Passenger screening is a critical component of aviation security systems. This paper introduces the sequential

Transcription

1 Vol. 41, No. 2, May 2007, pp issn eissn informs doi /trsc INFORMS A Sequential Stochastic Security System Design Problem for Aviation Security Alexander G. Nikolaev, Sheldon H. Jacobson Department of Computer Science, University of Illinois, Urbana, Illinois {[email protected], [email protected]} Laura A. McLay Department of Statistical Sciences and Operations Research, Virginia Commonwealth University, Richmond, Virginia 23284, [email protected] Passenger screening is a critical component of aviation security systems. This paper introduces the sequential stochastic security design problem (SSSDP), which models passenger and carry-on baggage-screening operations in an aviation security system. SSSDP is formulated as a two-stage model, where in the first stage security devices are purchased subject to budget and space constraints, and in the second stage a policy determines how passengers that arrive at a security station are screened. Passengers are assumed to check in sequentially, with passenger risk levels determined by a prescreening system. The objective of SSSDP is to maximize the total security of all passenger-screening decisions over a fixed time period, given passenger risk levels and security device parameters. SSSDP is transformed into a deterministic integer program, and an optimal policy for screening passengers is obtained. Examples are provided to illustrate these results, using data extracted from the Official Airline Guide. Key words: aviation security; homeland security; threat detection; risk analysis History: Received: September 2006; revised: December 2006; accepted: February Introduction Aviation security is an issue of national concern. The events of September 11, 2001, prompted multiple operational changes at all commercial airports, as well as sweeping changes in aviation security policy (Mead 2002, 2003). An important class of problems that arise in aviation security is the screening of passengers prior to boarding an aircraft. Developing strategies to effectively and efficiently screen passengers, as well as to allocate and operate screening devices, can be quite challenging. Moreover, even after such systems are in place, it can be very difficult to measure their effectiveness. The Aviation and Transportation Security Act (ATSA) enacted on November 19, 2001, by the U.S. Congress transferred aviation security responsibilities from the Federal Aviation Administration (FAA) to the (newly created) Transportation Security Administration (TSA) housed within the United States Department of Homeland Security. An important aviation security policy change that was part of the ATSA was the requirement for 100% checked baggage screening by December 31, Prior to this, only a small fraction of checked baggage was screened, based on the Commission on Aviation Safety and Security established on July 25, 1996, and headed by (then) Vice-President Albert Gore, which recommended that the aviation industry improve security using existing explosive detection technologies, automated passenger prescreening, and positive passenger-baggage matching. Up until that time, the FAA had been working with the airlines to annually purchase and deploy explosive detection systems (EDSs) at airports throughout the United States. From 1998 until September 11, 2001, EDSs were only used to screen checked baggage of selectee passengers, those who were not cleared by a computer risk assessment system (i.e., the Computer-Aided Passenger Prescreening System CAPPS) developed in conjunction with the FAA, Northwest Airlines, and the United States Department of Justice. The checked baggage of nonselectee passengers (i.e., those who were cleared by such a system) received no additional security attention. There were no further security screening differences between selectee and nonselectee passengers. The 100% checked-baggage screening policy eliminated the distinction between selectee and nonselectee passengers. The primary objective of 100% checked-baggage screening is to improve security operations at the nation s commercial airports. To meet this objective, the TSA is committed to developing new security system paradigms that can optimally use and simultaneously coordinate several security technologies and 182

2 Transportation Science 41(2), pp , 2007 INFORMS 183 procedures. In 2005, there were over 650 million passengers traveling in the United States, with forecasts of nearly one billion passengers by 2015 (Federal Aviation Administration 2006). Recent research suggests that greater scrutiny of passengers perceived as high risk (from a security standpoint) is more cost effective. Butler and Poole (2002) suggest that the TSA s policy of 100% checked-baggage screening is not cost effective, and that enhancing the binary screening paradigm to a multilevel screening system would be more cost effective. Poole and Passantino (2003) endorse risk-based aviation security procedures, assigning passengers and baggage to security devices in proportion to their perceived risk. They suggest that multiple levels of security may be more effective than treating all passengers as indistinguishable (from a security standpoint). The TSA further developed computerized risk assessment systems with the introduction of CAPPSII, an enhanced computer-based system for systematically prescreening passengers, which partitions passengers into three risk classes (as opposed to two classes by CAPPS) and pays special attention to individuals on terrorist watchlists available from government intelligence agencies. A frequently mentioned criticism of any system designed to classify passengers into risk classes, including CAPPSand CAPPSII, is that such systems can be gamed through extensive trial-and-error sampling by a variety of passengers through the system (Barnett 2001; Chakrabarti and Strauss 2002). Martonosi and Barnett (2006), and Martonosi (2005) note that trial-and-error sampling may not increase the probability of a successful attack, and that CAPPSII may not substantially improve aviation security if the screening procedures for each type of passenger are not effective. Barnett (2004) suggests that CAPPSII may only improve aviation security under a particular set of circumstances and recommends that CAPPSII be transitioned from a security centerpiece to one of many components in future aviation security strategies. On July 14, 2004, the TSA announced the dismantling of CAPPS II (due to privacy concerns), despite having invested $100 M into its development (Hall and DeLollis 2004). Shortly thereafter, the TSA announced the development of Secure Flight, which would focus exclusively on terrorist watchlists (Singel 2004). Several articles formulate aviation security problems as integer programming and discrete optimization models. Jacobson, Bowman, and Kobza (2001) provide a framework for measuring the effectiveness of a baggage-screening security device deployment at a particular station (e.g., an airport terminal). Jacobson et al. (2003) introduce three performance measures for baggage-screening security systems and use these models to assess their security impact on system design for single or multiple stations. Jacobson et al. (2005a) formulate problems that model multiple sets of flights originating from multiple