Why Bush’s War On Terror Is Failing: A Risk Management Perspective


By now we’re all quite familiar with the Bush administration’s stance on security. It essentially boils down to the best defense being a good offense. Or, to put it less philosophically, people can’t attack you if they don’t exist. The problem with this line is that it gives insufficient weight to reality.

Let us start with a formula for calculating risk in the information security world. Risk, in it’s most basic form, is the chance of something bad happening. It can be calculated in the following way:

 Risk = Threat x Vulnerability x Asset Worth

As I said, this is an information security formula, but it translates quite well to security in general. When we evaluate the variables here they materialize in the following way:

Threat = Bad Guys x Weapon PowerVulnerability = How Easy It Is To Attack UsAsset Worth = How Important The Targets Are To Our Livelihood

What Effect Is Bush Having On This Formula?

To make positive change we have to accurately gauge the effects of our actions on reality. Unfortunately, this is the part that the current administration is getting wrong. Let’s assign arbitrary numbers to these variables in order to demonstrate the difference between what they think they are doing vs. what they are actually doing. I’ve removed asset value since it stays relatively constant.

The Neocon Viewpoint

Pre-Bush: Threat (5) x Vulnerability (9) = 45% RiskPost-Bush: Threat (5) x Vulnerability (5) = 25% Risk

(-40% risk)

Basically, they think they’ve reduced Al-Quaeda’s ability to commit acts of terror against us, while they’ve simultaneously hardened our critical assets against attack. Unfortunately, that’s not the case.

Unsupervised Learning — Security, Tech, and AI in 10 minutes…

Get a weekly breakdown of what's happening in security and tech—and why it matters.


Pre-Bush: Threat (4) x Vulnerability (9) = 45% RiskPost-Bush: Threat (10) x Vulnerability (8) = 80% Risk

(+ 45% risk)

The truth of the matter is that we’ve massively increased the number of people who want to do us harm in the world (threat). This adds to the threat against us infinitely more than we can possibly hope to reduce our vulnerability.

In short, we live in a free and open society that is vulnerable by its very nature. In such a society it is impossible to keep people who want to hurt us from doing so. There are too many malls, too many children, and too many ways to cause us harm.

The only way to stop people from hurting you is to make it so that they don’t want to.


The solution is for us to become a better country. We have to treat people with respect and stop intruding in their affairs. This is not isolationism, it’s common courtesy. Only once we’ve started down that path — a new path — will we be able to positively effect the operative variable in the risk equation (threat).

In other words, the crucial point here is the sheer number of people with the will to cause us harmnot specific measures aimed to stop how the attacks will occur. The current policy is failing because of this misunderstanding, and I hope someone figures this out sooner rather than later.:

Related posts: