The horrendous attacks on innocent people at the Boston Marathon continue to weigh on the public consciousness nearly a week after the deadly plot unfolded. There has been broad outreach to the victims and the suspects are accounted for: one dead, one in custody. Some people, especially in places where marathons, festivals, or other large public events will occur in the coming weeks and months are already looking ahead to the next question: What should we do to prevent terrorist attacks like this in the future?
In the wake of a terrorist attack, there is an overwhelming urge to fix things so the events will never be repeated. The story is familiar. After the bombing of U.S. embassies overseas, barriers around government buildings became de rigueur. After the anthrax letter attacks on Capitol Hill in 2001, mail to many federal offices faced irradiation and severe delays, if not prohibitions. When Richard Reed brought a shoe bomb on a plane, Americans removed their shoes at airports. After the London bombing plots, travelers lost the right to bring liquids on planes. After the so-called underwear bomber attempt, Transportation Security Administration spent millions of dollars on sophisticated body scanners.
Reactions like these may improve public safety, but in the long run they are often seen as reactionary, ineffective or costly. It isn't obvious that nuclear detectors deployed across the nation's border crossings have reduced risks of attack. The Biowatch system, deployed to detect possible bioterrorism attacks, has been criticized for not providing capabilities that will protect the public. One-by-one the post-9/11 aviation security measures are being reconsidered or rolled back. See, for example, the recent decision to allow small blades on planes.
As federal and local public safety agencies seek ways to better protect Americans in public spaces and at large gatherings, they need a reliable and valid way to decide when and how security should be changed. The solution to this problem is risk-based security, which seeks to focus resources on those threats that pose the most danger and that are the most likely to occur.
Basing public safety decisions on risk analysis allows authorities to devote public resources to those counterterrorism measures that have the potential to do the most good. It allows for better understanding of how information revealed by the latest attack changes what is already known about groups and individuals that possess the ability and intent to threaten public safety, or in other words the risks to public safety.
For example, early evidence showed that the bombs used in Boston were simple devices constructed of common components, suggesting nothing has changed in the access terrorists have to bomb technology. Similar consideration should be given to whether new information from Boston changes what we know about who may want to conduct attacks in the United States or what events or places they view as attractive targets. This information should inform future public safety decisions.
Risk-based security also allows public safety agencies to assess how security enhancements can reduce vulnerabilities and make the public safer in advance of terrorist incidents. Doing so requires considering the overall risks to public safety and addressing those specific factors that create vulnerability, not just the risks from a specific scenario. It has been shown, for example, that screening technologies at stadiums that reduce lines and congestion also decrease opportunities for attackers to strike large numbers of people.
In the current environment of government deficits and cuts to public safety spending, risk-based security can help avoid redundant or wholly ineffective security investments. In fact, several examples of how risk-based security has been used to improve public safety exist.
U.S. Customs and Border Protection use the Automated Targeting System to analyze information about the movements of goods and people. Travelers or shipments associated with patterns indicative of a greater risk of smuggling are tagged and subjected to closer inspection upon entry into the United States. The TSA is in the midst of implementing risk-based analysis to assess security at airports, identify what items to allow aboard aircraft and determine how trusted travelers are identified and screened. Following 9/11, RAND helped Los Angeles International Airport, commercial mall owners and rail operators understand the effectiveness of operational changes and capital improvements in the name of security.
Without risk-based security, law enforcement agencies are ill equipped to resist demands for increased security. Without a barometer for how risks have changed or how security will counter those changes, all proposals for increasing security are deemed critical and any failure to implement them is viewed as negligent.
Investigators now know quite a bit about how the tragedy at the Boston Marathon unfolded and their investigation is continuing. And public officials are undoubtedly asking themselves whether they should do something, anything, to immediately enhance public safety at large gatherings in the future.
Public officials should resist this pressure to take action in the charged atmosphere immediately following a terrorist attack. Public safety decisions are best rendered based on rigorous risk-based security analysis, not on public pressure so soon after such a traumatic event.
Henry Willis is director of the RAND Homeland Security and Defense Center at the nonprofit, nonpartisan RAND Corporation.
This commentary originally appeared in U.S. News & World Report on April 22, 2013. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.