stations subject to a finite amount of resources. These problems consider three performance measures, and examples suggest that one of the performance measures may provide more robust screening device allocations. Virta, Jacobson, and Kobza (2002) consider the impact of originating and transferring selectee passengers on the effectiveness of baggage-screening security systems. In particular, they consider classifying selectee passengers into two types those at their point of origin and those transferring. This analysis is noteworthy because at least two of the hijackers on September 11, 2001, were transferring passengers. Babu, Batta, and Lin (2006) investigate the advantages of partitioning passengers into several groups, where a different screening strategy is used for passengers in each of the groups and the probability that each passenger is a threat is assumed to be constant. McLay, Jacobson, and Kobza (2005) analyze checkedbaggage screening systems that use a prescreening system and different baggage-screening devices, one to screen baggage of selectee passengers and the other to screen baggage of nonselectee passengers. McLay (2006) identifies models for designing security systems that partition passengers into several groups using discrete optimization, dynamic programming, and heuristics. A problem that models sequential, stochastic passenger arrivals is considered, and an optimal screening policy is determined. Research attention has also focused on the experimental and statistical analysis of risk and security procedures on aircraft. Barnett et al. (2001) report the results of a large-scale two-week experiment at several commercial airports to assess the costs and disruptions that would arise from using positive passenger baggage matching (an aviation security procedure) for all flights. Barnett, Abraham, and Schimmel (1979) and Barnett and Higgins (1989) study mortality rates on passenger aircraft and perform a statistical analysis on these data. Aviation security devices deployed at airport security checkpoints are used to detect prohibited items (e.g., guns, knives, explosives). Each security device provides a different level of security for passengers, and determining the types of security devices to deploy can be challenging. Moreover, once such security devices are deployed, the practical issue of determining how to optimally use them can be difficult. For an airport security system design problem, one objective is to maximize the security of passengers, given an available budget. However, there are many ways to define security. For passenger screening, security may be measured by the number of prohibited items detected as a result of screening, or the

3 184 Transportation Science 41(2), pp , 2007 INFORMS probability that a given percentage of such items is prevented from being carried onboard an aircraft. In the worst case, each passenger is a threat, because they have the potential to carry a prohibited item onto an aircraft. The reasoning behind such a classification is that even if a passenger does not intend to be involved in a planned attack targeted at an aircraft, a prohibited item that is carried onto an aircraft by one passenger may be used by any other passenger on the same airplane. This paper describes a systematic approach for designing a passenger and carry-on baggage-screening system using stochastic optimization and sequential assignment theory (Derman, Lieberman, and Ross 1972). The two key components of passenger screening are the device allocation problem (i.e., the purchase and installation of security devices) and the passenger assignment problem (i.e., the operation of security devices), which to date have been addressed as separate problems. This paper addresses these problems simultaneously and identifies models for optimally designing and operating security device systems. These models can be used to provide insights into the operation and performance of passenger screening, under the assumption that a passenger prescreening system (such as CAPPS) has been implemented and is highly effective in identifying passenger risk (TSA 2005). The paper is organized as follows. In 2, a twostage model framework is presented for passenger screening. Section 3 presents the sequential stochastic security design problem (SSSDP), a stochastic optimization model for passenger and carry-on baggagescreening operations. Section 4 provides an example to illustrate the application of SSSDP. Section 5 reports computational results for SSSDP using data extracted from the Official Airline Guide. A sensitivity analysis of this model is also provided. Section 6 provides concluding comments and directions for future research. The appendix contains a proof that SSSDP is NP-hard. 2. Two-Stage Model Framework Designing an effective passenger-screening system requires two stages: purchasing and installing security devices and screening passengers with these security devices. A passenger-screening system s effectiveness depends on decisions made in both of these stages and reflects the ability of a security system to prevent threat items from being carried onboard an aircraft. Although purchasing and installing security devices is often done several months or years prior to their use, aviation security systems are designed based on their expected future value, estimated passenger throughput, and the average number of prohibited items that passengers may attempt to carry onto an aircraft. Similarly, screening passengers in real time depends on the security devices that have been installed and are available. Several definitions and terms are needed to describe the two-stage model framework. A threat item is any object carried by a passenger that is prohibited by the TSA. Threat items include weapons, explosives, incendiaries, and other items that may appear harmless but can be used to inflict damage on an aircraft (TSA 2004). Note that the definition of a threat item can change based on intercepted attacks, intelligence, and the DHScolor-coded threat level (for example, in London in August 2006, terrorists intended to use liquid explosives as a means of attacking and destroying several U.S.-bound airplanes; as a result, water bottles were subsequently classified as threat items). A security device is an aviation security technology and/or procedure used to identify a threat item. Examples of security devices include x-ray machines (designed to detect knives and guns in carry-on baggage), explosive trace detectors (designed to detect trace particles of explosives in carry-on and checked baggage), explosive detection systems (designed to detect explosives in checked baggage), and detailed hand search by an airport security official (designed to detect items not found by metal detectors and to resolve alarms issued by such detectors). A set of security devices is a group of security technologies and/or procedures that can be collectively considered for use at an airport security checkpoint. By design, a set of security devices may contain several identical security devices. A security class is defined by a preassigned subset of a set of security devices through which passengers are processed prior to boarding an aircraft. The security level of each security class is a measure based on the security procedures, with each security device used to screen passengers in that security class. A prescreening system, such as CAPPS, assigns each passenger an assessed-threat value that quantifies the risk associated with the passenger. Passenger assessed-threat values are random variables, where the assessed-threat value for a specific passenger is referred to as a realized assessed-threat value. The annual cost associated with a security device includes purchase, installation, maintenance, and operational costs as well as the annual salary of security personnel required to operate the security device. The annual cost associated with a security device is estimated based on its expected estimated lifetime. The security system design problem is formulated as a two-stage passenger-screening model. The first stage is modeled as a deterministic problem that determines the set of security devices to purchase and install, subject to device-related feasibility constraints (e.g., budget and space constraints). The second stage is modeled as a stochastic problem that determines

