Reducing the risk of intentional domino effects in process plants: A risk‐based minimax strategy

Compared with safety assessment, security risk assessment in chemical and process plants is more challenging. On top of uncertain environmental and operational parameters and interdependent failures, which are common in the safety risk assessment of complex systems and infrastructures, there are other uncertain parameters such as the likelihood of attack scenarios and attackers' expected outcomes. As such, the application of probabilistic risk assessment (PRA) techniques, which have long been applied to safety risk assessment and management, to security risk management may result in nonoptimal or suboptimal decisions. In the present study, we will demonstrate how a combination of PRA and game theory may outperform PRA and lead to a more cost‐effective allocation of security measures. For this purpose, the outcome of a dynamic Bayesian network—as a PRA technique—is used as input to the minimax strategy—as a game theoretic strategy—for security risk management of a tank terminal under attacks with a homemade bomb. The proposed risk‐based minimax strategy alleviates the need for estimation of attack likelihoods or attacker payoffs, which would have otherwise been too challenging to estimate if the analyst solely depended on a PRA technique.


| INTRODUCTION
Protecting critical infrastructures and hazardous facilities (nuclear facilities, chemical and process plants, etc.) against terrorist attacks has gained much attention since the September 11 terrorist attacks in the United States. Assessing and managing the risk of terrorist attacks is a multifaceted task that demands the analysis of potential targets, possible attack modes, credible attack scenarios, and the availability of mitigation alternatives. Factors such as the dynamic nature of terrorism risk, the countless number of possible attack scenarios, the contingent nature of the threats, and the limited resources available to eliminate all risks have led to the prioritization of the targets to protect and the defensive resources to allocate. 1 In this regard, risk scoring methodologies and probabilistic risk assessment (PRA) have been playing a key role in prioritizing antiterrorism measures. 2 Likewise, parallels between safety and security risks have been investigated, with discussions about safety risk assessment concepts that can essentially be modified and applied to the security risk assessment of hazardous facilities. 3 In a report by the U.S. Government Accounting Office, 4 the need for "a comprehensive risk management process" for effective allocation of antiterrorism resources was pointed out, which in turn has resulted in a number of risk-based scoring methodologies for the allocation of defensive resources. 1,[5][6][7][8] In such methodologies, the security risk (R) is defined as: where R is the security risk, T is the threat score (or likelihood), V is the vulnerability score, and C is the consequences. 
However, the application of PRA and, particularly the estimation of the risk of terrorist attacks using Equation (1), has been criticized by some researchers, [9][10][11][12][13] including Cox, 10 who claims that Equation (1) does not account for dependencies among the risk components and may result in an overestimation or underestimation of the risk. Khakzad et al. 14 used the analytic network process to demonstrate that linear scoring of the risk components (i.e., T, V, and C) may result in a different, and not necessarily accurate, prioritization of the threats and targets than those obtained from a nonlinear scoring approach capable of considering the mutual dependencies.
There have been attempts to take these dependencies into account, such as using a Bayesian network 15 or estimating the threat (T) as a function of target vulnerability (V) and attractiveness, both of which are estimated by defenders from the attackers' viewpoint. 7 In the majority of such efforts, however, the defenders' uncertainty about the attackers' goals, asset valuation (attractiveness), and intention has been modeled based on simplifying assumptions or probability distributions that cannot easily be verified. Cox 10 also argues that estimating and presenting the threat (T) and vulnerability (V) simply as numbers cannot account for an intelligent attacker's ability to dynamically replan and carry out the attack in the face of defensive measures.
Aside from the simplistic nature of Equation (1), prioritization of defensive resources based on the results of PRA can be quite self-defeating, as it may make the defenders' resource allocation more predictable to attackers. For instance, a defender may rank order M facilities (targets) based on their respective risk scores, and decide to protect N facilities (N < M) depending on his available resources.
This will leave an informed attacker (informed in the sense that the attacker would know that the defender would have followed a risk-based approach) with K = M − N undefended facilities; the expected damage of an attack on these could be even more than on the protected facilities. 10 Cox 11 further demonstrated the inefficacy of risk scoring methodologies, among others, in reflecting the role of secrecy and deception in reducing the risk of attacks or the influence of risk externalities 16 (e.g., protecting one target can increase the attractiveness of other targets), making them even less effective in some cases compared with a random allocation of defensive resources. According to Bier, 16 negative externalities can be exploited by defenders to manipulate the attackers' choice, drawing their attention to less valuable targets or to well-secured and more valuable targets, only to find out their attack would cost more than it is worth.
Cox 10 recommends decision trees, optimization techniques, and game theory models as more viable alternatives to PRA as they help the defender optimize the allocation of resources to minimize the maximum damage (or expected damage) resulting from the "best response" of attackers. Best response models, in their simplest form, can be formulated as two-level optimization problems in which the defender calculates the attacker's best response to various allocations of resources (the attacker's best response would maximize the net expected reward of the attacker) and chooses the allocation that would minimize the damage. 7,10,12,17,18 Integration of PRA and game theory can effectively overcome the drawbacks of risk scoring approaches in both system safety management 19 and security management. 12 In the context of security risk, PRA can be used to calculate the expected payoffs of uncertain consequences of paired defender-attacker strategies, while game theory can be used to optimize the defenders' decisions (allocation of defensive resources) with regard to the attackers' best response. 12 In simultaneous or one-stage defender-attacker games, the defender acts first, trying to minimize the maximum damage that the attacker can make via the best response to the defender's decision.
Such games, also known as minimax strategies, are typically formulated in the form of relatively simple two-level optimization problems that do not require sophisticated game theoretic concepts. 12 In a two-level optimization problem, the defender must allocate defensive resources to a collection of targets that might potentially be attacked. The defenders usually do not know the attackers' preferences, while the attackers may observe the defenders' resource allocation or know the defenders' valuation of the assets (a game of incomplete information), leading to a sequential game. On the other hand, if the defenders manage to conceal defensive allocations, the optimization problem would turn into a simultaneous game. Nevertheless, defenders will generally be better off in a sequential game than in a simultaneous game. 16 As a result, a simultaneous game can be considered the worst-case scenario, resulting in the most conservative allocation of resources from the defenders' viewpoint.
The present study aims to illustrate the efficacy of the risk-based minimax strategy in reducing the risk of impending terrorist attacks on chemical and process facilities. Section 2 recapitulates the basics of the minimax strategy; Section 3 demonstrates the application of the risk-based minimax strategy to an illustrative tank farm and shows how relying merely on the results of PRA may lead to suboptimal decisions; and Section 4 is devoted to the discussion.

| MINIMAX STRATEGY
Game theory is a branch of applied mathematics for modeling situations of competitive cooperation or conflict of interest among a number of players (decision-makers) where usually one player gains at the expense of other player(s). A game consists of a set of players, a set of actions (moves) for each player, and a payoff (utility) function for each player. Games can be classified as simultaneous or sequential. In a simultaneous game (e.g., rock-paper-scissors), each player chooses their own action (makes a decision) without knowledge of their opponents' actions. On the other hand, in a sequential game (e.g., chess), the second player, when making their move, has some information about the first player's move. 20 Classification of games as simultaneous or sequential is more about the availability of information to the players at the time of decision-making than the temporal sequence of decisions (moves). Simultaneous games, which are the scope of the present study, can be presented in their normal form as a payoff table (or bimatrix) for two players. It is worth noting that a game, whether simultaneous or sequential, can alternatively be presented in extensive form as a game tree. Table 1 presents a case with two assets, A and B, where the defender's resources would only allow for defending one or the other. According to the payoffs in Table 1, for instance, if the defender decides to defend asset A whereas the attacker attacks asset B, the defender and attacker would end up, respectively, with b1 and b2 as their payoffs.
If the attacker or the defender knew beforehand what move their opponent would make (e.g., if the attacker knew which target would have been secured by the defender, or similarly, if the defender knew which target would be attacked), the game would change from simultaneous (a game with incomplete knowledge) to sequential (a game with perfect information). With the defender's knowledge of the attacker's move, the move with the highest payoff for the defender given the attacker's move is thus the one with the best response for the defender. To find the defender's best response, the defender does not need to know the attacker's payoff since the focus is on the defender's highest payoff. As a result, the payoff table can be simplified to the one presented in Table 2.
As can be noted in Table 2, although the best response strategy alleviates the defender's uncertainty about the attacker's payoff, it still suffers from uncertainty about the attacker's move based on which of the best responses should be identified. Without knowing the attacker's move ahead of time, and to avoid the uncertainty that comes with anticipating the attacker's move, the defender can allocate defensive resources to minimize his losses. An attacker's payoff may be multifaceted, including but not limited to, causing fatalities and property losses, distributing propaganda, and so forth. However, when it comes to chemical and process facilities, the defender (the facility owner, for instance) may justifiably presume that the attacker's payoff would be proportionate (not equal) to the defender's loss (mostly, property losses).
This presumption, even if not realistic, would lead the defender to take actions to minimize his losses regardless of the attacker's payoffs.
For this purpose, the defender would look at the rows of Table 2 and in each row highlight the cell with the highest loss. The defender then selects the row with the lowest highlighted number, i.e., the lowest highest loss ( Table 3). The defender's move corresponding to the selected row is called a minimax strategy, 21 ensuring that in the worst-case scenario (in the context of the attack scenario of interest), the defender's loss would not exceed the minimax value. Since in a minimax strategy the defender's focus is on reducing their potential losses regardless of the attacker's payoff, an a priori estimation of the attacker's payoff (or expected utility) would not be needed.
In Table 3, the loss attributed to any move made by the defender is equal to the maximum possible loss resulting from that move. For instance, the loss of "Defend A" is taken as L A = max (a1, b1). As such, between "Defend A" and "Defend B", the defender selects the one attributed to the lowest loss, that is, min (L A , L B ). In other words, by implementing the best response that the defender identifies via the minimax strategy, the maximum loss the defender would expect to incur L i can be calculated as: where i is the index of the defender, j is the index of the attacker, x i is the decision made by the defender, x j is the decision taken by the attacker, and L i is the payoff the defender gets as a function of his and the attacker's decisions. The minimax strategy seems to be a viable strategy to cope with imminent terrorist attacks to chemical and process facilities when time is not sufficient to acquire the information required to predict the attacker's payoffs.

| An illustrative example
For illustrative purposes, the layout of an oil terminal is depicted in Figure 1, which consists of six oil storage tanks of two different sizes: The large tanks, T3 and T5, and the smaller tanks, T1, T2, T4, and T6.
Based on a thorough consequence analysis, the probability of fire propagation from a burning tank to an adjacent tank can be calculated using dose-effect relationships 24 given the dimensions of the adjacent tank and the amount of heat radiation it would receive. Figure 1 shows illustrative fire propagation probabilities, assuming the completion of a detailed consequence analysis, which is beyond the scope of the present study. In Figure 1, for instance, if T1 is on fire, the probability of T2 catching fire is 0.2, and vice versa.
Table 4 presents a number of conventional improvised explosive devices (IEDs) and their explosive capacity (TNT equivalent mass) based on the maximum amount of explosive material that could be carried or delivered. 25 In order to evaluate the impact of IEDs on process vessels, the overpressure generated by the IED's detonation should be calculated, for instance, using the TNT equivalent model 28 : where P (bar) is the peak overpressure, r (m) is the distance measured from the center of gravity of the explosion to the target vessel, and M TNT (kg) is the equivalent mass of trinitrotoluene (TNT) determined for an IED as in Table 4. Having the amount of overpressure at a target vessel and the threshold values in Table 5. Considering the explosive mass of a pipe bomb (2.3 kg, as in Table 4) and the least amount of overpressure required to cause damage to an atmospheric storage tank (0.22 bar, as in Table 5)

| Risk-based minimax strategy
The IED attack on the tank terminal is depicted in Figure 1. Table 6 lists such probabilities resulting from IED attacks on each possible pair of adjacent tanks, where the attacked tanks are denoted by a unity probability.
The expected loss of each IED attack scenario can be estimated using the loss associated with the damage to each storage tank.
Assume that given an IED attack, the defender would incur a cost of 3 units for damage to a large tank and a cost of 1.5 units for damage to a smaller tank, if the tanks are full (a full storage tank is filled to 0.85 of its capacity). Having these costs, a concurrent IED attack to T2 and T5 would result in the largest damage (see the last row of Table 6), and can be taken as the most credible attack scenario from a purely PRA perspective (we will later demonstrate how relying solely on the results of PRA could lead to choosing a different and not necessarily an efficient mitigating strategy).
In the context of inherent safety, reducing the inventory of hazardous substances in chemical and process plants has been proposed as an effective way to limit the effect of not only accidental 32 but also intentional events. 33 In the present study, emptying the storage tanks is chosen as a safety measure for reducing the risk of an imminent IED attack, which cannot be prevented but could be mitigated. 33 This safety measure can be categorized under the "minimization" and/or "limitation of effects" principles in the context of inherent safety. In this regard, it is assumed that the tank terminal cannot afford to keep more than one large tank or two smaller tanks empty, for instance, due to adverse impacts on the supply chain or loss of revenue. The costs of an attack on a tank that is full or kept empty are listed in Table 7. As can be noted from the numbers in Table 7, an attack on a full or an empty tank does not seem to make a significant difference in terms of cost: For instance, an attack on a full large tank would cause a damage of 3 units to the defender, while the same attack on an empty large tank would cause a damage of 2.5 units (the cost of the tank, 2, plus the cost of loss of revenue, 0.5). However, an attack on an empty tank is expected to limit the damage to the target tank only, which prevents the greater damage caused by potential domino effects.
The DBN developed in Figure 2 can be used to calculate the expected loss the defender would incur by defending tank Ti (keeping it empty) while tank Tj might get attacked, bearing in mind that (i) the defender cannot afford to defend more than one large tank or two smaller tanks and (ii) the attacker would not be able to attack more than two adjacent tanks. For the sake of exemplification, consider a case where the defender decides to "Defend T1" and the attacker decides to "Attack T1 and T2". We have chosen this simple defend-attack scenario because the corresponding domino effect can readily be modeled as a simple BN with no need for the DBN, as illustrated in Figure 3. The resulting expected loss is listed in Table 8 (denoted with a bold number).
Having the expected loss of each defend-attack scenario in Table 8
TABLE 6 Domino effect probabilities for a given IED attack on each pair of adjacent tanks in Figure 1: the attack on T2 and T5 is associated with the maximum expected loss (denoted in bold numbers)
FIGURE 3 Probability of fire propagation due to an IED attack on T1 and T2. Since T1 is empty of flammable substances, it will get damaged but cannot contribute to the domino effect (i.e., no direct arc from T1 to T4)
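To make the defend-attack loss calculation concrete, the following is an added example (not the paper's DBN, data or code) that computes the exact expected loss of one defend/attack pair on a constructed two-row layout of the six tanks. It replaces the DBN with an exhaustive enumeration of the propagation-edge states; the propagation probabilities are assumed except for T1 to T2 = 0.2 from Figure 1, the costs are the paper's 3 / 1.5 / 2.5 units plus an assumed 1.25 units for an empty small tank, and, as in Figure 3, an emptied tank can be damaged but does not pass the fire on.

```python
"""Exact expected loss of an IED attack with domino effects, for a given set
of attacked tanks and a given set of tanks kept empty (added example)."""
from itertools import product

# Constructed layout: two rows of three tanks (T1 T2 T3 over T4 T5 T6).
TANKS = ["T1", "T2", "T3", "T4", "T5", "T6"]
LARGE = {"T3", "T5"}
# Constructed directed propagation probabilities P(dst ignites | src burns).
# Only T1<->T2 = 0.2 comes from the paper's Figure 1; the rest are assumed,
# with a burning large tank radiating more than a small one.
PROPAGATE = {
    ("T1", "T2"): 0.2, ("T2", "T1"): 0.2, ("T2", "T3"): 0.2, ("T3", "T2"): 0.4,
    ("T1", "T4"): 0.2, ("T4", "T1"): 0.2, ("T2", "T5"): 0.2, ("T5", "T2"): 0.4,
    ("T3", "T6"): 0.4, ("T6", "T3"): 0.2, ("T4", "T5"): 0.2, ("T5", "T4"): 0.4,
    ("T5", "T6"): 0.4, ("T6", "T5"): 0.2,
}
# Damage cost per tank: paper gives 3 / 1.5 (full large / small) and 2.5 for
# an empty large tank (2 + 0.5 lost revenue); 1.25 for an empty small tank
# is an assumption of this example. Keys: state -> (is_large -> cost).
COST = {"full": {True: 3.0, False: 1.5}, "empty": {True: 2.5, False: 1.25}}


def damaged_set(attacked, empty, open_edges):
    """Tanks reached from the attacked ones through open propagation edges.
    An empty tank can be damaged but has no outgoing arc (cannot spread fire)."""
    damaged, frontier = set(attacked), list(attacked)
    while frontier:
        src = frontier.pop()
        if src in empty:
            continue
        for s, d in open_edges:
            if s == src and d not in damaged:
                damaged.add(d)
                frontier.append(d)
    return damaged


def damage_probabilities(attacked, empty, probs=PROPAGATE):
    """Exact P(tank damaged): enumerate every open/closed state of the
    propagation edges (static stand-in for the paper's DBN) and weight each
    state by the product of its edge probabilities."""
    edges = list(probs)
    prob = {t: 0.0 for t in TANKS}
    for state in product([False, True], repeat=len(edges)):
        weight = 1.0
        for e, is_open in zip(edges, state):
            weight *= probs[e] if is_open else 1.0 - probs[e]
        open_edges = [e for e, is_open in zip(edges, state) if is_open]
        for t in damaged_set(attacked, empty, open_edges):
            prob[t] += weight
    return prob


def expected_loss(attacked, empty, probs=PROPAGATE):
    """Sum over tanks of P(damaged) times the cost of the tank in its state."""
    return sum(COST["empty" if t in empty else "full"][t in LARGE] * p
               for t, p in damage_probabilities(attacked, empty, probs).items())


if __name__ == "__main__":
    for empty in (set(), {"T5"}, {"T2", "T4"}):
        print(f"attack T2&T5, empty {sorted(empty) or 'none'}: "
              f"expected loss {expected_loss({'T2', 'T5'}, empty):.2f}")
```

Running the main block for every allowed defence (one large tank, or two small tanks) and every adjacent attacked pair fills a loss table with the layout of Table 8.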

Case 1
Assume that the defender would choose to make their decision based on the outcomes of risk assessment where the IED attack to T2 and T5 would result in the highest risk of damage (see the expected losses in the last row of Table 6). Taking "Attack to T2 and T5" as the most likely attack scenario due to its maximum expected loss, the defender would choose "Defend T2" as the most cost-beneficial decision attributed to a minimum expected loss of 4.96 units (i.e., the value resulting from the intersection of "Defend T2" and "Attack T2 and T5" in Table 8).
An attacker who suspects that the defender would base their decision merely on the results of risk assessment would choose to launch the second-riskiest attack scenario (the one attributed to 8.72 as the second highest expected loss in Table 6), that is, "Attack T4 and T5". In such a case, the defender would end up with a loss of 6.02 units (i.e., the value resulting from the intersection of "Defend T2" and "Attack T4 and T5" in Table 8), which is higher than the loss of 5.20 resulting from a risk-based minimax strategy.

Case 2
One may also argue that strategies such as minimax are more suitable for decision-making under ignorance, that is, when a decision maker has no idea about the likelihood of "the states of nature", 21 which in our case are attack scenarios. In this regard, a PRA advocate may see it more appropriate to assign likelihoods to the attack scenarios proportional to their relative expected loss. 9 According to the expected losses of attack scenarios in Table 6 Table 9. Considering only the expected losses, "Defend T2 and T4" may be selected due to having resulted in the lowest mean loss.
In decision-making under risk, between two decision alternatives with more or less the same mean values, the one with the lower standard deviation should be chosen as the desired alternative. 21 For this purpose, the Microsoft Excel ® Data Analysis ToolPak was used to conduct an ANOVA (analysis of variance) between the two closest decision alternatives, that is, "Defend T2 and T4" and
[Table column headers (attack scenarios): T1 and T2, T2 and T3, T1 and T4, T2 and T5, T4 and T5, T4 and]
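The three decision rules compared on this page, the minimax rule of Section 2, the PRA-driven best response of Case 1, and the likelihood-weighted mean/standard-deviation ranking of Case 2, as an added example that is not the paper's code or data: the loss table follows the layout of Table 8 and the undefended expected losses play the role of Table 6, but all numbers, defender moves and attack scenarios are constructed for illustration.

```python
"""Decision rules over a defend/attack loss table (added example)."""
from math import sqrt

# Constructed loss table: rows are defender moves (one large tank or two
# small tanks kept empty), columns are IED attacks on a pair of adjacent
# tanks. Values are illustrative loss units, not the paper's Table 8.
ATTACKS = ["T1&T2", "T2&T3", "T1&T4", "T2&T5", "T4&T5", "T5&T6"]
LOSS = {
    "Defend T2":      [3.1, 4.0, 5.5, 4.0, 6.0, 5.8],
    "Defend T5":      [5.6, 5.9, 5.4, 4.2, 4.4, 4.1],
    "Defend T2 & T4": [3.0, 3.9, 3.8, 4.9, 5.2, 5.7],
    "Defend T1 & T6": [4.4, 5.8, 4.3, 6.1, 5.5, 4.6],
}
# Constructed expected loss of each attack with no tank defended (the role
# the paper's Table 6 plays), used by PRA to rank the attacks' credibility.
UNDEFENDED = [5.8, 6.1, 5.9, 8.9, 8.7, 6.3]


def minimax_choice(loss):
    """Move whose worst-case loss is smallest: min over i of max over j."""
    worst = {move: max(row) for move, row in loss.items()}
    move = min(worst, key=worst.get)
    return move, worst[move]


def pra_choice(loss, undefended, attacks):
    """Case 1 rule: take the attack with the highest expected loss as the
    credible scenario and pick the best response to that column alone."""
    j = undefended.index(max(undefended))
    move = min(loss, key=lambda m: loss[m][j])
    return move, attacks[j]


def second_riskiest(undefended, attacks):
    """Attack an informed attacker may switch to when PRA guides the defender."""
    order = sorted(range(len(undefended)), key=lambda j: -undefended[j])
    return attacks[order[1]]


def realised_loss(loss, move, attack, attacks):
    return loss[move][attacks.index(attack)]


def weighted_ranking(loss, undefended):
    """Case 2 rule: attack likelihood proportional to its expected loss;
    rank moves by weighted mean loss and break near-ties (same mean to one
    decimal) by the weighted standard deviation."""
    total = sum(undefended)
    probs = [u / total for u in undefended]
    stats = {}
    for move, row in loss.items():
        m = sum(p * l for p, l in zip(probs, row))
        s = sqrt(sum(p * (l - m) ** 2 for p, l in zip(probs, row)))
        stats[move] = (m, s)
    return sorted(stats.items(), key=lambda kv: (round(kv[1][0], 1), kv[1][1]))


if __name__ == "__main__":
    mm_move, mm_value = minimax_choice(LOSS)
    pra_move, credible = pra_choice(LOSS, UNDEFENDED, ATTACKS)
    alt = second_riskiest(UNDEFENDED, ATTACKS)
    print(f"minimax: {mm_move}, worst-case loss {mm_value}")
    print(f"PRA: {pra_move} against {credible}; if the attacker picks {alt} "
          f"instead, loss = {realised_loss(LOSS, pra_move, alt, ATTACKS)}")
    for move, (m, s) in weighted_ranking(LOSS, UNDEFENDED):
        print(f"{move:16s} mean {m:.2f}  std {s:.2f}")
```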

DATA AVAILABILITY STATEMENT
Data sharing is not applicable to this article as no new data were created or analyzed in this study.