“There are as many definitions of ‘vulnerability’ and ‘risk’ as there are agencies in federal, state, and local governments combined….Currently, there is no universally accepted definition of the most basic measures of criticality - vulnerability and risk. “For example, the intelligence community typically defines ‘risk’ as R = T + V 9Threat plus Vulnerability). The FBI says ‘risk’ is R = I x T x V (probability of an incident times threat times vulnerability).116 A number of other methodologies use arbitrary metrics to gauge risk. The most popular method of gauging criticality of an asset such as a port, telecommunications center, water treatment plant, or transportation terminal is to assign numbers to each asset and then add them together. In ranked ordering systems such as the U.S. Coast Guard’s port security and risk assessment tool, risk is computed by summing assigned numbers to various properties such as damage, casualties, vulnerability, and threat. These numbers are provided by subject matter experts who, in turn, rely on their individual judgment when rating ‘vulnerability’ and ‘risk’. The port asset with the highest total is declared the most critical. “The validity of this approach relies on subject matter experts, which does not address the problem of inconsistency across experts. This leads to uneven ranking, because every expert has a different idea of how to assign numbers. It also leads to meaningless totals, because of the different interpretations of what the numbers mean. “The intelligence community’s risk equation is difficult to apply because it is not clear how one compares a low-threat, high-vulnerability asset with a high-threat, low-vulnerability asset. If we add threat and vulnerability together and get the same total, what is the difference? Clearly, a highthreat condition deserves closer scrutiny than a low-threat condition, regardless of the vulnerability, and yet R = T + V produces indistinguishable totals…. “We need a standard, scientifically exact method of assessing vulnerability and risk. Only then will we be able to define vulnerability and risk. A standard definition means that states and localities will be able to compare apples to oranges, and that the result of vulnerability analysis will mean something - across the 50 states…. “Suppose for example, ‘vulnerability’ is defined as the probability that an attack will succeed and ‘risk’ is defined as the expected value of the damage caused by a successful attack Vulnerability is a probability (a number from zero to 100% and risk is a cost (a number that represents the impact of an attack on an asset or entire sector). Mathematically, risk is V x D, where V = vulnerability and D is typically in units of dollars, casualties, or some other loss”. (Lewis and Darken 2005, 4-5)