4 Transportation Science 41(2), pp , 2007 INFORMS 185 how to screen passengers arriving (in real time) with the available security devices subject to passenger assignment constraints. Consider a general representation of the SSSDP formulated for a particular airport. In the first stage, define V as the space of all sets of security devices that satisfy the device-related feasibility constraints, and hence, each v V is a set of security devices that can be purchased and installed in the airport. In the second stage, passengers are assigned to and screened by a set of security devices purchased and installed in the first stage. Suppose that N passengers are expected to check in during a given fixed time period. For hub airports in the United States, airport security resources are allocated based on peak-period passenger throughput (i.e., the average passenger volume during certain hours usually 4 12 hours of regular airport security operation on any typical day). The idea behind this assumption is that if a certain level of security can be provided during a peak hour of airport operation, then all other operational period passenger volumes can be handled as well. The few exceptions (such as periods around major holidays) are handled on a case-by-case basis by allowing more peak hours and/or scheduling extra security personnel on such days. Define A as the set of all feasible passenger assignments, and hence a A is an N -dimensional vector of assignment variables. A passenger prescreening system is available to provide passenger risk assessments, and hence it can be used to determine the assessed-threat value for each passenger (i.e., the realized assessed-threat value). The passenger assessedthreat values are given by the random vector AT 0 1 N. For a given set of security devices v V,a realization of the assessed-threat vector at 0 1 N, and a passenger assignment vector a A, the function G a v at measures the level of security. The objective is to identify a set of security devices v opt V that maximizes E AT max a A G a v AT)]. Therefore, the two-stage model is given by ( ) max E AT max G a v AT (1) v V a A which is an optimization problem embedded within an optimization problem. The objective of the first stage is to identify a set of security devices that maximize an objective function, which is a function of the solution of the second stage (i.e., passenger assignments). The objective of the second stage is to determine a passenger assignment for each realization of the assessed-threat vector that maximizes an objective function, which is a function of the solution of the first stage (i.e., the set of security devices). Therefore, the two stages are interdependent and hence must be addressed accordingly. Several papers model the purchase and installation problem associated with security devices. Jacobson et al. (2005b) present NP-complete decision problems that capture the deployment and utilization of baggage-screening security devices. McLay, Jacobson, and Kobza (2006) and McLay and Jacobson (2007) formulate problems that consider budget allocation based on security device costs, and introduce knapsack problem variations to address them. A greedy heuristic is introduced that obtains approximate solutions. Other research focuses on assigning passengers to two or more security classes. McLay (2006) considers the real-time operation of passenger-screening systems by formulating a passenger assignment problem as a Markov decision process and shows how the optimal policy can be obtained by dynamic programming. McLay, Jacobson, and Kobza (2006) solve a deterministic passenger assignment problem using integer and linear programming models. To summarize, Jacobson et al. (2005b), McLay, Jacobson, and Kobza (2006), and McLay and Jacobson (2007) assume deterministic distributions of passenger risk levels for device allocation, which corresponds to the first stage of (1). Moreover, McLay (2006), and McLay, Jacobson, and Kobza (2007) assume a given set of available security classes for passenger assignment that corresponds to the second stage of (1). This paper combines these two problems, such that an optimal decision/policy is made at each of these stages, making the resulting problem much more realistic, but also more challenging to solve. The first stage of the model considered in this paper (device allocation) answers two questions: What set of security devices should be installed, and what security classes should be selected given this set of security devices? Moreover, different security classes are allowed to share security devices, which is not the case in Jacobson et al. (2005), McLay, Jacobson, and Kobza (2006), and McLay and Jacobson (2007). Lastly, with the induced stochasticity in passenger assessedthreat values, the model in this paper is a close approximation to the way in which airport security checkpoints are designed and used. This paper takes into account an implicit dependence between purchasing and installing security devices and assigning passengers to such security devices. A solution to (1) answers the question of how many security devices of each available type should be purchased and installed, as well as providing a passenger assignment strategy to optimally utilize these security devices. Section 3 describes a particular case of (1), which can be solved as an integer programming model.

