medical fields (Coates 1986; Cruz 2004; Glenn and Gordon 2009; Robert l. Heath et al. 1988; Reckmeyer 1988; Rifkin and Bouwer 2007; Schütz et al. 2006). In addition, there is a long history of derivative risk techniques being used for national security and intelligence planning in Western democracies and increasingly in Asia (see, for example, Masse et al. 2009; DoD 2006; DoD 2008b; DoD 2009). While these techniques and models are not without utility none adequately capture or prioritise the diversity, complexity and dynamics of the contemporary international security environment because they reflect the preferences and predispositions of their authors, or subject matter experts, at the expense of systemic and objective risk based metrics.
The methodology proposed here is intended to rectify these deficiencies and has four distinct but integrated sequential steps:  Issues Identification;  Risk Assessment;  Capability Assessment; and  National Security Priorities.
National Security Risk Methodology
The first step is to identify, as comprehensively as possible, those issues most likely to have a major national security impact and to aggregate them in a coherent, systematic manner. In the initial iteration, it is important to cast the widest possible net to counteract the inherent tendency of government departments to zero in on a small set of narrow and immediate concerns that reflect individual portfolio responsibilities. Key tasks would include charting the defining features of the strategic landscape, compiling an inventory of potential threats and determining whether they are primarily internal or external and their likely duration . Anticipating future trends and conditions, rather than reactively waiting for issues to emerge or become apparent, is a hall mark of good planning. This is best done by soliciting formal input across government as well as from relevant non-government and international institutions drawing on selected, proven horizon scanning tools that are readily available for this kind of work. A credible, initial set of candidate national security challenges should result.
The next step is to appraise their probability and likely consequences, and to agree on which challenges require further analysis. Risk assessment always involves some form of trade off between the impact and probability of events or trends. So it would be crucial to include a detailed forecast of each issue’s assessed effect on a country’s vital security interests, by using alternative scenarios which enable analysts to assess their likelihood as well as the duration and intensity of their impact. These individual risk assessments would provide the basis for evaluating the consequences of all the issues vis-à-vis each other, to clarify which ones pose the greatest overall risks to national security. There will need to be a common methodology for these tasks, including a standardised set of criteria or metrics for rating the relative importance of different factors. These metrics would inform judgments about intentions, the nature of identified challenges (global or regional, short or long term, sudden or cumulative), their interconnectedness and their inherent ‘knowability.’ Certainty tables, of the kind used by climate change scientists in their assessments of probability and consequence, could be adapted to help indicate levels of confidence about particular evaluations.
The principal purpose of the capability assessment step is to ascertain the country’s readiness to address specific vulnerabilities. Among the main tasks would be an audit of the country’s national security capabilities followed by a detailed evaluation of their capacity to prevent, mitigate, or resolve anticipated national security risks. Policy makers need to know how to close or reduce the inevitable gaps between existing and required capabilities. Rather than attempting to eliminate specific risks, the capability assessment should specify ways of enhancing overall resilience so that a country can absorb disturbances and continue to function effectively, even under extremely adverse conditions. Integral to this process is the determination of national security vulnerabilities, which are not the same as threats. For example, while terrorism may rate highly on a list of prominent security challenges, actual strategic vulnerability may be of a significantly lower order due to effective counter-terrorist strategies and previous levels of funding. Conversely, neglected areas of vulnerability will require more attention and resources.
National Security Priorities
The fourth and final step is to develop a portfolio of national security priorities which treats them as an interrelated whole and provides the basis for a resource investment plan in national security that is explicitly tied to budget realities. Since most, if not all, of the strategic priorities will be complex and interconnected they must be addressed in a way that doesn’t result in unintended consequences or create additional problems in the future. This is likely to prove the most challenging part of the process for two reasons. The systemic features of an integrated set of priorities are more nuanced than those of any particular issue; and ascertaining them will require policy makers and intelligence analysts to transcend the legacies of institutional and intellectual habit that reinforce siloed thinking.
