European Journal of Operational Research 220 (2012) 522–529
Innovative Applications of O.R.
Multilevel, threshold-based policies for cargo container security screening systems

Laura A. McLay a,⇑, Rebecca Dreiding b

a Department of Statistical Sciences and Operations Research, Virginia Commonwealth University, 1015 Floyd Ave., P.O. Box 843083, Richmond, VA, United States
b Mantech International Corporation, 1560 Wilson Blvd., Suite 700, Arlington, VA 22209, United States
Article info

Article history: Received 20 October 2010; Accepted 31 January 2012; Available online 16 February 2012

Keywords: Knapsack problem models; Container screening; Homeland Security; Threshold constraints

Abstract

To mitigate the threat of nuclear terrorism within the US using nuclear material that has been smuggled into the country, the US Bureau of Customs and Border Protection has expanded its cargo container detection capabilities at ports of entry into the US. This paper formulates a risk-based screening framework for determining how to define a primary screening alarm for screening cargo containers given a set of dependent primary screening devices. To do so, this paper proposes two linear programming models for screening cargo containers for nuclear material at port security stations using knapsack problem models. All cargo containers undergo primary screening, where they are screened by a given number of security devices. The objective is to identify the primary security outcomes that warrant a system alarm for each container risk group such that the system detection probability is maximized, subject to a screening budget. The base model is compared to a second model that explicitly requires a threshold-based policy. The structural properties of the two models are compared, which indicates that all risk groups except at most one have deterministic screening policies. A computational example suggests that the detection probability is not significantly altered by enforcing a threshold policy. © 2012 Elsevier B.V. All rights reserved.
⇑ Corresponding author. Tel.: +1 804 828 5842.
doi:10.1016/j.ejor.2012.01.060

1. Introduction

National security has become a critical issue since the September 11, 2001 attack. Port security has emerged as a critically important yet vulnerable component in the Homeland Security system. One of the most important security issues to emerge is the need to prevent nuclear material being smuggled into the US by cargo containers, since nuclear material could be used to detonate a nuclear bomb on US soil. In order to prevent nuclear material from being smuggled into the US, nearly all of the 11.4 M cargo containers that enter the US every year are scanned by radiation portal monitors (RPMs) (Fritelli, 2005; US DOT, 2007; Lava, 2008; Bakir, 2008).

There are many challenges associated with screening cargo containers. One challenge is to determine effective risk-based methods for screening cargo containers, given that risk assessments have been performed on cargo containers entering the US. The Automated Targeting System (ATS) is used to prescreen each cargo container and classify it as high-risk or low-risk using the shipping manifest and other information (Strohm, 2006). ATS and the outcomes of other US Customs and Border Protection programs – such as Customs-Trade Partnership Against Terrorism (C-TPAT), the Container Security Initiative (CSI), and Secure Freight Initiative (SFI) – can be used to classify cargo containers into a large number of risk groups.
These programs provide a wealth of data that can be used to make more effective risk-based container screening decisions. Although a risk-based approach to cargo container screening is part of the US Customs and Border Patrol (CBP) plan for security, few guidelines are given to implement and assess such a strategy. Another challenge with screening cargo containers is that secondary screening inspection methods that rely on unpacking cargo containers are labor intensive, expensive, and time-consuming. As a result, a small proportion of cargo containers entering US ports are inspected for nuclear and radiological material using highly effective techniques and technologies, since it is expensive to inspect cargo by physically unpacking the containers or to use non-intrusive inspection technologies. This paper provides a prescriptive, structured framework for investigating security system design given that cargo containers undergo multilayered prescreening and that restrictions are imposed on how secondary screening decisions can be made. In this paper, screening refers to the entire inspection process in a layered port security system, which may involve scanning with an RPM, non-intrusive inspection using imaging technologies, document checking, and physically unpacking containers. Screening may take place at several locations, such as foreign ports, US seaports, land border crossings, as well as other locations. Note that more advanced and expensive screening procedures, such as non-intrusive inspection and unpacking containers, are used more sparingly and are targeted at high-risk containers (US CBP, 2007). Such inspections are assumed to be performed at a predetermined
security station such as at the exit lanes of a US seaport. Identifying optimal ways to use these limited screening resources is an important part of the Homeland Security system.

This paper introduces two linear programming models for identifying risk-based screening policies using knapsack problem models. In both models, a prescreening system such as ATS classifies containers into a number of risk groups. All containers are screened by a set of primary screening devices, each of which yields an alarm or clear response. The objective is to determine how many device alarms lead to a primary screening alarm for each risk group to maximize the detection probability of the system subject to a screening budget. Containers are sent to secondary screening (or cleared) at a specific location (e.g., the exit lanes at a single port). The base model is compared to a second model that explicitly requires a threshold-based policy, which requires that the primary screening alarms be defined such that there is a threshold in the total number of alarms that defines the primary screening alarms for each risk group. Such a threshold is desirable for simplicity, but may not be optimal (McLay and Dreiding, 2009).

This approach of exploring how to define a primary screening alarm complements the approach of determining individual sensor operating characteristics (by changing the level at which individual sensors yield an alarm based on receiver-operating characteristic curves) while assuming that an escalating security policy is in place. This latter approach is explored in several papers (e.g., Wein et al., 2007; Boros et al., 2009). Defining a primary screening alarm and defining individual sensor operating characteristics are interrelated problems. However, the objective of this paper focuses on the definition of a primary screening alarm to isolate the effect of this type of decision and to highlight its importance in a risk-based security context, particularly since any layer in the security system could cumulatively use information from previous security checks to more effectively detect nuclear material.

This paper extends the analysis by McLay et al. (2011), who explore the relationships and tradeoffs between prescreening intelligence, secondary screening costs, and the efficacy of radiation detectors when there are two risk groups (i.e., high-risk and low-risk). This paper considers a generalized prescreening system that classifies containers according to an arbitrary number of risk groups, where the risk groups are linked to a portfolio of threat and non-threat scenarios, and it considers the impact of threshold-based primary screening alarms. The key contribution of this analysis is that it provides a multilevel, risk-based framework for determining how to define a system alarm when screening cargo containers given limited secondary screening resources while simultaneously considering threshold-based screening restrictions. The analysis indicates that a threshold-based definition for the system alarm may not be optimal under reasonable assumptions, but it leads to near-optimal solutions that may be easier to implement in practice. Structural properties of the model shed light on optimal screening policies as well as how prescreening can effectively use scarce screening resources.

This paper is organized as follows. Section 2 provides a literature review for security screening problems and research models for detecting nuclear material. Section 3 introduces parameters and notation used in the models, and then it introduces the two proposed models. Their structural properties are analyzed in Section 4. A simple computational example is analyzed in Section 5.
Concluding remarks and directions for future research are given in Section 6.
2. Background

There is a growing body of literature that addresses the detection of nuclear material in cargo containers using operations research methodologies. Wein et al. (2006) analyze an eleven-layer screening system for containers entering the US by considering a fixed budget and port congestion. They consider the effects of prescreening from ATS and whether a terrorist enrolls in the Customs-Trade Partnership Against Terrorism (CTPAT) program. Bakir (2008) presents a decision tree model to analyze the screening of cargo containers at commercial truck crossings on the US border with Mexico. The analysis suggests that new screening equipment should not be routinely installed. Bakir’s results largely depend on the conditional probability of an attack, and the analysis motivates the need for improved next-generation RPMs. Merrick and McLay (2010) extend Bakir’s model to examine whether even the original screening equipment investments were worthwhile. They also examine the scenarios when multiple layers of screening are viable and how large the deterrent effect should be to justify routine screening. Their analysis suggests that taking alarms caused by naturally occurring radioactive material (NORM) and the deterrent effect into account are important for port security models. Gaukler et al. (2011) investigate how radiography-based images can be used to supplement or replace prescreening by computing hardness measures to identify potential containerized threat scenarios. They explore the tradeoffs between the system detection probability and the sojourn time of the containers. Gaukler et al. (2012) extend this approach to consider hybrid screening systems and container-specific false alarm rates.

Several research papers examine inspection strategies for cargo containers that use several types of screening tests. Wein et al. (2007) apply queuing theory and optimization to analyze cargo containers on truck trailers passing by a series of RPMs. They determine the optimal spatial positioning and scanning time for RPMs such that a desired detection probability is achieved.
Ramirez-Marquez (2008) uses decision trees to find cargo container inspection strategies that minimize inspection costs. Each strategy selects sensors that have varying reliability and costs. The strategy presented maintains a required detection rate that follows a minimum cost, order-dependent inspection. Concho and Ramirez-Marquez (2010) extend this work to provide an evolutionary algorithm for identifying near-optimal sensor operating characteristics. Boros et al. (2009) determine how to optimally inspect cargo containers by using a large scale linear programming model. Boros et al. (2011) extend this approach using decision trees and knapsack problem models by using dynamic programming to identify optimal inspection policies. Kantor and Boros (2010) use principles of game theory to determine when to unpack and inspect cargo containers when considering mixed inspection strategies. Note that none of these efforts explicitly consider the effects of prescreening to identify high-risk cargo containers.

Several papers use stochastic network interdiction models to determine how to locate sensors. Morton et al. (2007) propose two stochastic network interdiction models to minimize the success of a potential terrorist. The first model is deterministic, which assumes that the path and location of the radiation detectors are known to all. In the second model, only a subset of radiation detectors is known by the smuggler, and the views of the interceptor and smuggler differ. These models are used to select sensor locations to minimize a terrorist’s probability of being successful at smuggling nuclear material across the borders. Dimitrov et al. (2011) use stochastic network interdiction models to determine how to locate radiation detectors on a network, given a large number of potential threat scenarios. They identify computationally efficient methods for estimating detection probabilities.
Nehme (2009) analyzes two-person stochastic network interdiction models for determining how to locate radiation detectors on a network. Three classes of models consider sequential games, simultaneous games, and games with hidden information.
In contrast to previous work in this area that seeks to determine sensor operating characteristics while assuming that an escalating primary security alarm is in place (i.e., at least one alarm yields a primary screening alarm), this paper explores the complementary issue of how to define a primary screening alarm in a risk-based security system while assuming that the sensor operating characteristics remain constant in order to shed light on optimal, risk-based security system design and operation. The additional issue of exploring threshold-based screening policies provides insight into the tradeoffs when there are restrictions on screening decisions.

3. Screening framework and model

In this section, terminology and parameters are introduced for the two linear programming models, and the proposed models are formally stated. The Multilevel Knapsack Screening Problem (MKSP) examines the particular case when containers undergo prescreening prior to primary screening, based on the output of ATS and other forms of prescreening, and it investigates how to define a primary screening alarm given the container’s prescreening classification and the number of primary screening sensor alarms. MKSP examines primary screening alarms for the general screening case, whereas the Multilevel Threshold Knapsack Screening Problem (MTKSP) examines the restriction that all primary screening alarms are defined according to a threshold policy.

First, a prescreening system is used to classify each cargo container into one of m risk groups, with m ≥ 1. Cargo containers enter a security station (e.g., exit lanes at a port) to undergo primary screening, where n sensors screen each container. Each sensor yields an alarm or clear response, based on how the sensor operates and the characteristics of the cargo container, and hence, the total number of sensor alarms is between zero and n.
The sensor alarms depend on the true underlying container contents (e.g., whether a nuclear weapon is in the container), which are likewise reflected in each of the risk groups. Ideally, the system yields a clear response for all of the non-threat containers and yields an alarm response for all of the threat containers. Based on the total number of sensor alarms, a primary screening system response is given. This allows the system response (either alarm or clear) to be defined in one of several ways (Kobza and Jacobson, 1996; Kobza and Jacobson, 1997). The primary screening system response has one of two outcomes: either an alarm is given or the container is cleared. If the cargo container is cleared, it exits the security station and continues along its path to its destination. The cargo containers that yield a primary screening alarm undergo secondary screening. The objective is to determine which containers yield a primary screening alarm in order to maximize the total security. It is assumed that the total security captures the expected number of threat containers that are selected for secondary screening, although other objective functions could be used. Although selecting threat containers for secondary screening does not guarantee that the threats are detected, secondary screening inspection procedures, such as using RIIDs and unpacking the containers, have a high probability of detecting a threat. Threat containers that are not selected for secondary screening are cleared, and hence, they cannot be detected by screening procedures (although they could be interdicted by local law enforcement before an attack). Note that this framework is defined generally for any type of radiological and nuclear sensor, and it makes no assumptions about how the sensors work together.

MKSP and MTKSP have the following parameters:

m = number of prescreening risk groups,
n = number of sensors for screening cargo containers, each yielding a binary outcome,
$r_{i,k}$ = security level associated with selecting containers of risk group i that yield k alarms for secondary screening (i.e., the reward), i = 1, 2, ..., m, k = 0, 1, ..., n,
$w_{i,k}$ = the number of containers of risk group i that yield k alarms (i.e., the weight), i = 1, 2, ..., m, k = 0, 1, ..., n,
c = the budget associated with secondary screening.

All parameters are deterministic. The m risk groups reflect the prescreening risk assessments performed on each container, based on ATS and other forms of prescreening. The risk groups could be defined to capture screening outcomes at foreign ports, document checks, and expert judgement. Therefore, this framework captures a broad range of security screening operations. In the simplest case, there would be two risk groups, associated with containers perceived as high-risk or low-risk (Strohm, 2006; McLay and Dreiding, 2011). The n sensors could be radiation detectors such as RPMs, which screen each cargo container for radiation that is emitted by nuclear material such as plutonium and highly enriched uranium (HEU). The budget for secondary screening c is a deterministic value based on available resources. It is based on information collected and analyzed by the Department of Homeland Security (DHS) and CBP (Huizenga, 2005; Rooney, 2005). It is in part based on salaries paid to the employees hired to perform secondary screening. Note that the budget can be selected to take delay costs into account, and hence, delays are implicitly handled by this model, which assumes that the cost to resolve an alarm with secondary screening is the same for all types of containers. The rewards and weights, $r_{i,k}$ and $w_{i,k}$, i = 1, 2, ..., n, k = 0, 1, ..., n, reflect the containers’ threat and alarm probabilities.
To define the knapsack rewards and weights, the following parameters are needed:

N = number of cargo containers screened at the security station,
$T$ ($\bar{T}$) = set of threat (non-threat) scenarios, where $T$ and $\bar{T}$ are mutually exclusive and exhaustive subsets of the set of container scenarios,
$P_t$ = the probability a cargo container is in threat or non-threat scenario $t \in T \cup \bar{T}$, with $\sum_{t \in T \cup \bar{T}} P_t = 1$,
$P^R_{i|t}$ = the conditional probability that a cargo container is classified into risk group i given its scenario, $i = 1, 2, \ldots, m$, $t \in T \cup \bar{T}$,
$P_{jA|t \cap i}$ = the conditional probability that a container in risk group i and scenario t yields an alarm (A) at sensor j, $j = 1, 2, \ldots, n$, $i = 1, 2, \ldots, m$, $t \in T \cup \bar{T}$,
$P_{kA|t \cap i}$ = the conditional probability that a container in risk group i and scenario t yields k alarms, $k = 0, 1, \ldots, n$, $i = 1, 2, \ldots, m$, $t \in T \cup \bar{T}$.

The total number of containers N represents the number of cargo containers that pass through a given station in a year, or another period of time. The threat scenarios $T$ reflect possible sources for the nuclear weapon, weapon construction, and how the nuclear weapon is stored in the container, such as whether it is masked by naturally occurring radioactive material (NORM) or shielded with lead. Likewise, the non-threat scenarios ($\bar{T}$) reflect the characteristics of containers that do not contain a nuclear weapon. The non-threat scenarios $\bar{T}$ could be defined to capture the container contents, such as whether a container contains NORM, since container contents are important for predicting alarm probabilities (Huizenga, 2005). Likewise, the probabilities associated with the threat and non-threat scenarios reflect the proportion of containers passing through a security station that take on the associated characteristics. The conditional probability that a cargo container is classified into risk group i given scenario t, $P^R_{i|t}$ for $t \in T \cup \bar{T}$, reflects the quality of prescreening.
These probabilities are based on the proportion of containers passing through a security station that are classified
in risk group i, i = 1, 2, ..., m, once a large number of cargo containers has been evaluated. Ideally, the threat containers are captured in risk groups that are matched with screening policies that are designed to detect them. The conditional probability that a container in risk group i and scenario t yields k alarms, $P_{kA|t \cap i}$, reflects the likelihood of observing a given number of alarms, based on the risk level and scenario. Methods by McLay and Dreiding (2011) can be used to compute the conditional probabilities of observing k-of-n alarms given a container’s risk group and scenario. These k-of-n alarm probabilities $P_{kA|t \cap i}$ can be computed using a reliability model given the individual alarm probabilities $P_{jA|t \cap i}$, $i = 1, 2, \ldots, m$, $t \in T \cup \bar{T}$, $j = 1, 2, \ldots, n$ (Koucky, 2003). In the case when each sensor operates independently and identically with the probability of a single sensor alarm $P_{A|t \cap i}$, $i = 1, 2, \ldots, m$, $t \in T \cup \bar{T}$, then the number of alarms can be modeled as a Binomial random variable with parameters n and $P_{A|t \cap i}$. The reward $r_{i,k}$ reflects the expected number of threat containers in risk group i that yield exactly k primary screening alarms, i = 1, 2, ..., m, k = 0, 1, ..., n:
$$r_{i,k} = N \sum_{t \in T} P_{kA|i \cap t}\, P^R_{i|t}\, P_t = N \sum_{t \in T} P_{kA \cap i \cap t}. \qquad (1)$$

The weight $w_{i,k}$ reflects the expected number of containers in risk group i that yield exactly k primary screening alarms, i = 1, 2, ..., m, k = 0, 1, ..., n:

$$w_{i,k} = N \sum_{t \in T \cup \bar{T}} P_{kA|i \cap t}\, P^R_{i|t}\, P_t = N \sum_{t \in T \cup \bar{T}} P_{kA \cap i \cap t}. \qquad (2)$$

MKSP is formally stated. Its decision variables are $x_{i,k}$, which capture the proportion of type i containers yielding k alarms that are selected for secondary screening, i = 1, 2, ..., m, k = 0, 1, ..., n. For simplicity, MKSP is stated as a linear programming model.

$$z = \max \sum_{i=1}^{m} \sum_{k=0}^{n} r_{i,k}\, x_{i,k}, \qquad (3)$$

$$\text{subject to} \quad \sum_{i=1}^{m} \sum_{k=0}^{n} w_{i,k}\, x_{i,k} \le c, \qquad (4)$$

$$0 \le x_{i,k} \le 1, \quad i = 1, 2, \ldots, m, \; k = 0, 1, \ldots, n. \qquad (5)$$

The objective function (3) reflects the expected number of threats that are selected for secondary screening. The first constraint (4) ensures that the screening decisions are capacity feasible. The final set of constraints (5) provides linear bounds for the variables. Note that MKSP is identical to the linear programming relaxation of the well-known 0–1 Knapsack Problem (KP). This relationship will be explored in greater detail in Section 4.

Ideally, if a container yielding k alarms is selected for secondary screening, k = 0, 1, ..., n − 1, then a container in the same risk group yielding k + 1 alarms is selected for secondary screening. Such a policy is called a threshold policy. However, McLay and Dreiding (2009) demonstrate that a threshold policy is not optimal using realistic parameter values. Note that a threshold policy would be optimal across all risk groups and capacity levels if:

$$\frac{r_{i,k}}{w_{i,k}} < \frac{r_{i,k+1}}{w_{i,k+1}}, \quad k = 0, 1, \ldots, n-1,$$

for all i = 1, 2, ..., m, due to the well-known solution to the linear programming relaxation to KP (Kellerer et al., 2004, p. 18). MTKSP is identical to MKSP except that it enforces such a threshold policy, which can be formulated by adding the following constraints to (3)–(5),

$$x_{i,k-1} \le x_{i,k}, \quad i = 1, 2, \ldots, m, \; k = 1, 2, \ldots, n. \qquad (6)$$

Alternatively, MTKSP can be formulated as a particular instance of the multiple-choice knapsack problem (MCKP). In MCKP, there is a set of classes, where the classes form a partition of the set of items. Exactly one item in each class must be added to the knapsack. As in KP, there is a single capacity constraint and the objective is to maximize the total reward. Each class in the MCKP formulation for MTKSP corresponds to a risk group, resulting in m classes. The rewards in the MCKP formulation for MTKSP, $R_{i,k}$, are interpreted as the expected number of threats in risk group i yielding k or more alarms, resulting in $R_{i,k} = \sum_{j=k}^{n} r_{i,j}$, k = 1, 2, ..., n, with $R_{i,n+1} = 0$, i = 1, 2, ..., m. The weights in the MCKP formulation are the expected number of containers in risk group i yielding k or more alarms, resulting in $W_{i,k} = \sum_{j=k}^{n} w_{i,j}$, k = 0, 1, ..., n, with $W_{i,n+1} = 0$, i = 1, 2, ..., m. The knapsack capacity remains c. MTKSP is stated as a linear programming model:

$$z_T = \max \sum_{i=1}^{m} \sum_{k=0}^{n+1} R_{i,k}\, y_{i,k} \qquad (7)$$

$$\text{subject to} \quad \sum_{i=1}^{m} \sum_{k=0}^{n+1} W_{i,k}\, y_{i,k} \le c \qquad (8)$$

$$\sum_{k=0}^{n+1} y_{i,k} = 1, \quad i = 1, 2, \ldots, m \qquad (9)$$

$$0 \le y_{i,k} \le 1, \quad i = 1, 2, \ldots, m, \; k = 0, 1, \ldots, n+1 \qquad (10)$$

The decision variables $y_{i,k}$ set the threshold for containers in risk group i at k as follows, i = 1, 2, ..., m, k = 0, 1, ..., n + 1. When $y_{i,k}$ take on integer values, they define a deterministic threshold, where the threshold for risk group i is (not) set at k when $y_{i,k}$ = 1 (0). When $y_{i,k}$ take on linear values, they define a random threshold, where a random proportion of containers in risk group i yielding at least k alarms are selected for secondary screening. Containers that yield k alarms are selected for secondary screening if the threshold is set to k or fewer alarms. If $y_{i,n+1} = 1$, then no containers in risk group i are selected for secondary screening, i = 1, 2, ..., m. The objective in (7) captures the expected number of threats that are selected for secondary screening. The first constraint (8) ensures that the screening decisions are capacity feasible. The second set of constraints (9) is the multiple-choice constraint, which enforces a threshold policy. The final set of constraints (10) provides the variable bounds.

4. Structural properties

This section summarizes the structural properties of MKSP and MTKSP and their policies. The structural properties of the screening policies implied by the optimal solutions to MKSP are first discussed, followed by a discussion of the MTKSP screening policies. The proofs for all results can be found in McLay and Dreiding (2011). The prior probability that a container in risk group i is a threat (i.e., is contained in one of the threat scenarios) is:

$$\sum_{t \in T} P^R_{t|i} = \frac{\sum_{t \in T} P_{i \cap t}}{P_i} = \frac{\sum_{k=0}^{n} \sum_{t \in T} P_{kA \cap i \cap t}}{\sum_{k=0}^{n} \sum_{t \in T} P_{kA \cap i \cap t} + \sum_{k=0}^{n} \sum_{t \in \bar{T}} P_{kA \cap i \cap t}} = \frac{\sum_{k=0}^{n} r_{i,k}}{\sum_{k=0}^{n} w_{i,k}}.$$
The posterior probabilities capture the conditional probabilities that a container is a threat given that it yields k alarms and is in risk group i, $\sum_{t \in T} P_{t|kA \cap i}$. Theorem 1 defines the posterior probabilities.

Theorem 1. The posterior probabilities that a container in risk group i yielding k alarms is a threat, $\sum_{t \in T} P_{t|kA \cap i}$, is defined as the ratio of the reward to the weight, $r_{i,k}/w_{i,k}$, i = 1, 2, ..., m, k = 0, 1, ..., n.
It is desirable to select containers for secondary screening according to a threshold policy, which selects containers for secondary screening that yield more alarms rather than fewer alarms according to the optimal solution to the linear programming relaxation for KP. MKSP may result in a threshold policy for a given set of input parameters. Theorem 2 reports the conditions under which a threshold policy occurs across all values of C. For each risk group, the order that items are put into the knapsack (i.e., the order in which containers are selected for secondary screening) depends on sensor alarm dependencies.

Theorem 2. Containers in risk group i that yield k alarms occur before containers in risk group i that yield k − 1 alarms in the optimal knapsack sequence,

$$\frac{r_{i,k}}{w_{i,k}} \ge \frac{r_{i,k-1}}{w_{i,k-1}},$$

only if

$$\frac{\sum_{t \in T} P_{kA \cap i \cap t}}{\sum_{t \in T} P_{(k-1)A \cap i \cap t}} \ge \frac{\sum_{t \in \bar{T}} P_{kA \cap i \cap t}}{\sum_{t \in \bar{T}} P_{(k-1)A \cap i \cap t}}.$$

Corollary 1 illustrates when the conditions in Theorem 2 hold for the particular case when each sensor operates independently and identically with common single sensor true alarm and false alarm probabilities, when there is one threat and non-threat scenario (i.e., $|T| = |\bar{T}| = 1$), and when alarm probabilities depend on the presence of a threat but not the risk group. In Corollary 1, $T$ and $\bar{T}$ denote the events that a container is a threat and non-threat, respectively, rather than sets of threat and non-threat scenarios.

Corollary 1. When sensor alarms are independently and identically distributed with true alarm and false alarm probabilities $P_{A|T}$ and $P_{A|\bar{T}}$, respectively, then

$$\frac{r_{i,k}}{w_{i,k}} \ge \frac{r_{i,k-1}}{w_{i,k-1}}$$

only if $P_{A|T} \ge P_{A|\bar{T}}$.
Several types of screening technologies (e.g., RPMs) may be more effective at identifying NORM containers than threat containers, and hence, the conditions in Corollary 1 may not hold. Therefore, a threshold policy may not be optimal under realistic assumptions. This motivates the need to address the challenges associated with cargo container security system design. Section 5 illustrates this issue for a computational example.

The analysis thus far has focused on the optimal solution to MKSP. The solution value to both MKSP and MTKSP reflects the expected number of threat containers selected for secondary screening. Enforcing a threshold policy in MTKSP reduces the expected number of threats detected as compared to MKSP, and this reduction is arbitrarily worse in the worst-case.

Proposition 1. The ratio between the objective values for MTKSP and MKSP, $Z_T/Z$, is arbitrarily bad.

To see this, consider the following example.

Example. Two sensors screen three containers (N = 3) with a single risk group (m = 1). There is one threat scenario and one non-threat scenario ($|T| = |\bar{T}| = 1$). One of the three containers is a threat. There are three equally likely primary screening outcomes: zero, one, or two alarms (i.e., $w_{1,0} = w_{1,1} = w_{1,2} = 1$). A threat container would have probability $\varepsilon$ of yielding two alarms and probability $1 - \varepsilon$ of yielding one alarm (i.e., $r_{1,0} = 0$, $r_{1,1} = 1 - \varepsilon$, $r_{1,2} = \varepsilon$), with $\varepsilon < 1/2$. If one container can be selected for secondary screening (c = 1), the optimal MKSP solution would select the container yielding one alarm. When enforcing a threshold policy, the optimal MTKSP solution would select the container yielding
two alarms, with $Z_T/Z = \varepsilon/(1 - \varepsilon)$, which is arbitrarily bad as $\varepsilon$ approaches 0. □

Consider a fixed risk group i. A threshold set at k indicates that a container yielding k alarms or more is selected for secondary screening, and a container yielding strictly fewer than k alarms is not selected for secondary screening. The threshold for risk group i is either deterministic (i.e., $y_{i,k} = 1$ for some k) or random (i.e., $0 < y_{i,k} < 1$ for at least one k, which means that some containers are randomly selected for secondary screening). Proposition 2 indicates that the threshold for at most one risk group is random; the other thresholds are deterministic.

Proposition 2. In an optimal solution to MTKSP, there are at most two fractional variables. If there are two fractional variables, then they are in the same risk group.

Proposition 3 indicates that certain thresholds are dominated. A threshold k in risk group i is dominated if its posterior probability that a container in risk group i is a threat is not more than that of threshold k − 1. The pruned version of MTKSP removes these thresholds (and their associated variables), since the variable associated with a dominated threshold level is always set to zero in an optimal solution. Corollary 2 indicates how to construct the screening policy given a solution to MTKSP.

Proposition 3. If the posterior probability that a container in risk group i yielding k − 1 alarms is a threat is at least as large as the posterior probability that a container in risk group i yielding k alarms is a threat (i.e., $r_{i,k}/w_{i,k} \le r_{i,k-1}/w_{i,k-1}$), then the risk group i threshold is not set to k alarms (i.e., $y_{i,k} = 0$), k = 0, 1, ..., n + 1, i = 1, 2, ..., m.

Corollary 2. If there are fractional variables in MTKSP, then they are adjacent variables in the pruned version of MTKSP, in which dominated thresholds are removed. If the two fractional variables are $k'$ and $k''$ in class i with $k' < k''$, then the optimal policy is to screen all containers yielding at least $k''$ alarms and to randomly screen a proportion $y_{i,k'}$ of containers yielding at least $k'$ alarms but strictly less than $k''$ alarms.

This section summarizes the structural properties of the optimal policies for both MKSP and MTKSP. They indicate that whether or not there is a threshold in a given MKSP instance, all risk groups except at most one have deterministic screening policies in MKSP and MTKSP. These properties are illustrated in a computational example in Section 5.

5. Computational example

This section reports results for a computational example to explore the tradeoffs with using a multilevel prescreening system when a threshold policy is and is not enforced. The analysis considers cargo containers screened by a series of sensors that are independent and operate identically based on the true classification of the cargo container. Therefore, the number of alarms for each type of container is modeled as a Binomial random variable with parameters n and its single sensor alarm probability, where each risk group contains a mixture of containers in the threat and non-threat scenarios. Although this independence assumption is not realistic, it sheds light on how a primary screening alarm can be defined in a multi-layered security system. Note that McLay and Dreiding (2011) illustrate that highly dependent devices can be modeled using a single screening device. The proposed model is analyzed for a hypothetical single security station over a time horizon of one year. It is assumed that
$N$ = 1M containers enter the security station during the time horizon. The probability that a container is a threat is $\sum_{t \in T} P_t = 1/N$, which is selected such that one threat is expected to pass through the security station. As a result, the objective function value for both MKSP and MTKSP captures the detection probability, i.e., the conditional probability that a threat is selected for secondary screening.

A system with $n = 10$ sensors is considered with $m = 4$ risk groups. The risk groups reflect a hypothetical prescreening system that classifies each container as (1) high-risk (HR) or low-risk (LR) based on whether the container is perceived as a threat and (2) high-background (HB) or low-background (LB) based on whether the container is perceived as having high levels of background radiation due to NORM. This results in four prescreening risk groups based on combinations of these two prescreening layers, with risk group 1 = HR, HB; 2 = HR, LB; 3 = LR, HB; and 4 = LR, LB.

Three cases are considered for determining how accurate the prescreening system is at identifying threat containers, given by the HR or LR designation. Each case compares each HR risk group to its corresponding LR risk group for HB and LB, thus comparing risk groups 1 to 3 and risk groups 2 to 4 (McLay and Dreiding, 2011). The three cases are (1) High-risk and low-risk containers are equally likely to capture a threat container, (2) High-risk containers are ten times more likely to capture a threat container than low-risk containers, and (3) High-risk containers are 100 times more likely to capture a threat container than low-risk containers. McLay and Dreiding (2011) describe in detail how the input parameters are computed using realistic input parameters. For simplicity, only the MKSP input parameters are reported, with Table 1 reporting $r_{i,k}$ and $w_{i,k}$, $i = 1, 2, \ldots, m$, $k = 0, 1, \ldots, n$.
To interpret the results, recall that the fraction of containers yielding a particular number of primary alarms that are randomly selected for secondary screening defines the screening policy in MKSP. In MTKSP, Proposition 2 indicates that there are at most two fractional variables and that at most one risk group has a random screening policy.

The results are reported as a function of $c$ to consider varying levels of the secondary screening budget, with $0.01N \le c \le 0.20N$. Fig. 1 shows the detection probabilities across the values of $c$. It suggests that the difference in the detection probabilities is greatest when $c$ is small, with virtually identical detection probabilities across Cases 1, 2, 3 for $c > 3 \times 10^4$ (0.03N). Therefore, prescreening appears to be most important when few containers are selected for secondary screening, which is currently the practice at US seaports (Rooney, 2005; Lava, 2008). The same policy being optimal across Cases 1, 2, and 3 suggests that prescreening could essentially not be a factor in improving detection probabilities in certain scenarios.

Fig. 1. MKSP and MTKSP detection probabilities Z as a function of c.

In order to capture the degradation to the detection probability when enforcing a threshold policy, Fig. 2 shows the ratio of the MTKSP objective function value to the MKSP objective function value, $Z_T/Z$. It reports that $Z_T/Z = 1$ for $c \ge 3 \times 10^4$, which indicates that the threshold policies are sub-optimal only for very small values of $c$. For all cases considered, $Z_T/Z > 0.9995$, which suggests that for realistic input parameters, the detection probability would not be significantly altered by enforcing a threshold policy, despite having no worst-case performance guarantee (see Proposition 1).
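The Proposition 1 example and the NORM effect noted before it can be checked numerically. The Python below is an added example, not code from the paper: it assumes MKSP is the continuous knapsack LP (solved greedily by posterior ratio $r_{i,k}/w_{i,k}$), enumerates deterministic thresholds only rather than solving the randomized MTKSP LP, and uses a constructed single-risk-group binomial instance whose alarm probabilities and budget are illustrative.

```python
from itertools import product
from math import comb

def binom_pmf(n, p):
    """P(k of n independent sensors alarm), k = 0..n."""
    return [comb(n, k) * p**k * (1 - p)**(n - k) for k in range(n + 1)]

def solve_mksp(r, w, c):
    """Assumed MKSP form: max sum r*x s.t. sum w*x <= c, 0 <= x <= 1.
    Greedy by posterior threat probability r/w is optimal for this LP."""
    cells = [(i, k) for i in range(len(r)) for k in range(len(r[i])) if w[i][k] > 0]
    cells.sort(key=lambda ik: r[ik[0]][ik[1]] / w[ik[0]][ik[1]], reverse=True)
    z, left, x = 0.0, float(c), {}
    for i, k in cells:
        if left <= 1e-12:          # budget exhausted
            break
        frac = min(1.0, left / w[i][k])
        x[(i, k)] = frac           # fraction of (group i, k alarms) screened
        z += frac * r[i][k]
        left -= frac * w[i][k]
    return z, x

def tail_sums(v):
    """out[k] = sum of v[k:], with out[len(v)] = 0 (screen nothing)."""
    out = [0.0]
    for a in reversed(v):
        out.append(out[-1] + a)
    return out[::-1]

def best_deterministic_thresholds(r, w, c):
    """Enumerate one alarm threshold per risk group; threshold n+1 screens none."""
    R = [tail_sums(ri) for ri in r]
    W = [tail_sums(wi) for wi in w]
    best_z, best_ks = -1.0, None
    for ks in product(*(range(len(ri) + 1) for ri in r)):
        if sum(W[i][k] for i, k in enumerate(ks)) <= c + 1e-9:
            z = sum(R[i][k] for i, k in enumerate(ks))
            if z > best_z:
                best_z, best_ks = z, ks
    return best_z, best_ks

def proposition1_instance(eps):
    """The three-container example: r = (0, 1-eps, eps), w = (1, 1, 1), c = 1."""
    return [[0.0, 1.0 - eps, eps]], [[1.0, 1.0, 1.0]], 1.0

def norm_heavy_instance(n=5, N=10_000, norm=500):
    """Constructed single risk group: sensors alarm on NORM (0.95) more often
    than on a threat (0.6); benign containers alarm with probability 0.02."""
    t, g, b = binom_pmf(n, 0.6), binom_pmf(n, 0.95), binom_pmf(n, 0.02)
    w = [t[k] + norm * g[k] + (N - 1 - norm) * b[k] for k in range(n + 1)]
    return [t], [w], 520.0         # one expected threat, budget c = 520

if __name__ == "__main__":
    for name, (r, w, c) in [("Proposition 1, eps=0.1", proposition1_instance(0.1)),
                            ("NORM-heavy binomial", norm_heavy_instance())]:
        z, x = solve_mksp(r, w, c)
        zt, ks = best_deterministic_thresholds(r, w, c)
        print(f"{name}: Z={z:.4f}  Z_T={zt:.4f}  ratio={zt / z:.4f}  thresholds={ks}")
```

In the constructed binomial instance the posterior peaks at three alarms and falls at four and five, so the knapsack solution screens the five-alarm containers last while any threshold policy must screen them first.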
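Table 1. Rewards and weights.

| Parameter | Case | i | k = 0 | k = 1 | k = 2 | k = 3 | k = 4 | k = 5 | k = 6 | k = 7 | k = 8 | k = 9 | k = 10 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| $r_{i,k}$ | 1 | 1 | 1.88E-08 | 1.88E-07 | 8.46E-07 | 2.26E-06 | 4.00E-06 | 5.91E-06 | 2.25E-05 | 2.04E-04 | 1.44E-03 | 6.07E-03 | 1.15E-02 |
| $r_{i,k}$ | 1 | 2 | 1.95E-05 | 1.95E-04 | 8.78E-04 | 2.34E-03 | 4.10E-03 | 4.92E-03 | 4.10E-03 | 2.35E-03 | 9.34E-04 | 4.32E-04 | 4.69E-04 |
| $r_{i,k}$ | 1 | 3 | 4.51E-07 | 4.51E-06 | 2.03E-05 | 5.42E-05 | 9.60E-05 | 1.42E-04 | 5.40E-04 | 4.89E-03 | 3.45E-02 | 1.46E-01 | 2.77E-01 |
| $r_{i,k}$ | 1 | 4 | 4.68E-04 | 4.68E-03 | 2.11E-02 | 5.62E-02 | 9.83E-02 | 1.18E-01 | 9.84E-02 | 5.64E-02 | 2.24E-02 | 1.04E-02 | 1.13E-02 |
| $r_{i,k}$ | 2 | 1 | 1.38E-07 | 1.38E-06 | 6.22E-06 | 1.66E-05 | 2.94E-05 | 4.35E-05 | 1.66E-04 | 1.50E-03 | 1.06E-02 | 4.46E-02 | 8.47E-02 |
| $r_{i,k}$ | 2 | 2 | 1.43E-04 | 1.43E-03 | 6.46E-03 | 1.72E-02 | 3.01E-02 | 3.62E-02 | 3.01E-02 | 1.73E-02 | 6.87E-03 | 3.17E-03 | 3.45E-03 |
| $r_{i,k}$ | 2 | 3 | 3.32E-07 | 3.32E-06 | 1.49E-05 | 3.98E-05 | 7.06E-05 | 1.04E-04 | 3.97E-04 | 3.60E-03 | 2.54E-02 | 1.07E-01 | 2.03E-01 |
| $r_{i,k}$ | 2 | 4 | 3.44E-04 | 3.44E-03 | 1.55E-02 | 4.13E-02 | 7.23E-02 | 8.68E-02 | 7.23E-02 | 4.15E-02 | 1.65E-02 | 7.62E-03 | 8.28E-03 |
| $r_{i,k}$ | 3 | 1 | 3.79E-07 | 3.79E-06 | 1.71E-05 | 4.55E-05 | 8.06E-05 | 1.19E-04 | 4.54E-04 | 4.11E-03 | 2.90E-02 | 1.22E-01 | 2.32E-01 |
| $r_{i,k}$ | 3 | 2 | 3.93E-04 | 3.93E-03 | 1.77E-02 | 4.72E-02 | 8.26E-02 | 9.91E-02 | 8.26E-02 | 4.74E-02 | 1.88E-02 | 8.70E-03 | 9.46E-03 |
| $r_{i,k}$ | 3 | 3 | 9.10E-08 | 9.10E-07 | 4.09E-06 | 1.09E-05 | 1.94E-05 | 2.86E-05 | 1.09E-04 | 9.87E-04 | 6.96E-03 | 2.94E-02 | 5.58E-02 |
| $r_{i,k}$ | 3 | 4 | 9.44E-05 | 9.44E-04 | 4.25E-03 | 1.13E-02 | 1.98E-02 | 2.38E-02 | 1.98E-02 | 1.14E-02 | 4.52E-03 | 2.09E-03 | 2.27E-03 |
| $w_{i,k}$ | 1 | 1 | 37.2 | 3.7E-01 | 1.7E-03 | 8.4E-05 | 2.6E-03 | 5.9E-02 | 9.3E-01 | 10.1 | 71.8 | 303.3 | 576.3 |
| $w_{i,k}$ | 1 | 2 | 38574.6 | 386.1 | 1.7 | 7.0E-03 | 4.2E-03 | 7.2E-03 | 4.0E-02 | 4.0E-01 | 2.8 | 11.8 | 22.5 |
| $w_{i,k}$ | 1 | 3 | 891.9 | 8.9 | 4.0E-02 | 2.0E-03 | 6.2E-02 | 1.4 | 22.3 | 242.0 | 1724.0 | 7279.1 | 13830.3 |
| $w_{i,k}$ | 1 | 4 | 925789.6 | 9267.2 | 41.8 | 1.7E-01 | 1.0E-01 | 1.7E-01 | 1.0 | 9.5 | 67.3 | 283.9 | 539.4 |
| $w_{i,k}$ | 2 | 1 | 37.2 | 0.4 | 1.7E-03 | 9.8E-05 | 2.6E-03 | 5.9E-02 | 9.3E-01 | 10.1 | 71.8 | 303.3 | 576.3 |
| $w_{i,k}$ | 2 | 2 | 38574.3 | 386.1 | 1.7 | 2.2E-02 | 3.0E-02 | 3.8E-02 | 6.6E-02 | 4.1E-01 | 2.8 | 11.8 | 22.5 |
| $w_{i,k}$ | 2 | 3 | 891.9 | 8.9 | 4.0E-02 | 2.0E-03 | 6.2E-02 | 1.4 | 22.3 | 242.0 | 1724.0 | 7279.1 | 13830.2 |
| $w_{i,k}$ | 2 | 4 | 925789.9 | 9267.2 | 41.8 | 1.5E-01 | 7.5E-02 | 1.4E-01 | 9.4E-01 | 9.5 | 67.3 | 283.9 | 539.4 |
| $w_{i,k}$ | 3 | 1 | 37.2 | 3.7E-01 | 1.7E-03 | 1.3E-04 | 2.7E-03 | 5.9E-02 | 9.3E-01 | 10.1 | 71.9 | 303.4 | 576.5 |
| $w_{i,k}$ | 3 | 2 | 38573.8 | 386.1 | 1.8 | 5.2E-02 | 8.3E-02 | 1.0E-01 | 1.2E-01 | 4.4E-01 | 2.8 | 11.8 | 22.5 |
| $w_{i,k}$ | 3 | 3 | 891.9 | 8.9 | 4.0E-02 | 2.0E-03 | 6.2E-02 | 1.4 | 22.3 | 242.0 | 1724.0 | 7279.0 | 13830.1 |
| $w_{i,k}$ | 3 | 4 | 925790.4 | 9267.2 | 41.7 | 1.2E-01 | 2.2E-02 | 7.9E-02 | 8.9E-01 | 9.4 | 67.2 | 283.9 | 539.4 |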
Recall that the result of Theorem 2 (which guarantees a threshold policy) does not apply to any of the four risk groups for all values of $c$ considered. However, a threshold policy may be observed for a given level of the budget. Fig. 3 shows the optimal screening policies for each of the four risk groups for Case 2. Fig. 3(a) illustrates the optimal MTKSP thresholds for all risk groups. MKSP defines a threshold policy for risk groups 1, 2, and 4, and these thresholds are identical to those for MTKSP in Fig. 3(a). All risk group thresholds are non-decreasing with $c$, which indicates that as more containers can be inspected by secondary screening procedures, fewer primary screening alarms warrant a container being selected for secondary screening regardless of risk group. In some scenarios, primary screening is essentially not needed, since all containers in a risk group are selected for secondary screening regardless of how many primary screening sensors yield an alarm (when $c \ge 1.2 \times 10^5$, all risk group 1 containers are selected for secondary screening, and when $c \ge 1.6 \times 10^5$, all risk group 2 and 3 containers are selected for secondary screening). Fig. 3(b) illustrates the MKSP upper and lower thresholds as well as the MTKSP threshold for risk group 3, thus capturing the difference between the MKSP and MTKSP policies. It illustrates that a threshold policy is not optimal when $c < 3 \times 10^4$. This further suggests that there are few practical changes in the screening policies when a threshold policy is enforced.

Fig. 2. Detection probability ratio $Z_T/Z$ as a function of c.

Fig. 3. Screening Thresholds as a function of c for b = 10, n = 5.

6. Conclusions

This paper introduces two linear programming models for multilevel screening of cargo containers for nuclear material at security stations throughout the US using knapsack problem models. The analysis provides a risk-based framework for determining how to define a primary screening alarm when screening cargo containers given limited screening resources. The second model enforces a threshold policy to create screening policies that are easy to implement in practice. The structural properties of the two models are analyzed in order to shed light on the optimal policies. Analysis of this proposed model indicates that the optimal policy is not always a threshold policy under reasonable assumptions. However, a computational example indicates that enforcing a threshold policy may not lead to a significant decrease in the detection probability nor significant changes in the resulting screening policy.

This paper investigates the issue of how to define a primary screening alarm given a set of screening devices, rather than depending on prespecified notions of how a primary screening alarm should be defined. The proposed model can be used as a general framework to determine how to design next-generation security screening systems as well as define a primary screening alarm for any type of problem that relies on a series of screening devices or methods, risk assessments, and a limited secondary screening budget.

There are several possible extensions to this work that address the limitations of the linear programming models considered. First, this paper essentially assumes that each sensor alarm is equally important for determining which cargo containers should be selected by secondary screening. One extension is to examine the mixture of sensor alarms – rather than the total number of sensor alarms – that lead to secondary screening. A second extension is to consider the proposed models as one component in a larger access security system that operates in series, with dependencies between the components. A third extension to the proposed models is to explore the impact of complementary technologies to detect such threats (that detect alpha, beta, and gamma particles). Work is in progress to address these extensions.
Acknowledgements

This material is based upon work supported by the US Department of Homeland Security under Grant Award Number 2008-DN077-ARI001-03. The computational work was done at Virginia Commonwealth University. The views and conclusions contained in this document are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the US Department of Homeland Security. The authors thank the referees for their helpful comments and suggestions, which have resulted in a significantly improved manuscript.
References

Bakir, N.O., 2008. A decision tree model for evaluating countermeasures to secure cargo at United States Southwestern ports of entry. Decision Analysis 5 (4), 230–248.
Boros, E., Fedzhora, L., Kantor, P.B., Saeger, K., Stroud, P., 2009. Large scale LP model for finding optimal container inspection strategies. Naval Research Logistics 56 (5), 404–420.
Boros, E., Goldberg, N., Kantor, P.B., Word, J., 2011. Optimal sequential inspection policies. Annals of Operations Research 187 (1), 89–119.
Concho, A.L., Ramirez-Marquez, J., 2010. An evolutionary algorithm for port-of-entry security optimization considering sensor thresholds. Reliability Engineering & System Safety 95 (3), 255–266.
Dimitrov, N., Michalopolous, D.P., Morton, D.P., Nehme, M.V., Pan, F., Popova, E., Schneider, E.A., Thoreson, G.G., 2011. Network deployment of radiation detectors with physics-based detection probability calculations. Annals of Operations Research (to appear).
Fritelli, J.F., 2005. Port and maritime security: Background issues for congress. CRS Report for Congress, Congressional Research Service, The Library of Congress, RL31733.
Gaukler, G., Li, C., Cannaday, R., Chirayath, S.S., Ding, Y., 2011. Detecting nuclear materials smuggling: Using radiography to improve container inspection policies. Annals of Operations Research 187 (1), 65–87.
Gaukler, G., Li, C., Cannaday, R., Chirayath, S.S., Ding, Y., 2012. Detecting nuclear materials smuggling: Performance evaluation of container inspection policies. Risk Analysis (to appear).
Huizenga, D., 2005. Detecting nuclear weapons and radiological material: How effective is available technology? Statement before the Subcommittee on Prevention of Nuclear and Biological Attacks and Subcommittee on Emergency Preparedness, Science and Technology, The House Committee on Homeland Security, June 21.
Kantor, P., Boros, E., 2010. Deceptive detection methods for effective security with inadequate budgets: The testing power index. Risk Analysis 30 (4), 663–673.
Kellerer, H., Pferschy, U., Pisinger, D., 2004. Knapsack Problems. Springer-Verlag, Berlin.
Kobza, J.E., Jacobson, S.H., 1996. Addressing the dependency problem in access security system architecture design. Risk Analysis 16 (6), 801–812.
Kobza, J.E., Jacobson, S.H., 1997. Probability models for access security system architectures. Journal of the Operational Research Society 48 (3), 255–263.
Koucky, M., 2003. Exact reliability formula and bounds for general k-out-of-n systems. Reliability Engineering and System Safety 82, 229–231.
Lava, J., 2008. US Customs and Border Protection. DIMACS/DyDAn/LPS Workshop on Port Security/Safety, Inspection, Risk Analysis, and Modeling, Piscataway, NJ, November 17-18, 2008.
McLay, L.A., Dreiding, R., 2009. Risk-based policies for detecting nuclear material on cargo containers with classification errors. Technical report, Virginia Commonwealth University, Richmond, VA.
McLay, L.A., Dreiding, R., 2011. Multilevel, threshold-based policies for cargo container security screening systems. Technical report, Virginia Commonwealth University, Richmond, VA, available at .
McLay, L.A., Lloyd, J.D., Niman, E., 2011. Interdicting nuclear material on cargo containers using knapsack problem models. Annals of Operations Research 187 (1), 185–205.
Merrick, J.R.W., McLay, L.A., 2010. Is screening cargo containers for smuggled nuclear threats worthwhile? Decision Analysis 7 (2), 155–171.
Morton, D.P., Pan, F., Saeger, K.J., 2007. Models for nuclear smuggling interdiction. IIE Transactions 39, 3–14.
Nehme, M.V., 2009. Two-person games for stochastic network interdiction: Models, methods, and complexities. Ph. D. thesis, The University of Texas, Austin, TX.
Ramirez-Marquez, J.E., 2008. Port-of-entry safety via the reliability optimization of container inspection strategy through an evolutionary approach. Reliability Engineering and System Safety 93, 1698–1709.
Rooney, B., 2005. Detecting nuclear weapons and radiological material: How effective is available technology? Statement before the Subcommittee on Prevention of Nuclear and Biological Attacks and Subcommittee on Emergency Preparedness, The House Committee on Homeland Security.
Strohm, C., 2006. Investigators call cargo security program unreliable. GovExec.com. April 6, available at , accessed on November 22, 2006.
United States Customs and Border Protection, 2007. Secure Freight with CSI, Megaports. Fact sheet, Washington, D.C.
United States Department of Transportation, 2007. America’s container ports: Delivering the goods. Research and innovative technology administration, Bureau of Transportation Statistics, Washington, D.C.
Wein, L.M., Liu, Y., Cao, Z., Flynn, S.E., 2007. The optimal spatiotemporal deployment of radiation portal monitors can improve nuclear detection at overseas ports. Science and Global Security 15, 211–233.
Wein, L.M., Wilkins, A.H., Baveja, M., Flynn, S.E., 2006. Preventing the importation of illicit nuclear materials in shipping containers. Risk Analysis 26 (5), 1377–1393.