5 186 Transportation Science 41(2), pp , 2007 INFORMS 3. A Discrete Optimization Model This section introduces the SSSDP, which models the screening operations of passengers and carry-on baggage in an aviation security system. A solution to this problem provides an optimal set of security devices to purchase and install, and for a given set of passengers, the optimal assignment of each passenger to these security devices. To describe SSSDP, consider the airport security checkpoint where security devices are to be installed and operated, and a fixed time period during which the passenger arrival rate to the security area in the terminal can be assumed to be constant (e.g., during a peak hour of operation). Assume that the total number of passengers expected to check in during this time period is fixed, and assume that the space requirements and the security device capacities are given. Upon check-in, a passenger s assessed-threat value becomes known (i.e., realized), and the passenger is assigned to a security class. To formulate SSSDP, the following sets, variables, parameters, and functions are needed, N : number of passengers to enter the airport security checkpoint over a given fixed time period, D: set of security devices available, c d : capacity of security device d D, s d : space at the airport security checkpoint required for security device d D, M d : annual cost associated with security device d D, J : a set of security classes, defined as a family of unordered subsets of D, L j : security level associated with security class j J, S: space available at the airport security checkpoint to install and operate security devices, B: annual budget available to purchase, install, and operate security devices, AT: passenger assessed-threat random vector, AT 0 1 N, where AT i is the assessed-threat value (random variable) for passenger i = 1 2 N, P AT at : probability mass function of the assessedthreat vector AT, { 1 if class j J contains device d D I dj = 0 otherwise X j : number of passengers assigned to security class j J (decision variable), Y d : number of security devices of type d D purchased and installed (decision variable). Security device parameters are needed to formulate device-specific feasibility constraints in the first stage of (1). The capacity of a security device is defined as the upper bound on the hourly rate at which passengers can be screened by the device. The space parameter of a security device is defined as the area (in square meters) required by the security device when installed and in operation. The annual cost is the amount of resources (per year) required to purchase, install, and operate a security device. The budget is the total amount of resources available annually for purchasing, installing, and operating the security devices and screening passengers. Security level L j is defined as the conditional probability of detecting a threat item by security class j given that a passenger is carrying a threat item. This probability, known as the true-alarm rate, is a function of the detection probabilities associated with the devices and the procedures used to screen passengers in security class j. The assessed-threat values quantify the risk associated with each passenger. The assessed-threat value of a passenger can be defined as the probability that the passenger is carrying a threat item. The realized assessed-threat values are based on information that passengers provide, either implicitly or explicitly, which is processed (in real time) through an automated system such as CAPPS. Assume that the assessed-threat values for each passenger are independent, and that the realized assessed-threat values are accurate representations of passengers true level of risk. Assume that each passenger is carrying either zero or one threat item. Then, for a given set of passengers, the expected number of threat items detected is the sum (over the set of passengers) of the products of each passenger s realized assessed-threat value and the security level of the respective security class to which the passenger is assigned; let this sum be the objective function G a v at in the second stage in (1). Then the second stage can be modeled as an instance of the sequential stochastic assignment problem (Derman, Lieberman, and Ross 1972). By definition, for a given passenger assessed-threat distribution, the expected number of threat items that enter the security area is N i=1 E AT i. For a set of security levels of available security classes j J L j X j and a realized assessed-threat vector at, define the stochastic sequential assignment function G = f SSA j J L j X j at as a linear function that returns the expected number of threat items detected when an optimal, sequential assignment policy is followed in the second stage. Then, the SSSDP is formulated as ( ( )) max E AT f SSA L j X j P AT j J subject to j J X j = N (2)

6 Transportation Science 41(2), pp , 2007 INFORMS 187 I dj X j Y d c d j J M d Y d B d D s d Y d S d D d D X j Z + Y d Z + j J d D In (2), the expected number of threat items detected is maximized when assigning the N passengers to security classes. This value is given by the optimal passenger assignment policy as a function of the security classes and underlying probability mass function of the assessed-threat vector. A solution to (2) determines the number of passengers to be screened by each security class, and assigns each passenger individually to a security class upon check-in. The first constraint ensures that all passengers are screened. The second set of constraints ensures that a sufficient number of devices of each type are purchased to assign all N passengers. The third and fourth constraints ensure that the annual costs and space required to purchase, install, and operate the security devices do not exceed the available budget and space, respectively. Note that solving the second stage in (1) reduces to maximizing the value expressed by G = f SSA j J L j X j at. The optimal solution to the second stage of SSSDP is given in terms of a policy (see Derman, Lieberman, and Ross 1972). Theorem 1 formally describes how the optimal passenger assignment policy is implemented. Theorem 1 (Derman, Lieberman, and Ross 1972). For each n 1, there exist real numbers 0 t 0 n t 1 n t 2 n t n n = 1 such that whenever there are n passengers to assign to security classes with security levels L 1 L 2 L n, then the next passenger to check in is optimally assigned to class i if the realized assessed-threat value at 1 is contained in the interval t i 1 n t i n. Furthermore, t i n, i = 1 2 n 1, is the expected value, whenever there are n 1 passengers to assign, of the quantity which is assigned to the ith least secure class (assuming an optimal policy is followed). To determine the optimal assignment for the N passengers arriving sequentially at the airport security checkpoint, Theorem 1 must be applied (sequentially, in reverse) N times, for n = N N 1 1. In particular, suppose that there are n passengers scheduled to arrive, and hence need to be assigned to security classes, with the n security classes available indexed in order of increasing security levels. When a passenger arrives at the airport security checkpoint and checks in, their realized assessed-threat value is determined by a prescreening system. The decision to assign this passenger to one of the available security classes is made at this time (with the assessed-threat values of the remaining n 1 passengers treated as i.i.d. random variables). Theorem 1 states that the interval 0 1 can be divided into n subintervals t i 1 n t i n, i = 1 2 n, such that each passenger s security class assignment is determined by the subinterval that contains the passenger s realized assessed-threat value (i.e., if this value is contained in the interval t i 1 n t i n, then the passenger is assigned to security class i). Once such an assignment is made, this security class is no longer available, the number of passengers to arrive is decremented by one, and Theorem 1 is reapplied to determine the security class assignment for the next passenger to arrive and check in, with the endpoints of the subintervals t i 1 n t i n, i = 1 2 n recomputed (see Lemma 1 for the method by which these values are determined). Given a set of security levels j J L j X j, the maximum objective function value in (2) is achieved when the passenger with the smallest realized assessedthreat value is assigned to the least secure class, the passenger with the second-smallest realized assessedthreat value is assigned to the second least secure class, and so on (for a proof of this result, see Hardy, Littlewood, and Polya 1952). Let k i, i = 1 2 N,be the ith smallest number of threat items expected in the passenger set (see Lemma 1 later in this section). Then, SSSDP is formulated as an integer program with binary assignment variables, defined as A ij = 1 (0) if passenger i is (not) assigned to security class j for j J, i = 1 2 N. The objective is to maximize the expected number of threat items detected, which is represented by the sum of the products of the security levels and k i, i = 1 2 N. With the added notations, (2) is transformed into max [ ] N L j A ij k i i=1 j J subject to j J A ij = 1 i= 1 2 N N X j A ij = 0 i=1 I dj X j Y d c d j J M d Y d B d D s d Y d S d D j J d D (3) A ij 0 1 X j Z + Y d Z + j J d D In (3), the constraints in (2) are reformulated under the added notation. The first set of constraints ensures