The Virtues of a Systems of Systems (SoS) Approach
The best way of achieving these goals is through a Systems of Systems (SOS) approach that addresses the most serious security challenges as a whole rather than treating them as independent, compartmentalised issues. A fully developed SOS template would need to incorporate empirically based metrics capable of correlating the consequences and probability of system changing threats to determine risk, by focusing on the connections between them and their capacity to cause systemic disruption and instability. A well crafted set of objective metrics would greatly improve a government’s ability to understand the interrelationships between seemingly disconnected strategic issues and promote coordination across diverse bureaucratic and intelligence communities to achieve key national security objectives.
Although SoS approaches are primarily associated with the development of sophisticated weapons technologies they were originally intended to help policy-makers develop more integrated solutions to hyper-complex challenges. These challenges were closely interconnected, exhibited highly non-deterministic behaviour and involved diverse sets of independent stakeholders who were essential to achieving the best results but could not be compelled to acquiesce in the problem solving process. Far greater integration is required to avoid departmental specific strategies that are apt to produce sub-optimal national security outcomes.
Part of the remedy lies in helping policy-makers appreciate one of the fundamental insights from system’s thinking – the principle of sub-optimisation. Conventional wisdom assumes that maximising the benefits for a particular whole will automatically flow from optimising the performance of its component parts. While this may seem logical, it only applies to those forces, issues and challenges that are relatively simple in composition or dynamics. Although counterintuitive, optimising the greater good for a complex whole actually requires the sub-optimisation of its constituent elements in the same way that producing a champion football team demands the subordination of individual skills and talent to the team ethos.
This is especially true when the ‘whole’ in question is a hyper-complex entity, whose parts are complex independent systems themselves. Creating an optimal national security capability can only be achieved by applying interdisciplinary knowledge, methodologies and tools for integrating independent systems into effective solutions to complex challenges. Conventional risk assessment methodologies typically assume that the combined risk for a particular set of security threats can be readily determined by calculating each risk and adding them together. But these methodologies are ill-suited to assessing the security challenges we now confront.
Assessing strategic risk, whether in politics, business, or national security is a problematic but essential task. More often than not, poor decision-making is directly attributable to the lack of a rigorous evaluation process that permits and, indeed, encourages rational calculations about threats, vulnerabilities, and achievable outcomes. Taiwan’s ability to develop effective analytical tools for assessing national security risk will be a key determinant of its success in managing the many security challenges it confronts. Countries adept at anticipating developments, discerning trends, and evaluating risk among the clutter of confusing and contradictory change indicators will be significantly advantaged over those which are not. Foresight buys precious response time and, in matters of national security, prescience provides a vital strategic edge over potential enemies as well as an enhanced capacity for leadership in the face of common threats.
ALSAC (Air Land Sea Application Center), 2001. Risk management: multi-service tactics, techniques, and procedures (Washington, DC: United States Army, Marine Corps, Navy, Air Force).
Coates, Joseph F., 1986. Issues identification and management: the state of the art of methods and techniques (Palo Alto: Electric Power Research Institute).
Cruz, Marcelo (ed), 2004. Operational risk modelling and analysis: theory and practice (London: Risk Books).
DHS (United States Department of Homeland Security), 2009. National infrastructure protection plan: partnering to enhance protection and resiliency (Washington, DC: DHS).
DoD (United States Department of Defense), 2008a. National Defense Strategy (Washington, DC: DoD).
DoD (United States Department of Defense), 2008b. Risk management for Army, Marine Corps, Navy, Air Force (Washington, DC: DoD).
DoD (United States Department of Defense), 2006. Risk management guide for DoD acquisition (Washington, DC: DoD).
DoD (United States Department of Defense), 2009. Risk management (including risk assessment) for defense critical infrastructure protection (Washington, DC: DoD).
Environment News Service, 2002. ‘Pacific islands: climate change, radiation concern leaders’, Environment News Service, 19 August, <http://www.ens-newswire.com/ens/aug2002/2002-08-19-03.asp>.
