European Journal of Operational Research 220 (2012) 522–529

Innovative Applications of O.R.

Multilevel, threshold-based policies for cargo container security screening systems


Laura A. McLay (a, ⇑), Rebecca Dreiding (b)

(a) Department of Statistical Sciences and Operations Research, Virginia Commonwealth University, 1015 Floyd Ave., P.O. Box 843083, Richmond, VA, United States
(b) Mantech International Corporation, 1560 Wilson Blvd., Suite 700, Arlington, VA 22209, United States

Article info

Article history: Received 20 October 2010; Accepted 31 January 2012; Available online 16 February 2012

Keywords: Knapsack problem models; Container screening; Homeland Security; Threshold constraints

Abstract

To mitigate the threat of nuclear terrorism within the US using nuclear material that has been smuggled into the country, the US Bureau of Customs and Border Protection has expanded its cargo container detection capabilities at ports of entry into the US. This paper formulates a risk-based screening framework for determining how to define a primary screening alarm for screening cargo containers given a set of dependent primary screening devices. To do so, this paper proposes two linear programming models for screening cargo containers for nuclear material at port security stations using knapsack problem models. All cargo containers undergo primary screening, where they are screened by a given number of security devices. The objective is to identify the primary security outcomes that warrant a system alarm for each container risk group such that the system detection probability is maximized, subject to a screening budget. The base model is compared to a second model that explicitly requires a threshold-based policy. The structural properties of the two models are compared, which indicates that all risk groups except at most one have deterministic screening policies. A computational example suggests that the detection probability is not significantly altered by enforcing a threshold policy.

© 2012 Elsevier B.V. All rights reserved.

⇑ Corresponding author. Tel.: +1 804 828 5842. E-mail addresses: lamclay@vcu.edu (L.A. McLay), rebecca.dreiding@mantech.com (R. Dreiding).
doi:10.1016/j.ejor.2012.01.060

1. Introduction

National security has become a critical issue since the September 11, 2001 attack. Port security has emerged as a critically important yet vulnerable component in the Homeland Security system. One of the most important security issues to emerge is the need to prevent nuclear material being smuggled into the US by cargo containers, since nuclear material could be used to detonate a nuclear bomb on US soil.

In order to prevent nuclear material from being smuggled into the US, nearly all of the 11.4 M cargo containers that enter the US every year are scanned by radiation portal monitors (RPMs) (Fritelli, 2005; US DOT, 2007; Lava, 2008; Bakir, 2008). There are many challenges associated with screening cargo containers. One challenge is to determine effective risk-based methods for screening cargo containers, given that risk assessments have been performed on cargo containers entering the US. The Automated Targeting System (ATS) is used to prescreen each cargo container and classify it as high-risk or low-risk using the shipping manifest and other information (Strohm, 2006). ATS and the outcomes of other US Customs and Border Protection programs – such as Customs-Trade Partnership Against Terrorism (C-TPAT), the Container Security Initiative (CSI), and Secure Freight Initiative (SFI) – can be used to classify cargo containers into a large number of risk groups. These programs provide a wealth of data that can be used to make more effective risk-based container screening decisions. Although a risk-based approach to cargo container screening is part of the US Customs and Border Protection (CBP) plan for security, few guidelines are given to implement and assess such a strategy.

Another challenge with screening cargo containers is that secondary screening inspection methods that rely on unpacking cargo containers are labor intensive, expensive, and time-consuming. As a result, a small proportion of cargo containers entering US ports are inspected for nuclear and radiological material using highly effective techniques and technologies, since it is expensive to inspect cargo by physically unpacking the containers or to use non-intrusive inspection technologies. This paper provides a prescriptive, structured framework for investigating security system design given that cargo containers undergo multilayered prescreening and that restrictions are imposed on how secondary screening decisions can be made.

In this paper, screening refers to the entire inspection process in a layered port security system, which may involve scanning with an RPM, non-intrusive inspection using imaging technologies, document checking, and physically unpacking containers. Screening may take place at several locations, such as foreign ports, US seaports, land border crossings, as well as other locations. Note that more advanced and expensive screening procedures, such as non-intrusive inspection and unpacking containers, are used more sparingly and are targeted at high-risk containers (US CBP, 2007). Such inspections are assumed to be performed at a predetermined
security station such as at the exit lanes of a US seaport. Identifying optimal ways to use these limited screening resources is an important part of the Homeland Security system.

This paper introduces two linear programming models for identifying risk-based screening policies using knapsack problem models. In both models, a prescreening system such as ATS classifies containers into a number of risk groups. All containers are screened by a set of primary screening devices, each of which yields an alarm or clear response. The objective is to determine how many device alarms lead to a primary screening alarm for each risk group to maximize the detection probability of the system subject to a screening budget. Containers are sent to secondary screening (or cleared) at a specific location (e.g., the exit lanes at a single port). The base model is compared to a second model that explicitly requires a threshold-based policy, which requires that the primary screening alarms be defined such that there is a threshold in the total number of alarms that defines the primary screening alarms for each risk group. Such a threshold is desirable for simplicity, but may not be optimal (McLay and Dreiding, 2009).

This approach of exploring how to define a primary screening alarm complements the approach of determining individual sensor operating characteristics (by changing the level at which individual sensors yield an alarm based on receiver-operating characteristic curves) while assuming that an escalating security policy is in place. This latter approach is explored in several papers (e.g., Wein et al., 2007; Boros et al., 2009). Defining a primary screening alarm and defining individual sensor operating characteristics are interrelated problems. However, the objective of this paper focuses on the definition of a primary screening alarm to isolate the effect of this type of decision and to highlight its importance in a risk-based security context, particularly since any layer in the security system could cumulatively use information from previous security checks to more effectively detect nuclear material.

This paper extends the analysis by McLay et al. (2011), who explore the relationships and tradeoffs between prescreening intelligence, secondary screening costs, and the efficacy of radiation detectors when there are two risk groups (i.e., high-risk and low-risk). This paper considers a generalized prescreening system that classifies containers according to an arbitrary number of risk groups, where the risk groups are linked to a portfolio of threat and non-threat scenarios, and it considers the impact of threshold-based primary screening alarms. The key contribution of this analysis is that it provides a multilevel, risk-based framework for determining how to define a system alarm when screening cargo containers given limited secondary screening resources while simultaneously considering threshold-based screening restrictions. The analysis indicates that a threshold-based definition for the system alarm may not be optimal under reasonable assumptions, but such definitions lead to near-optimal solutions that may be easier to implement in practice. Structural properties of the model shed light on optimal screening policies as well as how prescreening can effectively use scarce screening resources.

This paper is organized as follows. Section 2 provides a literature review for security screening problems and research models for detecting nuclear material. Section 3 introduces parameters and notation used in the models, and then it introduces the two proposed models. Their structural properties are analyzed in Section 4. A simple computational example is analyzed in Section 5. Concluding remarks and directions for future research are given in Section 6.

2. Background

There is a growing body of literature that addresses the detection of nuclear material in cargo containers using operations research methodologies. Wein et al. (2006) analyze an eleven-layer screening system for containers entering the US by considering a fixed budget and port congestion. They consider the effects of prescreening from ATS and whether a terrorist enrolls in the Customs-Trade Partnership Against Terrorism (C-TPAT) program. Bakir (2008) presents a decision tree model to analyze the screening of cargo containers at commercial truck crossings on the US border with Mexico. The analysis suggests that new screening equipment should not be routinely installed. Bakir’s results largely depend on the conditional probability of an attack, and the analysis motivates the need for improved next-generation RPMs. Merrick and McLay (2010) extend Bakir’s model to examine whether even the original screening equipment investments were worthwhile. They also examine the scenarios when multiple layers of screening are viable and how large the deterrent effect should be to justify routine screening. Their analysis suggests that taking alarms caused by naturally occurring radioactive material (NORM) and the deterrent effect into account are important for port security models.

Gaukler et al. (2011) investigate how radiography-based images can be used to supplement or replace prescreening by computing hardness measures to identify potential containerized threat scenarios. They explore the tradeoffs between the system detection probability and the sojourn time of the containers. Gaukler et al. (2012) extend this approach to consider hybrid screening systems and container-specific false alarm rates.

Several research papers examine inspection strategies for cargo containers that use several types of screening tests. Wein et al. (2007) apply queuing theory and optimization to analyze cargo containers on truck trailers passing by a series of RPMs. They determine the optimal spatial positioning and scanning time for RPMs such that a desired detection probability is achieved. Ramirez-Marquez (2008) uses decision trees to find cargo container inspection strategies that minimize inspection costs. Each strategy selects sensors that have varying reliability and costs. The strategy presented maintains a required detection rate that follows a minimum cost, order-dependent inspection. Concho and Ramirez-Marquez (2010) extend this work to provide an evolutionary algorithm for identifying near-optimal sensor operating characteristics. Boros et al. (2009) determine how to optimally inspect cargo containers by using a large scale linear programming model. Boros et al. (2011) extend this approach using decision trees and knapsack problem models by using dynamic programming to identify optimal inspection policies. Kantor and Boros (2010) use principles of game theory to determine when to unpack and inspect cargo containers when considering mixed inspection strategies. Note that none of these efforts explicitly consider the effects of prescreening to identify high-risk cargo containers.

Several papers use stochastic network interdiction models to determine how to locate sensors. Morton et al. (2007) propose two stochastic network interdiction models to minimize the success of a potential terrorist. The first model is deterministic, which assumes that the path and location of the radiation detectors are known to all. In the second model, only a subset of radiation detectors is known by the smuggler, and the views of the interceptor and smuggler differ. These models are used to select sensor locations to minimize a terrorist’s probability of being successful at smuggling nuclear material across the borders. Dimitrov et al. (2011) use stochastic network interdiction models to determine how to locate radiation detectors on a network, given a large number of potential threat scenarios. They identify computationally-efficient methods for estimating detection probabilities. Nehme (2009) analyzes two-person stochastic network interdiction models for determining how to locate radiation detectors on a network. Three classes of models consider sequential games, simultaneous games, and games with hidden information.

In contrast to previous work in this area that seeks to determine sensor operating characteristics while assuming that an escalating primary security alarm is in place (i.e., at least one alarm yields a primary screening alarm), this paper explores the complementary issue of how to define a primary screening alarm in a risk-based security system while assuming that the sensor operating characteristics remain constant in order to shed light on optimal, risk-based security system design and operation. The additional issue of exploring threshold-based screening policies provides insight into the tradeoffs when there are restrictions on screening decisions.

3. Screening framework and model

In this section, terminology and parameters are introduced for the two linear programming models, and the proposed models are formally stated. The Multilevel Knapsack Screening Problem (MKSP) examines the particular case when containers undergo prescreening prior to primary screening, based on the output of ATS and other forms of prescreening, and it investigates how to define a primary screening alarm given the container’s prescreening classification and the number of primary screening sensor alarms. MKSP examines primary screening alarms for the general screening case, whereas the Multilevel Threshold Knapsack Screening Problem (MTKSP) examines the restriction that all primary screening alarms are defined according to a threshold policy.

First, a prescreening system is used to classify each cargo container into one of $m$ risk groups, with $m \geq 1$. Cargo containers enter a security station (e.g., exit lanes at a port) to undergo primary screening, where $n$ sensors screen each container. Each sensor yields an alarm or clear response, based on how the sensor operates and the characteristics of the cargo container, and hence, the total number of sensor alarms is between zero and $n$. The sensor alarms depend on the true underlying container contents (e.g., whether a nuclear weapon is in the container), which are likewise reflected in each of the risk groups. Ideally, the system yields a clear response for all of the non-threat containers and yields an alarm response for all of the threat containers.

Based on the total number of sensor alarms, a primary screening system response is given. This allows the system response (either alarm or clear) to be defined in one of several ways (Kobza and Jacobson, 1996; Kobza and Jacobson, 1997). The primary screening system response has one of two outcomes, either an alarm is given or the container is cleared. If the cargo container is cleared, it exits the security station and continues along its path to its destination. The cargo containers that yield a primary screening alarm undergo secondary screening. The objective is to determine which containers yield a primary screening alarm in order to maximize the total security. It is assumed that the total security captures the expected number of threat containers that are selected for secondary screening, although other objective functions could be used. Although selecting threat containers for secondary screening does not guarantee that the threats are detected, secondary screening inspection procedures, such as using RIIDs and unpacking the containers, have a high probability of detecting a threat. Threat containers that are not selected for secondary screening are cleared, and hence, they cannot be detected by screening procedures (although they could be interdicted by local law enforcement before an attack). Note that this framework is defined generally for any type of radiological and nuclear sensor, and it makes no assumptions about how the sensors work together.

MKSP and MTKSP have the following parameters:

- $m$ = number of prescreening risk groups,
- $n$ = number of sensors for screening cargo containers, each yielding a binary outcome,
- $r_{i,k}$ = security level associated with selecting containers of risk group $i$ that yield $k$ alarms for secondary screening (i.e., the reward), $i = 1, 2, \ldots, m$, $k = 0, 1, \ldots, n$,
- $w_{i,k}$ = the number of containers of risk group $i$ that yield $k$ alarms (i.e., the weight), $i = 1, 2, \ldots, m$, $k = 0, 1, \ldots, n$,
- $c$ = the budget associated with secondary screening.

All parameters are deterministic. The $m$ risk groups reflect the prescreening risk assessments performed on each container, based on ATS and other forms of prescreening. The risk groups could be defined to capture screening outcomes at foreign ports, document checks, and expert judgement. Therefore, this framework captures a broad range of security screening operations. In the simplest case, there would be two risk groups, associated with containers perceived as high-risk or low-risk (Strohm, 2006; McLay and Dreiding, 2011). The $n$ sensors could be radiation detectors such as RPMs, which screen each cargo container for radiation that is emitted by nuclear material such as plutonium and highly enriched uranium (HEU). The budget for secondary screening $c$ is a deterministic value based on available resources. It is based on information collected and analyzed by the Department of Homeland Security (DHS) and CBP (Huizenga, 2005; Rooney, 2005). It is in part based on salaries paid to the employees hired to perform secondary screening. Note that the budget can be selected to take delay costs into account, and hence, delays are implicitly handled by this model, which assumes that the cost to resolve an alarm with secondary screening is the same for all types of containers.

The rewards and weights, $r_{i,k}$ and $w_{i,k}$, $i = 1, 2, \ldots, m$, $k = 0, 1, \ldots, n$, reflect the containers’ threat and alarm probabilities. To define the knapsack rewards and weights, the following parameters are needed:

- $N$ = number of cargo containers screened at the security station,
- $T$ ($\bar{T}$) = set of threat (non-threat) scenarios, where $T$ and $\bar{T}$ are mutually exclusive and exhaustive subsets of the set of container scenarios,
- $P_t$ = the probability a cargo container is in threat or non-threat scenario $t \in T \cup \bar{T}$, with $\sum_{t \in T \cup \bar{T}} P_t = 1$,
- $P^R_{i|t}$ = the conditional probability that a cargo container is classified into risk group $i$ given its scenario, $i = 1, 2, \ldots, m$, $t \in T \cup \bar{T}$,
- $P^j_{A|t \cap i}$ = the conditional probability that a container in risk group $i$ and scenario $t$ yields an alarm ($A$) at sensor $j$, $j = 1, 2, \ldots, n$, $i = 1, 2, \ldots, m$, $t \in T \cup \bar{T}$,
- $P_{kA|t \cap i}$ = the conditional probability that a container in risk group $i$ and scenario $t$ yields $k$ alarms, $k = 0, 1, \ldots, n$, $i = 1, 2, \ldots, m$, $t \in T \cup \bar{T}$.

The total number of containers $N$ represents the number of cargo containers that pass through a given station in a year, or another period of time. The threat scenarios $T$ reflect possible sources for the nuclear weapon, weapon construction, and how the nuclear weapon is stored in the container, such as whether it is masked by naturally occurring radioactive material (NORM) or shielded with lead. Likewise, the non-threat scenarios ($\bar{T}$) reflect the characteristics of containers that do not contain a nuclear weapon. The non-threat scenarios $\bar{T}$ could be defined to capture the container contents, such as whether a container contains NORM, since container contents are important for predicting alarm probabilities (Huizenga, 2005). Likewise, the probabilities associated with the threat and non-threat scenarios reflect the proportion of containers passing through a security station that take on the associated characteristics.

The conditional probability that a cargo container is classified into risk group $i$ given scenario $t$, $P^R_{i|t}$ for $t \in T \cup \bar{T}$, reflects the quality of prescreening. These probabilities are based on the proportion of containers passing through a security station that are classified
in risk group $i$, $i = 1, 2, \ldots, m$, once a large number of cargo containers has been evaluated. Ideally, the threat containers are captured in risk groups that are matched with screening policies that are designed to detect them.

The conditional probability that a container in risk group $i$ and scenario $t$ yields $k$ alarms, $P_{kA|t \cap i}$, reflects the likelihood of observing a given number of alarms, based on the risk level and scenario. Methods by McLay and Dreiding (2011) can be used to compute the conditional probabilities of observing k-of-n alarms given a container’s risk group and scenario. These k-of-n alarm probabilities $P_{kA|t \cap i}$ can be computed using a reliability model given the individual alarm probabilities $P^j_{A|t \cap i}$, $i = 1, 2, \ldots, m$, $t \in T \cup \bar{T}$, $j = 1, 2, \ldots, n$ (Koucky, 2003). In the case when each sensor operates independently and identically with the probability of a single sensor alarm $P_{A|t \cap i}$, $i = 1, 2, \ldots, m$, $t \in T \cup \bar{T}$, then the number of alarms can be modeled as a Binomial random variable with parameters $n$ and $P_{A|t \cap i}$.

The reward $r_{i,k}$ reflects the expected number of threat containers in risk group $i$ that yield exactly $k$ primary screening alarms, $i = 1, 2, \ldots, m$, $k = 0, 1, \ldots, n$:

$$r_{i,k} = N \sum_{t \in T} P_{kA|i \cap t}\, P^R_{i|t}\, P_t = N \sum_{t \in T} P_{kA \cap i \cap t}. \qquad (1)$$

The weight $w_{i,k}$ reflects the expected number of containers in risk group $i$ that yield exactly $k$ primary screening alarms, $i = 1, 2, \ldots, m$, $k = 0, 1, \ldots, n$:

$$w_{i,k} = N \sum_{t \in T \cup \bar{T}} P_{kA|i \cap t}\, P^R_{i|t}\, P_t = N \sum_{t \in T \cup \bar{T}} P_{kA \cap i \cap t}. \qquad (2)$$

MKSP is formally stated. Its decision variables are $x_{i,k}$, which capture the proportion of type $i$ containers yielding $k$ alarms that are selected for secondary screening, $i = 1, 2, \ldots, m$, $k = 0, 1, \ldots, n$. For simplicity, MKSP is stated as a linear programming model.

$$z = \max \sum_{i=1}^{m} \sum_{k=0}^{n} r_{i,k}\, x_{i,k}, \qquad (3)$$

$$\text{subject to} \quad \sum_{i=1}^{m} \sum_{k=0}^{n} w_{i,k}\, x_{i,k} \leq c, \qquad (4)$$

$$0 \leq x_{i,k} \leq 1, \quad i = 1, 2, \ldots, m, \; k = 0, 1, \ldots, n. \qquad (5)$$

The objective function (3) reflects the expected number of threats that are selected for secondary screening. The first constraint (4) ensures that the screening decisions are capacity feasible. The final set of constraints (5) provide linear bounds for the variables. Note that MKSP is identical to the linear programming relaxation of the well-known 0–1 Knapsack Problem (KP). This relationship will be explored in greater detail in Section 4.

Ideally, if a container yielding $k$ alarms is selected for secondary screening, $k = 0, 1, \ldots, n - 1$, then a container in the same risk group yielding $k + 1$ alarms is selected for secondary screening. Such a policy is called a threshold policy. However, McLay and Dreiding (2009) demonstrate that a threshold policy is not optimal using realistic parameter values. Note that a threshold policy would be optimal across all risk groups and capacity levels if:

$$\frac{r_{i,k}}{w_{i,k}} < \frac{r_{i,k+1}}{w_{i,k+1}}, \quad k = 0, 1, \ldots, n - 1,$$

for all $i = 1, 2, \ldots, m$, due to the well-known solution to the linear programming relaxation to KP (Kellerer et al., 2004, p. 18). MTKSP is identical to MKSP except that it enforces such a threshold policy, which can be formulated by adding the following constraints to (3)–(5),

$$x_{i,k-1} \leq x_{i,k}, \quad i = 1, 2, \ldots, m, \; k = 1, 2, \ldots, n. \qquad (6)$$

Alternatively, MTKSP can be formulated as a particular instance of the multiple-choice knapsack problem (MCKP). In MCKP, there are a set of classes, where the classes form a partition of the set of items. Exactly one item in each class must be added to the knapsack. As in KP, there is a single capacity constraint and the objective is to maximize the total reward.

Each class in the MCKP formulation for MTKSP corresponds to a risk group, resulting in $m$ classes. The rewards in the MCKP formulation for MTKSP, $R_{i,k}$, are interpreted as the expected number of threats in risk group $i$ yielding $k$ or more alarms, resulting in $R_{i,k} = \sum_{j=k}^{n} r_{i,j}$, $k = 1, 2, \ldots, n$, with $R_{i,n+1} = 0$, $i = 1, 2, \ldots, m$. The weights in the MCKP formulation are the expected number of containers in risk group $i$ yielding $k$ or more alarms, resulting in $W_{i,k} = \sum_{j=k}^{n} w_{i,j}$, $k = 0, 1, \ldots, n$, with $W_{i,n+1} = 0$, $i = 1, 2, \ldots, m$. The knapsack capacity remains $c$. MTKSP is stated as a linear programming model:

$$z_T = \max \sum_{i=1}^{m} \sum_{k=0}^{n+1} R_{i,k}\, y_{i,k} \qquad (7)$$

$$\text{subject to} \quad \sum_{i=1}^{m} \sum_{k=0}^{n+1} W_{i,k}\, y_{i,k} \leq c \qquad (8)$$

$$\sum_{k=0}^{n+1} y_{i,k} = 1, \quad i = 1, 2, \ldots, m \qquad (9)$$

$$0 \leq y_{i,k} \leq 1, \quad i = 1, 2, \ldots, m, \; k = 0, 1, \ldots, n + 1 \qquad (10)$$

The decision variables $y_{i,k}$ set the threshold for containers in risk group $i$ at $k$ as follows, $i = 1, 2, \ldots, m$, $k = 0, 1, \ldots, n + 1$. When $y_{i,k}$ take on integer values, they define a deterministic threshold, where the threshold for risk group $i$ is (not) set at $k$ when $y_{i,k} = 1$ (0). When $y_{i,k}$ take on linear values, they define a random threshold, where a random proportion of containers in risk group $i$ yielding at least $k$ alarms are selected for secondary screening. Containers that yield $k$ alarms are selected for secondary screening if the threshold is set to $k$ or fewer alarms. If $y_{i,n+1} = 1$, then no containers in risk group $i$ are selected for secondary screening, $i = 1, 2, \ldots, m$.

The objective in (7) captures the expected number of threats that are selected for secondary screening. The first constraint (8) ensures that the screening decisions are capacity feasible. The second set of constraints (9) ensures the multiple choice constraint, which enforces a threshold policy. The final set of constraints (10) provide the variable bounds.

4. Structural properties

This section summarizes the structural properties of MKSP and MTKSP and their policies. The structural properties of the screening policies implied by the optimal solutions to MKSP are first discussed, followed by a discussion of the MTKSP screening policies. The proofs for all results can be found in McLay and Dreiding (2011).

The prior probability that a container in risk group $i$ is a threat (i.e., is contained in one of the threat scenarios) is:

$$\sum_{t \in T} P^R_{t|i} = \frac{\sum_{t \in T} P_{i \cap t}}{P_i} = \frac{\sum_{k=0}^{n} \sum_{t \in T} P_{kA \cap i \cap t}}{\sum_{k=0}^{n} \sum_{t \in T} P_{kA \cap i \cap t} + \sum_{k=0}^{n} \sum_{t \in \bar{T}} P_{kA \cap i \cap t}} = \frac{\sum_{k=0}^{n} r_{i,k}}{\sum_{k=0}^{n} w_{i,k}}.$$

The posterior probabilities capture the conditional probabilities that a container is a threat given that it yields $k$ alarms and is in risk group $i$, $\sum_{t \in T} P_{t|kA \cap i}$. Theorem 1 defines the posterior probabilities.

Theorem 1. The posterior probabilities that a container in risk group $i$ yielding $k$ alarms is a threat, $\sum_{t \in T} P_{t|kA \cap i}$, is defined as the ratio of the reward to the weight, $r_{i,k}/w_{i,k}$, $i = 1, 2, \ldots, m$, $k = 0, 1, \ldots, n$.
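The two models stated above can be compared numerically on a small instance. The following is an added example, not code from the paper: it builds $r_{i,k}$ and $w_{i,k}$ from equations (1) and (2) assuming one threat and one non-threat scenario with independent, identical sensors (Binomial alarm counts), solves MKSP greedily by the ratio $r_{i,k}/w_{i,k}$ of Theorem 1, and solves MTKSP by enumerating basic solutions of (7)–(10), in which at most one risk group mixes two thresholds. All parameter values and function names are constructed for illustration.

```python
# Added example (not from the paper). All numeric inputs are constructed.
from itertools import product
from math import comb

def binom_pmf(k, n, p):
    return comb(n, k) * p**k * (1 - p)**(n - k)

def rewards_weights(N, n, p_threat, cls_threat, cls_clear, pa_threat, pa_clear):
    """r[i][k], w[i][k] per equations (1)-(2) with one threat and one
    non-threat scenario and i.i.d. sensors (alarm count ~ Binomial)."""
    r, w = [], []
    for g_t, g_c in zip(cls_threat, cls_clear):
        ri = [N * binom_pmf(k, n, pa_threat) * g_t * p_threat for k in range(n + 1)]
        wi = [ri[k] + N * binom_pmf(k, n, pa_clear) * g_c * (1 - p_threat)
              for k in range(n + 1)]
        r.append(ri)
        w.append(wi)
    return r, w

def solve_mksp(r, w, c):
    """LP (3)-(5): fractional knapsack, filled in decreasing order of r/w,
    i.e. by posterior threat probability (Theorem 1)."""
    items = [(i, k) for i in range(len(r)) for k in range(len(r[i]))]
    items.sort(key=lambda ik: r[ik[0]][ik[1]] / w[ik[0]][ik[1]], reverse=True)
    x = {ik: 0.0 for ik in items}
    z, left = 0.0, float(c)
    for i, k in items:
        if left <= 0:
            break
        x[i, k] = min(1.0, left / w[i][k])
        z += x[i, k] * r[i][k]
        left -= x[i, k] * w[i][k]
    return z, x

def is_threshold_policy(x, m, n, tol=1e-12):
    """Constraint (6): x[i,k-1] <= x[i,k] for every group and alarm count."""
    return all(x[i, k - 1] <= x[i, k] + tol
               for i in range(m) for k in range(1, n + 1))

def solve_mtksp(r, w, c):
    """LP (7)-(10) by enumeration: every other group gets one deterministic
    threshold; group i may mix a lower threshold lo with a higher one hi.
    Returns z_T and {group: (lo, hi, weight on lo)}."""
    m, n = len(r), len(r[0]) - 1
    # R[i][k], W[i][k]: totals over containers with k or more alarms;
    # index n+1 means "screen none" (R = W = 0).
    R = [[sum(ri[k:]) for k in range(n + 2)] for ri in r]
    W = [[sum(wi[k:]) for k in range(n + 2)] for wi in w]
    best_z, best_policy = -1.0, None
    for i in range(m):
        others = [g for g in range(m) if g != i]
        for ks in product(range(n + 2), repeat=m - 1):
            base_r = sum(R[g][k] for g, k in zip(others, ks))
            base_w = sum(W[g][k] for g, k in zip(others, ks))
            for hi in range(n + 2):
                room = c - base_w - W[i][hi]
                if room < 0:
                    continue  # even the stricter threshold exceeds the budget
                for lo in range(hi + 1):
                    extra = W[i][lo] - W[i][hi]
                    y_lo = 1.0 if extra <= room else room / extra
                    z = base_r + R[i][hi] + y_lo * (R[i][lo] - R[i][hi])
                    if z > best_z:
                        policy = {g: (k, k, 1.0) for g, k in zip(others, ks)}
                        policy[i] = (lo, hi, y_lo)
                        best_z, best_policy = z, policy
    return best_z, best_policy

# Constructed instance: 1000 containers, 2 sensors, 2 risk groups
# (group 0 = high risk), 1% of containers are threats.
BASE = dict(N=1000, n=2, p_threat=0.01,
            cls_threat=[0.8, 0.2], cls_clear=[0.1, 0.9])

def compare(pa_threat, pa_clear, c=50):
    """Return (z, z_T, MKSP-solution-is-threshold?, MTKSP policy)."""
    r, w = rewards_weights(pa_threat=pa_threat, pa_clear=pa_clear, **BASE)
    z, x = solve_mksp(r, w, c)
    z_t, policy = solve_mtksp(r, w, c)
    return z, z_t, is_threshold_policy(x, len(r), BASE["n"]), policy

if __name__ == "__main__":
    for label, pt, pc in [("true alarm 0.9 / false alarm 0.1", 0.9, 0.1),
                          ("true alarm 0.3 / false alarm 0.6", 0.3, 0.6)]:
        z, z_t, thr, policy = compare(pt, pc)
        print(f"{label}: z={z:.4f} z_T={z_t:.4f} "
              f"MKSP threshold policy={thr} MTKSP policy={policy}")
```

With the first parameter set the MKSP solution is already a threshold policy and the two objective values coincide. With the second, where the sensors alarm more often on non-threat cargo than on threats, MKSP screens low-alarm containers first and enforcing a threshold lowers the expected number of threats selected.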

It is desirable to select containers for secondary screening according to a threshold policy, which selects containers for secondary screening that yield more alarms rather than fewer alarms according to the optimal solution to the linear programming relaxation for KP. MKSP may result in a threshold policy for a given set of input parameters. Theorem 2 reports the conditions under which a threshold policy occurs across all values of $c$. For each risk group, the order that items are put into the knapsack (i.e., the order in which containers are selected for secondary screening) depends on sensor alarm dependencies.

Theorem 2. Containers in risk group $i$ that yield $k$ alarms occur before containers in risk group $i$ that yield $k - 1$ alarms in the optimal knapsack sequence,

$$\frac{r_{i,k}}{w_{i,k}} \geq \frac{r_{i,k-1}}{w_{i,k-1}},$$

only if

$$\frac{\sum_{t \in T} P_{kA \cap i \cap t}}{\sum_{t \in T} P_{(k-1)A \cap i \cap t}} \geq \frac{\sum_{t \in \bar{T}} P_{kA \cap i \cap t}}{\sum_{t \in \bar{T}} P_{(k-1)A \cap i \cap t}}.$$

Corollary 1 illustrates when the conditions in Theorem 2 hold for the particular case when each sensor operates independently and identically with common single sensor true alarm and false alarm probabilities, when there is one threat and non-threat scenario (i.e., $|T| = |\bar{T}| = 1$), and when alarm probabilities depend on the presence of a threat but not the risk group. In Corollary 1, $T$ and $\bar{T}$ denote the events that a container is a threat and non-threat, respectively, rather than sets of threat and non-threat scenarios.

Corollary 1. When sensor alarms are independently and identically distributed with true alarm and false alarm probabilities $P_{A|T}$ and $P_{A|\bar{T}}$, respectively, then $\frac{r_{i,k}}{w_{i,k}} \geq \frac{r_{i,k-1}}{w_{i,k-1}}$ only if $P_{A|T} \geq P_{A|\bar{T}}$.

Several types of screening technologies (e.g., RPMs) may be more effective at identifying NORM containers than threat containers, and hence, the conditions in Corollary 1 may not hold. Therefore, a threshold policy may not be optimal under realistic assumptions. This motivates the need to address the challenges associated with cargo container security system design. Section 5 illustrates this issue for a computational example.

The analysis thus far has focused on the optimal solution to MKSP. The solution value to both MKSP and MTKSP reflects the expected number of threat containers selected for secondary screening. Enforcing a threshold policy in MTKSP reduces the expected number of threats detected as compared to MKSP, and this reduction is arbitrarily bad in the worst case.

Proposition 1. The ratio between the objective values for MTKSP and MKSP, $Z_T/Z$, is arbitrarily bad.

To see this, consider the following example.

Example. Two sensors screen three containers ($N = 3$) with a single risk group ($m = 1$). There is one threat scenario and one

two alarms, with $Z_T/Z = \varepsilon/(1 - \varepsilon)$, which is arbitrarily bad as $\varepsilon$ approaches 0. □

Consider a fixed risk group $i$. A threshold set at $k$ indicates that a container yielding $k$ alarms or more is selected for secondary screening, and a container yielding strictly fewer than $k$ alarms is not selected for secondary screening. The threshold for risk group $i$ is either deterministic (i.e., $y_{i,k} = 1$ for some $k$) or random (i.e., $0 < y_{i,k} < 1$ for at least one $k$, which means that some containers are randomly selected for secondary screening). Proposition 2 indicates that the threshold for at most one risk group is random; the other thresholds are deterministic.

Proposition 2. In an optimal solution to MTKSP, there are at most two fractional variables. If there are two fractional variables, then they are in the same risk group.

Proposition 3 indicates that certain thresholds are dominated. A threshold $k$ in risk group $i$ is dominated if its posterior probability that a container in risk group $i$ is a threat is not more than that of threshold $k - 1$. The pruned version of MTKSP removes these thresholds (and their associated variables), since the variable associated with a dominated threshold level is always set to zero in an optimal solution. Corollary 2 indicates how to construct the screening policy given a solution to MTKSP.

Proposition 3. If the posterior probability that a container in risk group $i$ yielding $k - 1$ alarms is a threat is at least as large as the posterior probability that a container in risk group $i$ yielding $k$ alarms is a threat (i.e., $r_{i,k}/w_{i,k} \leq r_{i,k-1}/w_{i,k-1}$), then the risk group $i$ threshold is not set to $k$ alarms (i.e., $y_{i,k} = 0$), $k = 0, 1, \ldots, n + 1$, $i = 1, 2, \ldots, m$.

Corollary 2. If there are fractional variables in MTKSP, then they are adjacent variables in the pruned version of MTKSP, in which dominated thresholds are removed. If the two fractional variables are $k'$ and $k''$ in class $i$ with $k' < k''$, then the optimal policy is to screen all containers yielding at least $k''$ alarms and to randomly screen a proportion $y_{i,k'}$ of containers yielding at least $k'$ alarms but strictly less than $k''$ alarms.

This section summarizes the structural properties of the optimal policies for both MKSP and MTKSP. They indicate that whether or not there is a threshold in a given MKSP instance, all risk groups except at most one have deterministic screening policies in MKSP and MTKSP. These properties are illustrated in a computational example in Section 5.

5. Computational example

This section reports results for a computational example to explore the tradeoffs with using a multilevel prescreening system when a threshold policy is and is not enforced. The analysis considers cargo containers screened by a series of sensors that are independent and operate identically based on the true classification of the cargo container. Therefore, the number of alarms for each type of container is modeled as a Binomial random variable with
nonthreat scenario ðjTj ¼ jTj ¼ 1Þ. One of the three containers is a parameters n and its single sensor alarm probability, where each
threat. There are three equally likely primary screening outcomes: risk group contains a mixture of containers in the threat and
zero, one, or two alarms (i.e., w1,0 = w1,1 = w1,2 = 1). A threat non-threat scenarios. Although this independence assumption is
container would have probability e of yielding two alarms and not realistic, it sheds light on how a primary screening alarm can
probability 1  e of yielding one alarm (i.e., r1,0 = 0, r1,1 = 1  e, be defined in a multi-layered security system. Note that (McLay
r1,2 = e), with e < 1/2. If one container can be selected for secondary and Dreiding, 2011) illustrate that the highly dependent devices
screening (c = 1), the optimal MKSP solution would select the can be modeled using a single screening device.
container yielding one alarm. When enforcing a threshold policy, The proposed model is analyzed for a hypothetical single secu-
the optimal MTKSP solution would select the container yielding rity station over a time horizon of one year. It is assumed that

N = 1 M containers enter the security station during the time horizon. The probability that a container is a threat is $\sum_{t \in T} P_t = 1/N$, which is selected such that one threat is expected to pass through the security station. As a result, the objective function value for both MKSP and MTKSP captures the detection probability, i.e., the conditional probability that a threat is selected for secondary screening.

A system with n = 10 sensors is considered with m = 4 risk groups. The risk groups reflect a hypothetical prescreening system that classifies each container as (1) high-risk (HR) or low-risk (LR) based on whether the container is perceived as a threat and (2) high-background (HB) or low-background (LB) based on whether the container is perceived as having high levels of background radiation due to NORM. This results in four prescreening risk groups based on combinations of these two prescreening layers, with risk group 1 = HR, HB; 2 = HR, LB; 3 = LR, HB; and 4 = LR, LB.

Three cases are considered for determining how accurate the prescreening system is at identifying threat containers, given by the HR or LR designation. Each case compares each HR risk group to its corresponding LR risk group for HB and LB, thus comparing risk groups 1 to 3 and risk groups 2 to 4 (McLay and Dreiding, 2011). The three cases are (1) high-risk and low-risk containers are equally likely to capture a threat container, (2) high-risk containers are ten times more likely to capture a threat container than low-risk containers, and (3) high-risk containers are 100 times more likely to capture a threat container than low-risk containers.

McLay and Dreiding (2011) describe in detail how the input parameters are computed using realistic input parameters. For simplicity, only the MKSP input parameters are reported, with Table 1 reporting $r_{i,k}$ and $w_{i,k}$, i = 1, 2, . . . , m, k = 0, 1, . . . , n.

To interpret the results, recall that the fraction of containers yielding a particular number of primary alarms that are randomly selected for secondary screening defines the screening policy in MKSP. In MTKSP, Proposition 2 indicates that there are at most two fractional variables and that at most one risk group has a random screening policy.

The results are reported as a function of c to consider varying levels of the secondary screening budget, with $0.01N \le c \le 0.20N$. Fig. 1 shows the detection probabilities across the values of c. It suggests that the differences in the detection probabilities are greatest when c is small, with virtually identical detection probabilities across Cases 1, 2, 3 for $c > 3 \times 10^4$ (0.03N). Therefore, prescreening appears to be most important when few containers are selected for secondary screening, which is currently the practice at US seaports (Rooney, 2005; Lava, 2008). The same policy being optimal across Cases 1, 2, and 3 suggests that prescreening could essentially not be a factor in improving detection probabilities in certain scenarios.

Fig. 1. MKSP and MTKSP detection probabilities Z as a function of c. [Plot: Z versus c (x 10^5), with curves for Case 1, Case 2 and Case 3.]

In order to capture the degradation to the detection probability when enforcing a threshold policy, Fig. 2 shows the ratio of the MTKSP objective function value to the MKSP objective function value, $Z^T/Z$. It reports that $Z^T/Z = 1$ for $c \ge 3 \times 10^4$, which indicates that the threshold policies are sub-optimal only for very small values of c. For all cases considered, $Z^T/Z > 0.9995$, which suggests that for realistic input parameters, the detection probability would not be significantly altered by enforcing a threshold policy, despite having no worst-case performance guarantee (see Proposition 1).
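The worst case behind Proposition 1 and the posterior-ratio condition of Corollary 1 and Proposition 3, worked numerically as an added example (this is not code from the paper). It assumes a single risk group, treats MKSP as a one-constraint LP knapsack filled greedily by r/w, and models a threshold policy as the deterministic rule "screen every container with at least k alarms"; the function names and the two binomial scenarios are constructed for illustration.

```python
from math import comb

def binom_pmf(n, p):
    """P(k of n independent, identical sensors alarm) for k = 0..n."""
    return [comb(n, k) * p**k * (1 - p)**(n - k) for k in range(n + 1)]

def rewards_weights(n, N, p_threat, pa_threat, nonthreat_mix):
    """r[k]: expected threats yielding k alarms; w[k]: expected containers yielding k.
    nonthreat_mix: (share of non-threat cargo, per-sensor alarm probability) pairs."""
    r = [N * p_threat * q for q in binom_pmf(n, pa_threat)]
    w = list(r)
    for share, pa in nonthreat_mix:
        for k, q in enumerate(binom_pmf(n, pa)):
            w[k] += N * (1 - p_threat) * share * q
    return r, w

def dominated(r, w):
    """Proposition 3 test: alarm counts k with r[k]/w[k] <= r[k-1]/w[k-1]."""
    return [k for k in range(1, len(r)) if r[k] * w[k - 1] <= r[k - 1] * w[k]]

def mksp(r, w, c):
    """One-constraint LP knapsack: spend budget c in decreasing order of r/w."""
    x, z = [0.0] * len(r), 0.0
    for k in sorted(range(len(r)), key=lambda j: r[j] / w[j], reverse=True):
        if c <= 0:
            break
        x[k] = min(1.0, c / w[k])
        z += x[k] * r[k]
        c = c - w[k] if x[k] == 1.0 else 0.0   # a partial fill uses up the budget
    return z, x

def best_threshold(r, w, c):
    """Assumed deterministic rule: screen all containers with >= k alarms, taking the
    smallest k whose expected workload fits in c. k = len(r) means screen nothing."""
    z, k_best = 0.0, len(r)
    for k in range(len(r) - 1, -1, -1):
        if sum(w[k:]) > c + 1e-9:
            break
        z, k_best = sum(r[k:]), k
    return z, k_best

def prop1_ratio(e):
    """Threshold-to-unrestricted ratio for the two-sensor example above, with c = 1."""
    r, w = [0.0, 1 - e, e], [1.0, 1.0, 1.0]
    return best_threshold(r, w, 1)[0] / mksp(r, w, 1)[0]

# Constructed scenarios (not Table 1 data): 5 sensors, 1000 containers, 1 expected threat.
# IID: one non-threat scenario with a false alarm rate below the true alarm rate.
IID = rewards_weights(5, 1000, 0.001, 0.8, [(1.0, 0.1)])
# NORM: 10% of non-threat cargo alarms more readily than a threat does.
NORM = rewards_weights(5, 1000, 0.001, 0.5, [(0.9, 0.05), (0.1, 0.95)])

if __name__ == "__main__":
    print("Z^T/Z at e = 0.01:", prop1_ratio(0.01))
    print("dominated alarm counts, IID:", dominated(*IID))
    print("dominated alarm counts, NORM mix:", dominated(*NORM))
    print("MKSP fractions, NORM mix, c = 20:", mksp(*NORM, 20)[1])
```

With the NORM mixture the greedy solution screens every three-alarm container and leaves four- and five-alarm containers unscreened, which is the non-threshold behaviour the text attributes to sensors that respond more strongly to NORM than to threats.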

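Table 1
Rewards and weights

| Parameter | Case | i | k=0 | k=1 | k=2 | k=3 | k=4 | k=5 | k=6 | k=7 | k=8 | k=9 | k=10 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| r_{i,k} | 1 | 1 | 1.88E-08 | 1.88E-07 | 8.46E-07 | 2.26E-06 | 4.00E-06 | 5.91E-06 | 2.25E-05 | 2.04E-04 | 1.44E-03 | 6.07E-03 | 1.15E-02 |
| r_{i,k} | 1 | 2 | 1.95E-05 | 1.95E-04 | 8.78E-04 | 2.34E-03 | 4.10E-03 | 4.92E-03 | 4.10E-03 | 2.35E-03 | 9.34E-04 | 4.32E-04 | 4.69E-04 |
| r_{i,k} | 1 | 3 | 4.51E-07 | 4.51E-06 | 2.03E-05 | 5.42E-05 | 9.60E-05 | 1.42E-04 | 5.40E-04 | 4.89E-03 | 3.45E-02 | 1.46E-01 | 2.77E-01 |
| r_{i,k} | 1 | 4 | 4.68E-04 | 4.68E-03 | 2.11E-02 | 5.62E-02 | 9.83E-02 | 1.18E-01 | 9.84E-02 | 5.64E-02 | 2.24E-02 | 1.04E-02 | 1.13E-02 |
| r_{i,k} | 2 | 1 | 1.38E-07 | 1.38E-06 | 6.22E-06 | 1.66E-05 | 2.94E-05 | 4.35E-05 | 1.66E-04 | 1.50E-03 | 1.06E-02 | 4.46E-02 | 8.47E-02 |
| r_{i,k} | 2 | 2 | 1.43E-04 | 1.43E-03 | 6.46E-03 | 1.72E-02 | 3.01E-02 | 3.62E-02 | 3.01E-02 | 1.73E-02 | 6.87E-03 | 3.17E-03 | 3.45E-03 |
| r_{i,k} | 2 | 3 | 3.32E-07 | 3.32E-06 | 1.49E-05 | 3.98E-05 | 7.06E-05 | 1.04E-04 | 3.97E-04 | 3.60E-03 | 2.54E-02 | 1.07E-01 | 2.03E-01 |
| r_{i,k} | 2 | 4 | 3.44E-04 | 3.44E-03 | 1.55E-02 | 4.13E-02 | 7.23E-02 | 8.68E-02 | 7.23E-02 | 4.15E-02 | 1.65E-02 | 7.62E-03 | 8.28E-03 |
| r_{i,k} | 3 | 1 | 3.79E-07 | 3.79E-06 | 1.71E-05 | 4.55E-05 | 8.06E-05 | 1.19E-04 | 4.54E-04 | 4.11E-03 | 2.90E-02 | 1.22E-01 | 2.32E-01 |
| r_{i,k} | 3 | 2 | 3.93E-04 | 3.93E-03 | 1.77E-02 | 4.72E-02 | 8.26E-02 | 9.91E-02 | 8.26E-02 | 4.74E-02 | 1.88E-02 | 8.70E-03 | 9.46E-03 |
| r_{i,k} | 3 | 3 | 9.10E-08 | 9.10E-07 | 4.09E-06 | 1.09E-05 | 1.94E-05 | 2.86E-05 | 1.09E-04 | 9.87E-04 | 6.96E-03 | 2.94E-02 | 5.58E-02 |
| r_{i,k} | 3 | 4 | 9.44E-05 | 9.44E-04 | 4.25E-03 | 1.13E-02 | 1.98E-02 | 2.38E-02 | 1.98E-02 | 1.14E-02 | 4.52E-03 | 2.09E-03 | 2.27E-03 |
| w_{i,k} | 1 | 1 | 37.2 | 3.7E-01 | 1.7E-03 | 8.4E-05 | 2.6E-03 | 5.9E-02 | 9.3E-01 | 10.1 | 71.8 | 303.3 | 576.3 |
| w_{i,k} | 1 | 2 | 38574.6 | 386.1 | 1.7 | 7.0E-03 | 4.2E-03 | 7.2E-03 | 4.0E-02 | 4.0E-01 | 2.8 | 11.8 | 22.5 |
| w_{i,k} | 1 | 3 | 891.9 | 8.9 | 4.0E-02 | 2.0E-03 | 6.2E-02 | 1.4 | 22.3 | 242.0 | 1724.0 | 7279.1 | 13830.3 |
| w_{i,k} | 1 | 4 | 925789.6 | 9267.2 | 41.8 | 1.7E-01 | 1.0E-01 | 1.7E-01 | 1.0 | 9.5 | 67.3 | 283.9 | 539.4 |
| w_{i,k} | 2 | 1 | 37.2 | 0.4 | 1.7E-03 | 9.8E-05 | 2.6E-03 | 5.9E-02 | 9.3E-01 | 10.1 | 71.8 | 303.3 | 576.3 |
| w_{i,k} | 2 | 2 | 38574.3 | 386.1 | 1.7 | 2.2E-02 | 3.0E-02 | 3.8E-02 | 6.6E-02 | 4.1E-01 | 2.8 | 11.8 | 22.5 |
| w_{i,k} | 2 | 3 | 891.9 | 8.9 | 4.0E-02 | 2.0E-03 | 6.2E-02 | 1.4 | 22.3 | 242.0 | 1724.0 | 7279.1 | 13830.2 |
| w_{i,k} | 2 | 4 | 925789.9 | 9267.2 | 41.8 | 1.5E-01 | 7.5E-02 | 1.4E-01 | 9.4E-01 | 9.5 | 67.3 | 283.9 | 539.4 |
| w_{i,k} | 3 | 1 | 37.2 | 3.7E-01 | 1.7E-03 | 1.3E-04 | 2.7E-03 | 5.9E-02 | 9.3E-01 | 10.1 | 71.9 | 303.4 | 576.5 |
| w_{i,k} | 3 | 2 | 38573.8 | 386.1 | 1.8 | 5.2E-02 | 8.3E-02 | 1.0E-01 | 1.2E-01 | 4.4E-01 | 2.8 | 11.8 | 22.5 |
| w_{i,k} | 3 | 3 | 891.9 | 8.9 | 4.0E-02 | 2.0E-03 | 6.2E-02 | 1.4 | 22.3 | 242.0 | 1724.0 | 7279.0 | 13830.1 |
| w_{i,k} | 3 | 4 | 925790.4 | 9267.2 | 41.7 | 1.2E-01 | 2.2E-02 | 7.9E-02 | 8.9E-01 | 9.4 | 67.2 | 283.9 | 539.4 |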

Fig. 2. Detection probability ratio $Z^T/Z$ as a function of c. [Plot: ratio of detection probabilities, $Z^T/Z$, versus c (x 10^5), with curves for Case 1, Case 2 and Case 3.]

Recall that the results of Theorem 2 (which guarantees a threshold policy) do not apply to any of the four risk groups for all values of c considered. However, a threshold policy may be observed for a given level of the budget.

Fig. 3 shows the optimal screening policies for each of the four risk groups for Case 2. Fig. 3(a) illustrates the optimal MTKSP thresholds for all risk groups. Since MKSP defines a threshold policy for risk groups 1, 2, 4 (and these thresholds are identical to those for MTKSP in Fig. 3(a)).

All risk group thresholds are non-decreasing with c, which indicates that as more containers can be inspected by secondary screening procedures, fewer primary screening alarms warrant a container being selected for secondary screening regardless of risk group.

In some scenarios, primary screening is essentially not needed, since all containers in a risk group are selected for secondary screening regardless of how many primary screening sensors yield an alarm (when $c \ge 1.2 \times 10^5$, all risk group 1 containers are selected for secondary screening, and when $c \ge 1.6 \times 10^5$, all risk group 2 and 3 containers are selected for secondary screening). Fig. 3(b) illustrates the MKSP upper and lower thresholds as well as the MTKSP threshold for risk group 3, thus capturing the difference between the MKSP and MTKSP policies. It illustrates that a threshold policy is not optimal when $c < 3 \times 10^4$. This further suggests that there are few practical changes in the screening policies when a threshold policy is enforced.

Fig. 3. Screening Thresholds as a function of c for b = 10, n = 5.

6. Conclusions

This paper introduces two linear programming models for multilevel screening of cargo containers for nuclear material at security stations throughout the US using knapsack problem models. The analysis provides a risk-based framework for determining how to define a primary screening alarm when screening cargo containers given limited screening resources. The second model enforces a threshold policy to create screening policies that are easy to implement in practice. The structural properties of the two models are analyzed in order to shed light on the optimal policies. Analysis of this proposed model indicates that the optimal policy is not always a threshold policy under reasonable assumptions. However, a computational example indicates that enforcing a threshold policy may not lead to a significant decrease in the detection probability nor significant changes in the resulting screening policy.

This paper investigates the issue of how to define a primary screening alarm given a set of screening devices, rather than depending on prespecified notions of how a primary screening alarm should be defined. The proposed model can be used as a general framework to determine how to design next-generation security screening systems as well as define a primary screening alarm for any type of problem that relies on a series of screening devices or methods, risk assessments, and a limited secondary screening budget.

There are several possible extensions to this work that address the limitations of the linear programming models considered. First, this paper essentially assumes that each sensor alarm is equally important for determining which cargo containers should be selected by secondary screening. One extension is to examine the mixture of sensor alarms – rather than the total number of sensor alarms – that lead to secondary screening. A second extension is to consider the proposed models as one component in a larger access security system that operates in series, with dependencies between the components. A third extension to the proposed models is to explore the impact of complementary technologies to detect such threats (that detect alpha, beta, and gamma particles). Work is in progress to address these extensions.



Acknowledgements

This material is based upon work supported by the US Department of Homeland Security under Grant Award Number 2008-DN-077-ARI001-03. The computational work was done at Virginia Commonwealth University. The views and conclusions contained in this document are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the US Department of Homeland Security. The authors thank the referees for their helpful comments and suggestions, which have resulted in a significantly improved manuscript.

References

Bakir, N.O., 2008. A decision tree model for evaluating countermeasures to secure cargo at United States Southwestern ports of entry. Decision Analysis 5 (4), 230–248.

Boros, E., Fedzhora, L., Kantor, P.B., Saeger, K., Stroud, P., 2009. Large scale LP model for finding optimal container inspection strategies. Naval Research Logistics 56 (5), 404–420.

Boros, E., Goldberg, N., Kantor, P.B., Word, J., 2011. Optimal sequential inspection policies. Annals of Operations Research 187 (1), 89–119.

Concho, A.L., Ramirez-Marquez, J., 2010. An evolutionary algorithm for port-of-entry security optimization considering sensor thresholds. Reliability Engineering & System Safety 95 (3), 255–266.

Dimitrov, N., Michalopolous, D.P., Morton, D.P., Nehme, M.V., Pan, F., Popova, E., Schneider, E.A., Thoreson, G.G., 2011. Network deployment of radiation detectors with physics-based detection probability calculations. Annals of Operations Research (to appear).

Fritelli, J.F., 2005. Port and maritime security: Background issues for congress. CRS Report for Congress, Congressional Research Service, The Library of Congress, RL31733.

Gaukler, G., Li, C., Cannaday, R., Chirayath, S.S., Ding, Y., 2011. Detecting nuclear materials smuggling: Using radiography to improve container inspection policies. Annals of Operations Research 187 (1), 65–87.

Gaukler, G., Li, C., Cannaday, R., Chirayath, S.S., Ding, Y., 2012. Detecting nuclear materials smuggling: Performance evaluation of container inspection policies. Risk Analysis (to appear).

Huizenga, D., 2005. Detecting nuclear weapons and radiological material: How effective is available technology? Statement before the Subcommittee on Prevention of Nuclear and Biological Attacks and Subcommittee on Emergency Preparedness, Science and Technology, The House Committee on Homeland Security, June 21.

Kantor, P., Boros, E., 2010. Deceptive detection methods for effective security with inadequate budgets: The testing power index. Risk Analysis 30 (4), 663–673.

Kellerer, H., Pferschy, U., Pisinger, D., 2004. Knapsack Problems. Springer-Verlag, Berlin.

Kobza, J.E., Jacobson, S.H., 1996. Addressing the dependency problem in access security system architecture design. Risk Analysis 16 (6), 801–812.

Kobza, J.E., Jacobson, S.H., 1997. Probability models for access security system architectures. Journal of the Operational Research Society 48 (3), 255–263.

Koucky, M., 2003. Exact reliability formula and bounds for general k-out-of-n systems. Reliability Engineering and System Safety 82, 229–231.

Lava, J., 2008. US Customs and Border Protection. DIMACS/DyDAn/LPS Workshop on Port Security/Safety, Inspection, Risk Analysis, and Modeling, Piscataway, NJ, November 17-18, 2008.

McLay, L.A., Dreiding, R., 2009. Risk-based policies for detecting nuclear material on cargo containers with classification errors. Technical report, Virginia Commonwealth University, Richmond, VA.

McLay, L.A., Dreiding, R., 2011. Multilevel, threshold-based policies for cargo container security screening systems. Technical report, Virginia Commonwealth University, Richmond, VA, available at <http://www.dl.dropbox.com/u/6995461/TechnicalReports/2011SecurityThreshold.pdf>.

McLay, L.A., Lloyd, J.D., Niman, E., 2011. Interdicting nuclear material on cargo containers using knapsack problem models. Annals of Operations Research 187 (1), 185–205.

Merrick, J.R.W., McLay, L.A., 2010. Is screening cargo containers for smuggled nuclear threats worthwhile? Decision Analysis 7 (2), 155–171.

Morton, D.P., Pan, F., Saeger, K.J., 2007. Models for nuclear smuggling interdiction. IIE Transactions 39, 3–14.

Nehme, M.V., 2009. Two-person games for stochastic network interdiction: Models, methods, and complexities. Ph. D. thesis, The University of Texas, Austin, TX.

Ramirez-Marquez, J.E., 2008. Port-of-entry safety via the reliability optimization of container inspection strategy through an evolutionary approach. Reliability Engineering and System Safety 93, 1698–1709.

Rooney, B., 2005. Detecting nuclear weapons and radiological material: How effective is available technology? Statement before the Subcommittee on Prevention of Nuclear and Biological Attacks and Subcommittee on Emergency Preparedness, The House Committee on Homeland Security.

Strohm, C., 2006. Investigators call cargo security program unreliable. GovExec.com. April 6, available at <www.govexec.com/dailyfed/0406/040506cdam3.htm>, accessed on November 22, 2006.

United States Customs and Border Protection, 2007. Secure Freight with CSI, Megaports. Fact sheet, Washington, D.C.

United States Department of Transportation, 2007. America’s container ports: Delivering the goods. Research and innovative technology administration, Bureau of Transportation Statistics, Washington, D.C.

Wein, L.M., Liu, Y., Cao, Z., Flynn, S.E., 2007. The optimal spatiotemporal deployment of radiation portal monitors can improve nuclear detection at overseas ports. Science and Global Security 15, 211–233.

Wein, L.M., Wilkins, A.H., Baveja, M., Flynn, S.E., 2006. Preventing the importation of illicit nuclear materials in shipping containers. Risk Analysis 26 (5), 1377–1393.