7 188 Transportation Science 41(2), pp , 2007 INFORMS that each passenger is screened exactly once. The second set of constraints ensures that the number of passengers screened by class j J is equal to N i=1 A ij, j J. The remaining constraints are the same as the constraints in (2). Lemma 1 shows how t 0 n t 1 n t 2 n t n n, n = 1 2 N, and coefficients k i, i = 1 2 N can be computed. In particular, it uses the probability distribution for the passenger assessed-threat values to compute the intervals that determine which security class a passenger is assigned to when they check in, based on their particular realized assessedthreat value. Lemma 1 (Derman, Lieberman, and Ross 1972). Let F AT z denote the cumulative distribution function of the assessed-threat value for passenger i = 1 2 N. Define t 0 n = 0, t n n = 1 for n = 0 1 N. Then ti n t i n+1 = zdf AT z +t i 1 n F AT t i 1 n +t i n 1 F AT t i n t i 1 n for n=0 1 N and i =1 2 n The expectation of the assessed-threat value of the passenger to be assigned to the ith least secure class is given by k i = t i N+1, i = 1 2 N. Using these values, SSSDP is modeled as an integer program (3). SSSDP is now formally stated using this notation Stochastic Security System Design Problem (SSSDP) Instance: Positive integers N, S, and B; finite set D, for each d DM d Z +, c d Z +, and s d Z + ;a finite family J of subsets of D, for each j J L j R + ; for each i = 1 2 N, a positive real number k i. Question: Is there an assignment of binary variables A ij, i = 1 2 N, j J, and a non-negative integer Y d, d D, such that N i=1 j J L j A ij k i is maximized and j J A ij = 1 for i = 1 2 N, N i=1 j J I dj A ij Y d c d for each d D, d D M d Y d B, d D s d Y d S? SSSDP is NP-hard by a polynomial Turing reduction from the integer knapsack problem (see the appendix for a proof). 4. Illustrative Example This section presents an example to illustrate the application of SSSDP, using data extracted from the Official Airline Guide (OAG) for domestic flights of a single airline carrier at the terminal of a hub airport in the United States. The data provided by the OAG include the set of flights, the number of available seats on each flight, and the departure time of each flight. All passengers are assumed to have exactly one carry-on bag. Table 1 Assessed-threat value at Probability Mass Function for Passenger Assessed-Threat Values Probability P AT = at One instance of the example is considered in detail in order to show how the problem data are translated into the inputs to (3). The instance uses a set of passengers with a given assessed-threat vector distribution. This passenger set is defined using OAG data, which consider a one-hour peak-period time window. Each flight is assumed to have an 80% enplanement rate. The size of the passenger set for this peak-period is estimated to be 3,996, using recommended check-in time guidelines by airlines for domestic flights (e.g., see and The probability mass function for the assessedthreat values can take many forms. Table 1 is one such instance, where most passengers have a low assessed-threat value. Table 2 contains the security device data used for this example, for both passenger and carry-on baggage screening. The security device characteristics are estimated using information available in the public domain (Butler and Poole 2002; Virta, Jacobson, and Kobza 2003). Metal detectors and hand wands screen passengers for concealed metal objects (e.g., guns, knives). Document scanners screen passengers identification cards, boarding passes, and other assorted documents for narcotics and explosives residue. Carry-on baggage EDSs screen carry-on baggage for chemicals commonly used in bombs. Detailed hand search involves the airport security official manually searching for Table 2 Security Device Data M d s d c d Device Device type P (False clear) ($M/yr.) (m 2 ) (passengers/hour) 1 Metal detector (MD) Hand wand inspection (HW) 3 Document scanner (DS) 4 Carry-on bag EDS (BE) 5 Detailed hand search (HS) 6 X-ray machine (XR)

8 Transportation Science 41(2), pp , 2007 INFORMS 189 Table 3 Security Class Data Security Security levels class Security devices L j 1 MD, XR MD, BE HW, XR MD, HS MD, BE, XR HW, BE MD, BE, HS DS, XR HW, HS MD, DS, XR MD, DS, BE DS, BE HW, DS, XR HW, BE, XR DS, HS HW, DS, BE HW, BE, HS DS, BE, XR DS, BE, HS MD, DS, HS HW, DS, HS MD, DS, BE, XR MD, DS, BE, HS HW, DS, BE, XR HW, DS, BE, HS concealed weapons and bombs. X-ray machines also screen carry-on baggage for concealed weapons and bombs. Table 3 contains security class data. Each possible combination of security devices in Table 2 is considered to form a security class, under the restriction that security devices that use similar technologies for detecting threat items are not included in the same security class (e.g., metal detectors and hand wand inspections), which results in a total of 25 distinct security classes. Each security class includes at least one passenger-screening device and at least one carryon baggage-screening device. The security level values are computed using security device false clear rates, defined as the conditional probabilities of clearing a passenger, given that they are carrying a threat item. The security levels are computed as the true alarm rates associated with the security classes, assuming that security devices within each of the classes operate independently (Kobza and Jacobson 1996, 1997). In addition, given the dearth of data, assume that a threat is equally likely to be in either a carry-on bag or on a passenger. To determine the inputs in (3), set N = 3 996, D = 1 2 6, and J = with M d, c d, s d for d D obtained from Table 2 and L j for j J obtained from Table 3. In addition, I dj for d D and j J are determined using the first column of Table 3. For example, for security class j = 1, I 11 = I 61 = 1 and I 21 = I 31 = I 41 = I 51 = 0, since security device d = 1 (MD) and security device d = 6 (XR) are in security class j = 1, and other devices are not. Lemma 1 is used to compute the coefficients k i, i = , given the assessed-threat values distribution defined in Table 1. Lastly, the values of S and B must be chosen. Note that given security device parameters and passenger volume N, there exists a range for S and B such that the model becomes infeasible when S or B are below this range (i.e., the given resources are