defensibility FINAL.pdf (526.1 kB)
Download file

Risk analysis beyond vulnerability and resilience – characterizing the defensibility of critical systems.

Download (526.1 kB)
journal contribution
posted on 18.04.2019, 00:00 authored by Vicki Bier, Alexander Gutfraind
A common problem in risk analysis is to characterize the overall security of a system of valuable assets (e.g., government buildings or communication hubs), and to suggest measures to mitigate any hazards or security threats. Currently, analysts typically rely on a combination of indices, such as resilience, robustness, redundancy, security, and vulnerability. However, these indices are not by themselves sufficient as a guide to action; for example, while it is possible to develop policies to decrease vulnerability, such policies may not always be cost-effective. Motivated by this gap, we propose a new index, defensibility. A system is considered defensible to the extent that a modest investment can significantly reduce the damage from an attack or disruption. To compare systems whose performance is not readily commensurable (e.g., the electrical grid vs. the water-distribution network, both of which are critical, but which provide distinct types of services), we defined defensibility as a dimensionless index. After defining defensibility quantitatively, we illustrate how the defensibility of a system depends on factors such as the defender and attacker asset valuations, the nature of the threat (whether intelligent and adaptive, or random), and the levels of attack and defense strengths and provide analytical results that support the observations arising from the above illustrations. Overall, we argue that the defensibility of a system is an important dimension to consider when evaluating potential defensive investments, and that it can be applied in a variety of different contexts.


The work of AG was supported in part by Uptake Technologies, Inc. The work of VB was supported in part by the US Department of Homeland Security (DHS) through the National Center for Risk and Economic Analysis of Terrorism Events (CREATE) under Cooperative Agreement No. 2010-ST-061-RE0001. However, any opinions, findings, and conclusions or recommendations in this document are those of the authors and do not necessarily reflect views of the Uptake or DHS. The authors would also like to acknowledge the extensive contributions of Mr. Ziyang Lu, a former master’s student at the University of Wisconsin-Madison, to the calculations and the overall accuracy of the paper.



Bier, V., & Gutfraind, A. (2019). Risk analysis beyond vulnerability and resilience – characterizing the defensibility of critical systems. European Journal of Operational Research. doi:10.1016/j.ejor.2019.01.011







Issue date


Usage metrics