A common problem in risk management is to characterize the overall security of a system of valuable assets (e.g., government buildings or communication hubs), and to suggest measures to mitigate any security threats. Currently, analysts rely on a combination of security indices, such as resilience (the ability of a system to return to normal rapidly); robustness (the ability to function despite damage); redundancy (spare capacity); security (barriers to limit access); and vulnerability (susceptibility to hazards and/or intentional threats). However, these indices are not always actionable; i.e., they are not themselves sufficient to indicate whether policy makers should invest in improving a given system. Indeed, it has been observed that some vulnerable systems cannot be improved cost-effectively.
Bier, Vicki, Alexander Gutfraind, and Ziyang Lu. 2017. "Defensibility and Risk Management." Homeland Security Affairs 13 (October). https://www.hsaj.org/articles/14130