insufficient to screen all passengers), and the optimal solution no longer improves when S and B are above this range (i.e., all passengers are screened with the most secure security class). For example, if a security area at a given terminal is projected to occupy 800 area units (square meters), and 8 budget units (millions of U.S. dollars) to be available annually, then set S = 800 and B = 8. Then, (3) is solved for X j, j J, and Y d, d D. For example, X 1 indicates how many passengers (out of N = 3 996) need to be screened by devices in security class j = 1 and Y 1 indicates how many metal detectors (d = 1) need to be purchased and installed to maximize the expected number of threat items detected. Note that to ensure the optimal operation of the purchased devices, the assignments for any set of passengers arriving in real time have to follow the sequential stochastic assignment policy described in Theorem 1, based on the values t i n+1 computed from Lemma Computational Results This section reports computational results with the SSSDP example described in 4. In general, the aviation security data available in the public domain are of limited quality. Passenger classification is also considered security-sensitive information. Moreover, performance characteristics of the latest security devices are classified information. Lastly, political forces on the aviation security community make them reactive to ongoing threat events. Given all these constraints, an effort is needed to find solutions to new threats and problems before they surface. These limitations do not reduce the value of aviation security research, but rather enhance it, since optimization models can be tested using new, better-quality data as they become available. In essence, as data quality improves, model sophistication will become more critical and of greater interest to the TSA and other aviation security stakeholders. Results are presented for three instances of the example described in 4. In particular, 56 scenarios are considered for each instance (based on eight different values for available space in square meters (m 2 ) and seven different values for the available budget

9 190 Transportation Science 41(2), pp , 2007 INFORMS Table 4Probability Mass Functions for Passenger Assessed-Threat Values Table 5 Instance 1 Expected Number of Threat Items Not Detected per Year Assessed-threat Probability Instance value at P AT = at in millions of U.S. dollars ($M)). The three instances use a common set of security devices (see Table 2), a common set of security classes (see Table 3), but different passenger assessed-threat value distributions (see Table 4). For Instance 1, the assessedthreat values are the same for all passengers (i.e., passengers are indistinguishable). The assessed-threat value distributions for Instances 2 and 3 were chosen based on different perceived risks in the system. The Instance 2 assessed-threat value distribution corresponds to security environments where the majority of passengers are very low risk, with a discrete uniform distribution used for the remaining (higher-risk) passengers. The Instance 3 assessed-threat value distribution corresponds to security environments where most passengers have either a very low or a very high assessed-threat value, with a passenger approximately 10 times more likely to be low risk rather than high risk. All these distributions are scaled such that the expected number of threat items that a passenger carries is approximately The size of the passenger set is 3,996 over a one-hour peak period. Based on OAG flight information, each day is assumed to have six peak hours of operation. The expected number of threat items that attempt to enter the airport security checkpoint over the span of one year is approximately 90,097 for Instance 1, 87,908 for Instance 2, and 87,500 for Instance 3. Note that for each instance, this value is estimated based on peak-hour periods of a terminal operation only, and the expected assessed-threat value of the respective distribution. As a result, this value is slightly different for each instance due to the rounding of the Space (m 2 ) Budget ($M) ,000 1, ,585 6,241 4,862 4,862 4,862 4,862 4,862 4, ,585 6,241 4,117 3,591 3,591 3,591 3,591 3, ,585 6,241 4,117 3,044 2,606 2,606 2,606 2, ,585 6,241 4,117 3,044 1,971 1,862 1,862 1, ,585 6,241 4,117 3,044 1,971 1,664 1,577 1, ,585 6,241 4,117 3,044 1,971 1,664 1,378 1, ,585 6,241 4,117 3,044 1,971 1,664 1,378 1,248 assessed-threat values to four decimal places. Note also that if the assessed-threat values for a given distribution are scaled by a factor (the value of must be defined such that the resulting assessedthreat values are between zero and one, since they are defined as probabilities), then the expected number of threat items that attempt to enter the airport security checkpoint and the expected number of threat items detected will be scaled by as well. For each instance, each of the 56 scenarios is formulated as an integer program and solved using CPLEX 7.0. All the computational experiments were executed on a Pentium IV 1.6 GHz processor with 1,048 MB of RAM. The average CPU runtime per scenario was 46 seconds. The optimal value returned by the integer program for each scenario is the expected number of threat items detected during one peak hour of operation at the selected airport security checkpoint. Scaling these results, Tables 5, 6, and 7 report the expected number of threat items not detected (i.e., cleared) over a one-year time period (during peak-period hours). A sensitivity analysis of these results was performed by looking at how changes to the annual budget (for a fixed security area) or changes to the security area (for a fixed annual budget) impact security. For example, suppose that a total security area at the airport terminal is projected to be 600 m 2, and the annual budget of $10 M is available. Table 6 shows that for Instance 2 and these settings, 3,510 threat items (out of approximately 87,908) are expected to Table 6 Instance 2 Expected Number of Threat Items Not Detected per Year Space (m 2 ) Budget ($M) ,000 1, ,993 5,239 4,257 4,257 4,257 4,257 4,257 4, ,993 5,239 3,510 3,225 3,225 3,225 3,225 3, ,993 5,239 3,510 2,664 2,341 2,341 2,341 2, ,993 5,239 3,510 2,664 1,867 1,695 1,695 1, ,993 5,239 3,510 2,664 1,867 1,552 1,495 1, ,993 5,239 3,510 2,664 1,867 1,552 1,344 1, ,447 3,429 2,434 2,664 1,867 1,552 1,344 1,243

10 Transportation Science 41(2), pp , 2007 INFORMS 191 Table 7 Instance 3 Expected Number of Threat Items Not Detected per Year Space (m 2 ) Budget ($M) ,000 1, ,165 4,387 3,758 3,758 3,758 3,758 3,758 3, ,165 4,387 3,316 2,829 2,829 2,829 2,829 2, ,165 4,387 3,316 2,352 2,105 2,105 2,105 2, ,165 4,387 3,316 2,352 1,840 1,697 1,697 1, ,165 4,387 3,316 2,352 1,840 1,484 1,423 1, ,165 4,387 3,316 2,352 1,840 1,484 1,344 1, ,165 4,387 3,316 2,352 1,840 1,484 1,344 1,279 be cleared during peak-hour operations over a oneyear time period. If the security area is expanded by 100 m 2, then this number can be reduced by approximately 8%. However, if the security area is expanded by 100 m 2 and an additional $2 M becomes available annually, then this value can be reduced by approximately 30%. This information can be used to assess whether the cost of additional space or screeners can be justified in light of the additional security that they provide. Alternatively, if security areas must be reduced in size, or if the number of screeners must be reduced, the resulting cost savings can be weighed against the associated increased airport risk. Such issues as these can be addressed using the model framework presented. Figures 1 and 2 depict the relationship between the expected fraction of threat items not detected, under different scenarios for Instance 1. In Figure 1, the space parameter is varied with the annual budget fixed, while in Figure 2, the space parameter is fixed with the annual budget varied. In general, as additional resources are added to security operations (either as additional space or additional budget), the expected number of threat items not detected Expected fraction of threat items not detected per year (%) Annual budget ($M) Figure 2 Instance 1 Fixed Space Space = 700 m 2 Space = 900 m 2 Space = 1,050 m 2 decreases, although this decrease becomes less pronounced with higher levels of resources added. For any given space parameter value, there exists an upper bound on the annual budget required to improve security (e.g., in Instance 1, for S = 900 m 2, the upper bound is $16 M). Similarly, for a given annual budget, there exists an upper bound on the space parameter value such that any space in excess of this upper bound does not result in a higher security level (e.g., in Instance 3, for B = $8 M the upper bound is 600 m 2 ). This occurs when one of the two constraints (space or budget) is tight. Figures 3 6 provide the analysis of the expected fraction of threat items not detected for Instances 2 and 3. The exact expected number of threat items that attempt to enter the terminal is required to obtain the values for each instance. For Instances 1, 2, and 3, these numbers are 90,097, 87,908, and 87,500, respectively. Expected fraction of threat items not detected per year (%) ,000 1,100 Space (m 2 ) Annual budget = $8 M Annual budget = $12 M Annual budget = $16 M Annual budget = $ M Expected fraction of threat items not detected per year (%) Annual budget = $8 M Annual budget = $12 M Annual budget = $16 M Annual budget = $ M ,000 1,100 Space (m 2 ) Figure 1 Instance 1 Fixed Annual Budget Figure 3 Instance 2 Fixed Annual Budget

11 192 Transportation Science 41(2), pp , 2007 INFORMS Expected fraction of threat items not detected per year (%) Space = 700 m 2 Space = 900 m 2 Space = 1,050 m Annual budget ($M) Figure 4Instance 2 Fixed Space Expected fraction of threat items not detected per year (%) Annual budget = $8 M Annual budget = $12 M Annual budget = $16 M Annual budget = $ M ,000 1,100 Space (m 2 ) Figure 5 Expected fraction of threat items not detected per year (%) Instance 3 Fixed Annual Budget Space = 700 m 2 Space = 900 m 2 Space = 1,050 m Annual budget ($M) Figure 6 Instance 3 Fixed Space Note that when the annual budget or the available space are fixed, the expected number of threat items cleared in Instance 1 is generally greater than the expected number of threat items cleared in Instance 2, which in turn is greater than the expected number of threat items cleared in Instance 3. This observation suggests that as the security risk of passengers can be more accurately made, the more efficiently available resources can be used. Therefore, increasing the accuracy of passenger risk assessment is as important as the choice of optimal passenger assignment. 6. Conclusions Passenger and carry-on baggage screening is a critical component of any aviation security system operation. This paper introduces the SSSDP, which captures the screening operations of passengers and carry-on baggage as a two-stage model, with device purchases and installation as the first stage and passenger screening as the second stage. The sequential stochastic assignment theory allows SSSDP to be formulated as an integer programming model. SSSDP is also shown to be NP-hard. An example is provided to illustrate the application of SSSDP, with three instances created that incorporate flight data extracted from the OAG as well as security data based on information provided by the TSA (available in the public domain). Optimal integer program objective function values were computed for several scenarios using CPLEX, where a solution for each scenario determines the number of security devices to be purchased and installed, and the number of passengers to be screened by each security class. The passenger screening is determined by a sequential assignment policy, as described in Theorem 1, where the objective value is the average number of threat items detected for a set of passengers. The results reported enumerate all prohibited items expected to be cleared for a given security system scenario, with no distinction made between a threat item simply forgotten to be taken out of a passenger s bag and a threat item purposefully concealed. Given how aviation security is currently implemented, there is no way to distinguish between these two situations in terms of threat detection procedures. However, when or if such a distinction can be made, the model can be reformulated with the resulting new data. Note that any type of security-screening procedure consumes security capacity and reduces passenger throughput. In practice, this problem is handled by introducing secondary screening, which is used to resolve alarms in each security class (Hilkevitch 2003). The models presented in this paper focus on the primary screening procedures associated with each security class. It is assumed that there are sufficient resources available for resolving alarms, with

12 Transportation Science 41(2), pp , 2007 INFORMS 193 additional time and effort for secondary screening accounted for by adjusting device capacities and fixed costs. There are several possible future research directions. First, taking passenger convenience issues into account would add a new dimension to the model and analysis. In particular, SSSDP does not take into account the expected time passengers wait in security lines. Introducing waiting times suggests another class of security design problems, which could incorporate elements of queueing theory. Second, minimizing the overall false-alarm rate can be useful because the majority of passengers are not threats, and high false-alarm rates are expensive to the airlines. However, different passenger assignment policies do not significantly impact false alarms (because false alarms need to be resolved just as frequently for low-risk passengers as for high-risk passengers) and, hence, the false-alarm problem can itself be formulated only for security devices, without regard for passenger assignment. Moreover, more accurate security device data would be required to effectively use such models. Third, an extension to SSSDP can be considered where each passenger s assessed-threat value dynamically changes as a result of each subsequent screening by a security device. Such multilevel dynamic assignment problems are of particular interest to the TSA (Kahn and Robinson 2006). Work is in progress to design algorithms and heuristics for all these model extensions. Acknowledgments This material is based on work supported by the National Science Foundation under Grant DMI and the Air Force Office of Scientific Research under Grants FA and FA Any opinions, findings, and conclusions or recommendations expressed in this material are the authors own and do not necessarily reflect the views of the National