Fingar, C. Thomas, 2009a. Payne Distinguished Lecture on ‘Anticipating opportunities: using intelligence to shape the future’ at the Freeman Spogli Institute for International Studies (Stanford University, 21 October 2009).
Fingar, C. Thomas, 2009b. ‘Interview’ by William J. Reckmeyer (14 December 2009).
Glenn, Jerome C. and Theodore J. Gordon (eds), 2009. Futures research methodology – version 3.0 (New York: American Council for the United Nations University).
Heath, Robert L. and Associates, 1988. Strategic issues management (San Francisco: Jossey-Bass).
Heng, Yee-Kuang, 2006. War as risk management: strategy and conflict in an age of globalized risks (London: Routledge Kegan Paul).
Holcomb, James F., 2004. ‘Managing strategic risk’, in The Army War College guide to national security policy and strategy (Carlisle: US Army War College).
Holling, Crawford S., 2001. ‘Understanding the complexity of economic, ecological and social systems’, Ecosystems, 4(5): 390-405.
HSC (United States Homeland Security Council), 2009. National strategy for homeland security (Washington, DC: HSC).
Homer-Dixon, Thomas, 2006. The upside of down (Melbourne: Text Publishing).
Homer-Dixon, Thomas, 2002. The ingenuity gap: facing the economic, environmental, and other challenges of an increasingly complex and unpredictable future (New York: Vintage Books).
Hills, Alice, 1999 ‘Criminality and Policing in Stability and Support Operations’, Military Review 79(6) 1999.
Masse, Todd, Siobhan O’Neil and John Rollins, 2007. The Department of Homeland Security’s risk assessment methodology: evolution, issues, and options for congress (Washington, DC: Congressional Research Service).
Myers, Norman, 1993. Ultimate security: the environmental basis of political security (New York: Norton).
Naylor, Rosamond L. et al., 2007. ‘The ripple effect: biofuels, food security, and the environment’, Environment,49:9: 30-43.
PCO (Canadian Privy Council Office), 2004. Securing an open society: Canada’s national security policy (Ottawa: PCO).
PR (Presidence de la Republique), 2008.French white paper on defence and national security (Paris: PR).
Rasmussen, Mikkel V., 2006. The risk society at war: terror, technology, and strategy in the twenty-first century (Cambridge: Cambridge University Press).
Reckmeyer, William J., 1988. Strategic issues management: a renaissance systems approach (Palo Alto: Electric Power Research Institute).
Rifkin, Erik and Edward Bouwer, 2007. The illusion of certainty: health benefits and risks (New York: Springer).
Rudd, Kevin, 2008. The first National Security Statement to the Australian Parliament (Canberra: Office of the Prime Minister).
Schütz, Holger,Peter M. Wiedemann,Wilfried Hennings,Johannes Mertens,Martin Clauberg, 2006. Comparative risk assessment: concepts, problems, and applications (New York: Wiley).
Taleb, Nicholas N., 2007. The black swan: the impact of the highly improbable (New York: Random House).
UKCO (United Kingdom Cabinet Office), 2008. The national security strategy of the United Kingdom: security in an interdependent world (London: UKCO).
 Black swan events are high impact occurrences that emerge without clear warning, whose indicators are explainable only in retrospect and which, by definition, cannot be predicted even by the best horizon scanning techniques. The term is derived from the discovery of thought-to-be-impossible black swans in Western Australia during the 18th century (Taleb 2007). See also Homer-Dixon 2002: 171-187.
 It is difficult to be precise about the number of separate security challenges which feature in the Australia’s National Security Statement since they are not clearly conceptualised or aggregated. By the author’s count, the 16 are: conflict between the major powers; changing levels of military spending and capability in our region; cyber warfare; Afghanistan; Iraq; espionage and foreign interference; terrorism; protective security challenges; the proliferation of weapons of mass destruction; intrastate conflict in our region; transnational organised crime; border management; disease pandemics; climate change; energy security and demographic change (Rudd 2008). For a comparable list of US national security concerns, see Fingar 2009a and Fingar 2009b.