This is adapted from Mueller and Stewart's new Terror, Security, and Money: Balancing the Risks, Benefits, and Costs of Homeland Security. Read earlier pieces about why the government refuses to subject homeland-security spending to cost-benefit analysis and how the government overestimates the risk of terrorism.
Is it possible to measure the risk of terrorism? Measuring risk can be difficult, but it is done as a matter of course in such highly charged areas as nuclear power plant safety, airplane safety, and environmental protection. There is adequate information about terrorism: There is plenty of data on how much damage terrorists have been able to do over the decades and about how frequently they attack. The insurance industry has a distinct financial imperative to understand terrorism risks to write policies for it. If the private sector can estimate terrorism risks and is willing to risk its own money on the validity of the estimate, why can't the Department of Homeland Security?
A conventional approach to cost-effectiveness compares the costs of security measures with the benefits as tallied in lives saved and damages averted. The benefit of a security measure is a multiplicative composite of three considerations: the probability of a successful attack, the losses sustained in a successful attack, and the reduction in risk furnished by security measures. This product, the benefit, is then compared to the cost of the security measure instituted to attain the benefit. A security measure is cost-effective when the benefit of the measure outweighs the costs of providing the security measures.
The interaction of these variables can perhaps be seen in an example. Suppose there is a dangerous curve on a road that results in an accident from time to time. To evaluate measures designed to deal with this problem, the analyst would need to estimate 1) the probabilityof an accident each year under present conditions, 2) the costs of the consequences of the accident (death, injury, property damage), and 3) the degree to which a proposed safety measure lowers the probability of an accident (erecting warning signs) and/or the losses sustained in the accident (erecting a crash barrier). If the benefits of the risk-reduction measures—these three items multiplied together—outweigh their costs, the measures would be deemed cost-effective.
These considerations can be usefully wrinkled around a bit in a procedure known as "break-even analysis" to calculate how many attacks would have to take place to justify a security expenditure.
We apply this approach to the overall increase in domestic homeland security spending by the federal government (including for national intelligence) and by state and local governments. That is, we assume homeland security measures are in place before the attacks continue, and we evaluate the additional funds that have been allocated to homeland security, almost all of it designed, of course, to deal with terrorism, the only hazard that notably inspired increased alarm after the attacks. By 2009, this increase totaled some $75 billion per year. This is a very conservative measure of the degree to which homeland security expenditures have risen since 9/11 because it excludes items such as private sector expenditures, hidden and indirect costs of implementing security-related regulations, and the costs of the terror-related (or terror-impelled) wars in Iraq and Afghanistan.
To evaluate the reduction in risk provided by security measures, we need to consider their effectiveness in foiling, deterring, disrupting, or protecting against a terrorist attack. In assessing risk reduction, it is important first to look at the effectiveness of homeland security measures that were in place before 9/11. The 9/11 Commission's report points to a number of failures, but it acknowledges as well that terrorism was already a high priority of the government before 9/11. More pointed is an observation of Michael Sheehan, former New York City deputy commissioner for counterterrorism: "The most important work in protecting our country since 9/11 has been accomplished with the capacity that was in place when the event happened, not with any of the new capability bought since 9/11. I firmly believe that those huge budget increases have not significantly contributed to our post-9/11 security."
There is another consideration. The tragic events of 9/11 massively heightened the awareness of the public to the threat of terrorism, resulting in extra vigilance that has often resulted in the arrest of terrorists or the foiling of terrorist attempts.
In our analysis we will assume that risk reduction caused by the security measures in place before 9/11 and by the extra vigilance of the public after that event reduced risk by 50 percent. This is an exceedingly conservative estimate not only because of Sheehan's observation but because security measures that are at once effective and relatively inexpensive are generally the first to be implemented—for example, one erects warning signs on a potentially dangerous curve in the road before rebuilding the highway. Furthermore, most terrorists (or would-be terrorists) do not show much intelligence, cleverness, resourcefulness, or initiative, and therefore measures to deal with them are relatively inexpensive and are likely to be instituted first. Dealing with the smarter and more capable terrorists is more difficult and expensive, but these people represent, it certainly appears, a decided minority among terrorists.
In addition, we will assume that the increase in U.S. expenditures on homeland security since 2001 has been dramatically effective, reducing the remaining risk by an additional 45 percent. Total risk reduction, is generously assumed, then, to be 95 percent with the pre-existing measures and the extra public vigilance responsible for 50 percent of the risk reduction and the enhanced expenditures responsible for the remaining 45 percent.