Science Foundation or the Air Force Office of Scientific Research. The authors wish to thank the associate editor and two referees for their superb comments and feedback on an earlier version of the paper. The authors would also like to thank Dr. John J. Nestor and Dr. Lyle Malotky of the Transportation Security Administration within the United States Department of Homeland Security, and Dr. John E. Kobza, Texas Tech University, for their comments and feedback on this line of research. The computational work was done in the Simulation and Optimization Laboratory housed within the Department of Computer Science at the University of Illinois. Appendix Theorem 2. SSSDP is NP-hard. Proof. SSSDP is shown to be NP-hard by constructing a polynomial Turing reduction from the integer knapsack problem (IKP) (Garey and Johnson 1979). The objective of IKP is to choose the number of each item type to add to a knapsack such that the knapsack is within its capacity and the total profit is maximized. IKP is first formally stated. Integer Knapsack Problem Instance: Finite set J, for each j J a size s j Z + and a value v j Z +, and a positive integer S. Objective: Find an assignment of a nonnegative integer x j, j J such that j J x j s j S and j J x j v j is maximized. Given an arbitrary instance of IKP, define a particular instance of SSSDP as follows: Let D = J = J 0. SetL j = v j for all j J, j = 1 2 J, and L j = 0 for j J, j = J +1. Set M d = 0, c d = 1, and s d = s d, d = 1 2 J, and M d = 0, c d = 1, and s d = 0, d = J +1. Lastly, set I dj = 1 (0) if d = j d j, S = S, B = 0, N = S/min j J s j, and k i = 1, i = 1 2 N. This transformation can be performed in polynomial time in the size of the arbitrary instance of the IKP. To show that an optimal solution to SSSDP maps to an optimal solution of IKP, suppose that A ij, i = 1 2 N, j J, and Y d, d D is an optimal solution to SSSDP. Then, j J A ij = 1, i = 1 2 N, N i=1 A id Y d, d D, d D s d Y d S, and N i=1 j J L j A ij is maximized. The claim is that x j = A ij, j = 1 2 J is an optimal solution for IKP. Note that x j = A ij, j = 1 2 J is a feasible solution to IKP because j J x j s j = N j J i=1 A ij s j j J Y ij s j S = S. Suppose that x j, j = 1 2 J is an optimal solution to IKP, such that j J x j v j > j J x j v j. When k i = 1, i = 1 2 N, then the passengers are indistinguishable. Without loss of generality, for j = 1 2 J, let Ā ij = 1 for i 1 + j 1 m=1 x j x j + j 1 m=1 x j, and Ā ij = 0 otherwise. Then, Ā ij for i = 1 2 N and j J, and Y d = N i=1 Āid for d D is a feasible solution to SSSDP: j J Ā ij = 1, i = 1 2 N, N i=1 Āid Y d, d D, and d D s d Y d = N d D i=1 Āids d = j J x j s j S = S. Note that N i=1 Āij = x j, j = 1 2 J. Therefore, the SSSDP objective function value for this solution is N i=1 j J L j Ā ij = j J x j v j > j J x j v j = N i=1 j J L j A ij, which is a contradiction. Therefore, x j = A ij for j = 1 2 J is an optimal solution for IKP. References Babu, V. L., R. Batta, L. Lin Passenger grouping under constant threat probability in an airport security system. Eur. J. Oper. Res Barnett, A The worst day ever. OR/MS Today Barnett, A CAPPSII: The foundation of aviation security? Risk Anal Barnett, A., M. K. Higgins Airline safety: The last decade. Management Sci Barnett, A., M. Abraham, V. Schimmel Airline safety: Some empirical findings. Management Sci Barnett, A., R. W. Shumsky, M. Hansen, A. Odoni, G. Gosling Safe at home? An experiment in domestic airline security. Oper. Res Butler, V., R. W. Poole, Jr Rethinking checked-baggage screening. Reason Public Policy Institute, Policy Study 297, Los Angeles, CA. Chakrabarti, S., A. Strauss Carnival booth: An algorithm for defeating the computer-aided passenger screening system. First Monday 7. Derman, C., G. J. Lieberman, S. M. Ross A sequential stochastic assignment problem. Management Sci. 18(7)

13 194 Transportation Science 41(2), pp , 2007 INFORMS FAA, Federal Aviation Administration FAA Aerospace Forecasts: Fiscal Years Office of Policy and Plans, Federal Aviation Administration, United States Department of Transportation, Washington, D.C. Garey, M. R., D. S. Johnson Computers and Intractability. A Guide to the Theory of NP-Completeness. W. H. Freeman and Co., New York. Hall, M., D. DeLollis Plan to collect flier data canceled. USA Today (July 14) 1. Hardy, G. H., J. E. Littlewood, G. Polya Inequalities, 2nd ed. Cambridge University Press, Cambridge, England. Hilkevitch, J London airport offers security lessons for U.S. Chicago Tribune (February 17) 1. Jacobson, S. H., J. M. Bowman, J. E. Kobza Modeling and analyzing the performance of aviation security systems using baggage value performance measures. IMA J. Management Math Jacobson, S. H., L. A. McLay, J. E. Kobza, J. M. Bowman. 2005a. Modeling and analyzing multiple station baggage screening security system performance. Naval Res. Logist. 52(1) Jacobson, S. H., L. A. McLay, J. E. Virta, J. E. Kobza. 2005b. Integer program models for the deployment of airport baggage screening security devices. Optim. Engrg. 6(3) Jacobson, S. H., J. E. Virta, J. M. Bowman, J. E. Kobza, J. J. Nestor Modeling aviation baggage screening security systems: A case study. IIE Trans Kahn, E., R. Robinson Risk management analysis for U.S. commercial aviation security. Proc. 4th Internat. Aviation Security Tech. Sympos., Safe Skies Publishing, Washington, D.C., Kobza, J. E., S. H. Jacobson Addressing the dependency problem in access security system architecture design. Risk Anal. 16(6) Kobza, J. E., S. H. Jacobson Probability models for access security system architectures. J. Oper. Res. Soc. 48(3) Martonosi, S An operations research approach to aviation security. Ph.D. thesis, Massachusetts Institute of Technology, Cambridge, MA. Martonosi, S., A. I. Barnett How effective is security screening of airline passengers? Interfaces 36(6) McLay, L. A Designing aviation security systems: Theory and practice. Ph.D. thesis, University of Illinois at Urbana- Champaign, Urbana, IL. McLay, L. A., S. H. Jacobson Integer knapsack problems with set-up weights. Computational Optim. Appl. 37(1) McLay, L. A., S. H. Jacobson, J. E. Kobza Making skies safer: Applying operations research to aviation passenger prescreening systems. OR/MS Today 32(5) McLay, L. A., S. H. Jacobson, J. E. Kobza A multilevel passenger prescreening problem for aviation security. Naval Res. Logist. 53(3) McLay, L. A., S. H. Jacobson, J. E. Kobza Integer programming models and analysis for a multilevel passenger screening problem. IIE Trans. 39(1) Mead, K. M Key challenges facing the Transportation Security Administration. Office of the Inspector General Report CC , Department of Transportation, Washington, D.C. Mead, K. M Aviation security costs, Transportation Security Administration. Office of the Inspector General Report CC , Department of Transportation, Washington, D.C. Poole, R. W., Jr., G. Passantino A risk-based airport security policy. Reason Public Policy Institute, Policy Study 308, Los Angeles, CA. Singel, R Life after death for CAPPS II? Wired News (July 16). TSA U.S. Department of Homeland Security, TSA-Rev TSA The National Archives and Records Administration File, FR Document Virta, J. E., S. H. Jacobson, J. E. Kobza Outgoing selectee rates at hub airports. Reliability Engrg. System Safety Virta, J. E., S. H. Jacobson, J. E. Kobza Analyzing the cost of screening selectee and non-selectee baggage. Risk Anal