As we have indicated, the interest in risk in the new research on public security can be divided into two analytical parts: risk assessment and risk management. In risk assessment (covered in Part I) attention is paid to the threats that are perceived in the environment, the opportunities that provide targets, and the calculations that are made by individuals and agencies to balance risk against the demands of routine daily activities. This assessment is influenced by the stage at which we judge risks relative to an actual incident where prevention, preparedness, response, and recovery all affect our risk balance calculation.

Risk management, which we cover in Part II, addresses the ways in which agencies plan for and react to threats and incidents, in particular, in the judgments that they make about resource allocations. This process has important effects, as well, depending on the level of impact of incidents where different levels of jurisdiction may influence the ways in which resources are managed, the ways in which information about threat is used, and the authority that is applied in responding to and coordinating response.

Risk analysis is probabilistic but also must account for uncertainty, where we have more difficulty in make firm assessments of what might occur. The extent to which we can remove uncertainty will influence how well we are able to anticipate hazards and threats and their consequences. Probabilistic risk analysis, based on Bayesian inference, is a well-developed method that has been shown to provide risk management models despite limited data. Similarly, stochastic risk modeling has been used to develop warning systems that can generate testable hypotheses. The National Infrastructure Advisory Council also recommends consideration of the application of the COSO financial risk management model to security risks (see www.coso.org). The COSO model includes risk assessment, risk response, and governance and the development of metrics to assess risk and the integration of the model throughout the enterprise (Marsh and Noonan, 2005).

The RAND Corporation advocates event-based models that include detailed analysis of vulnerability and consequence of specific terrorist attack scenarios (Willis et al., 2005). In this context of uncertainty, the goal of event-based models is to reduce “egregious errors” in risk estimates as opposed to identifying optimal estimates. The point is that risk modeling is a well-developed approach in the private sector and comparative research assessing the use of these models in security organizations offers significant value to policymakers and leaders of organizations such as the Department of Homeland Security.

There is an extensive literature on risk and risk management that has dealt with a range of topics from health security (Glass and Schoch-Spana, 2002), to property protection (O’Malley, 1992), to crime control (Simon, 1988), to crime prevention (Bradley and Morss, 2002), and to environmental threats (Douglas and Wildavsky, 1982; Dimitrov, 2002). Increasingly, researchers are beginning to apply the risk models to the study of terrorism (Cummins and Lewis, 2003; Viscusi and Zeckhauser, 2003). These approaches can be typified as concentrating on applications of a perspective that has become a more prevalent part of criminal justice thinking, beginning with the idea that we are living in a “risk society”, where hazards and threats become a focus of agencies to control through selective application of resources (see Beck, 1992). These controls are calculated through an application of probabilistic reasoning that incorporates the value of information, surveillance, and insurance (or some other form of mitigation) as key components in risk management of crime and terrorism (Simon, 1988). What this means is that agencies become more aware of the need to determine the dangers in an environment and marshal resources to repair damage that come from these dangers. Agencies must also enlist the support of the public in managing their own risks and in allowing the institutional interventions that attack the threats, sometimes at the cost of privacy and freedom of movement.

The calculus for risk management has not had an explicit focus of discussions around counter-terrorism until recently. This has emerged in the United States primarily through the ongoing political debate surrounding the distribution of homeland security funds across the country. While the discussion began as one of fairness, arguing that the areas most vulnerable should receive most funding, this debate has become more focused around how vulnerability can actually be calculated. In these deliberations, US government agencies have offered the formulation that risk is a product of threat, vulnerability, and consequence. In examining these factors, risk is profiled as “relative,” with the direct acknowledgment that resources must be applied unevenly and that not all threats will be addressed. In fact, some have argued that too much protection against loss creates loss. Baker and Simon (2002) state that society should embrace some risks. This view flies in the face of thinking that “we need to be right all the time, the terrorist needs only be right once,” a form of thinking that says that we cannot afford to make a mistake and must take action to impede all possible attacks. This strategy is used in airport screening but not applied successfully in any other instance of broad-based terrorism control (see Lum, Kennedy, and Sherley, 2006; Mueller, 2006).

In articulating risk management procedures, there has been much talk about prevention, response, and recovery (these phrases appear in many different forms in documents prepared by a range of agencies involved in crime prevention, emergency preparedness, terrorism response, and so on). In the case of terrorism, these procedures are based on a view that if attacks can be anticipated, we can quickly respond and recover from these events. But many problems emerge in the prediction of terrorism acts, the most difficult being the fact that these are low incident occurrences that are difficult to plan for. Despite this, the cases where events have occurred have provided important models for response and recovery and are giving us some important insights into how we might better prevent these events (as we have seen in the aftermath of the London transit bombings and the break up of the threatened attacks on airlines in Britain).

In the discussions of risk assessment, there have been conversations about the importance of values and institutional expertise in influencing the success of programs addressing threats and balancing risks (Van Brunschot and Kennedy, 2008). An interesting example of the contrast across societies concerning the tension that develops between experts and the public concerning risks (characterized as the “precautionary principle”) is the aversion of Europeans to genetically modified food, despite continuous claims about its safety, a reaction not reflected in North America. In similar ways, discussions about risk management in responding to terrorism, on the face of it, varies dramatically from country to country. Part of this is determined by the local experiences with threats but it is in part a function of the degree of trust that the public puts in law enforcement and its ability to counter dangers in an effective way. The judgment about the success of risk management in counter-terrorism, then, is dependent on not just reducing incidents but also by delivering programs in which the public has confidence. This success also depends on the degree to which the public becomes a partner in the risk management process, working with agencies to deter terrorism. This can take on many different forms but two examples that illustrate this are the actions taken within ethnic communities that are vulnerable to terrorism recruitment to address these threats and the voluntary participation of industry in securing their supply chains in collaboration with customs and border patrol (Closs and McGarrell, 2004).

An important element in this cultural approach relates to the social construction of risk and the management of risk communications (Wildavsky, 1995; Glassner, 1999). Social construction relates to the ways in which risk and security are discussed in the media, by politicians, in local communities, and in small circles of family and friends. How risk is constructed can have important implications for the steps that we take to mitigate it. In addition, the ways in which we manage risk communication can influence our views of threat. Agencies play an important role in this communication and this needs to conform to their actions in preparing for and responding to crime and terrorism.

In sum, in developing risk assessments strategies, we have to address a number of issues. We can summarize the major ones by posing questions that will be the subject of the articles that we have included in this book: