This is the accessible text file for GAO report number GAO-04-538T 
entitled 'Homeland Security: Risk Communication Principles May Assist 
in Refinement of the Homeland Security Advisory System' which was 
released on March 16, 2004.

This text file was formatted by the U.S. General Accounting Office 
(GAO) to be accessible to users with visual impairments, as part of a 
longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

Testimony Before the Subcommittee on National Security, Emerging 
Threats, and International Relations, Committee on Government Reform, 
House of Representatives: 

United States General Accounting Office: 

GAO: 

For Release on Delivery Expected at 10: 00 a.m. EST: 

Tuesday, March 16, 2004: 

Homeland Security: 

Risk Communication Principles May Assist in Refinement of the Homeland 
Security Advisory System: 

Statement of Randall A. Yim Managing Director Homeland Security and 
Justice Issues: 

GAO-04-538T: 

GAO Highlights: 

Highlights of GAO-04-538T, a testimony before the Subcommittee on 
National Security, Emerging Threats, and International Relations, 
Committee on Government Reform, House of Representatives 

Why GAO Did This Study: 

Established in March 2002, the Homeland Security Advisory System was 
designed to disseminate information regarding the risk of terrorist 
acts to federal, state, and local government agencies, private 
industry, and the public. However, this system generated questions 
among these entities regarding whether they were receiving the 
necessary information to respond appropriately to heightened alerts.

GAO obtained information on how the Homeland Security Advisory System 
operates, including the process used to notify federal, state, and 
local government agencies, private industry, and the public of changes 
in the threat level. GAO also reviewed literature on risk communication 
to identify principles and factors to be considered when determining 
when, what, and how information should be disseminated about threat 
level changes. Additionally, GAO researched what type of information 
had been provided to federal, state, and local agencies, private 
industry, and the public regarding terrorist threats. GAO also 
identified protective measures that were suggested for these entities 
to implement during code-orange alerts. Last, GAO identified additional 
information requested by recipients of threat information.

What GAO Found: 

On the basis of intelligence information, the Secretary, Department of 
Homeland Security (DHS), in consultation with members of the Homeland 
Security Council, determines whether the national threat level should 
be elevated. After the Secretary makes this decision, DHS and others 
begin the process of notifying federal, state and local government 
agencies, private industry, and the general public through various 
means, such as conference calls, e-mails, telecommunication systems, 
and press releases.

Risk communication principles may provide useful guidance for 
disseminating terrorist threat information to the public. Public 
warning systems should, to the extent possible, include specific, 
consistent, accurate, and clear information on the threat at hand, 
including the nature of the threat, location, and threat time frames. 
Additionally, public warnings should include guidance on actions to be 
taken in response to the threat. The public’s perception of the threat 
can also be affected by the content and method of public warnings. 
Without adequate threat information, the public may ignore the threat 
or engage in inappropriate actions, some of which may compromise rather 
than promote the public’s safety.

Federal, state, and local governments, private industry, and the public 
typically received general information from DHS on why the national 
threat level was changed, but did not receive specific information such 
as threat locations or time frames. However, for the December 21, 2003, 
to January 9, 2004, code-orange alert period, DHS announced that the 
aviation industry and certain geographic locations were at particularly 
high risk.

DHS and others, such as the American Red Cross, provided federal, 
state, and local government agencies, private industries, and the 
public with suggested protective actions for responding to increases in 
the threat level from code yellow to code orange. For example, the 
American Red Cross suggested that private industries and the public 
report suspicions activity to proper authorities and review emergency 
plans during code-orange alerts.

To determine appropriate protective measures to implement for code-
orange alerts, federal, state, and local government officials have 
requested more specific threat information. Federal agencies indicated 
that, particularly, region-, sector-, site-, or event-specific threat 
information, to the extent it is available, would be helpful. One state 
official said that receiving more specific information about likely 
threat targets would enable the state to concentrate its response 
rather than simply blanketing the state with increased general security 
measures. One local official also noted that specific information about 
the location of a threat should be provided to law enforcement agencies
throughout the nation—not just to localities that are being 
threatened—thus allowing other local governments to determine whether 
there would be an indirect impact on them and to respond accordingly.

www.gao.gov/cgi-bin/getrpt?GAO-04-538T.

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Randall Yim at (202) 
512-8777 or yimr@gao.gov.

[End of section]

Mr. Chairman and Members of the Subcommittee: 

Thank you for this opportunity to participate in this hearing examining 
the Homeland Security Advisory System. We last testified before this 
Subcommittee on February 3, 2004, describing the key characteristics of 
effective national strategies for homeland security and comparing and 
contrasting the extent to which seven national homeland security 
strategies contained such characteristics. Our purpose was to assist in 
continual improvement and refinement of these strategies. At that 
hearing, we emphasized that the true measure of the value of these 
strategies was both (a) the extent to which each strategy was useful as 
guidance for the relevant federal, state and local government agencies, 
private industry, not-for-profits, and the general public; and (b) the 
extent to which these strategies were actually used in the 
implementation of the major missions of homeland security; namely, 
prevention, vulnerability assessment and reduction, response, and 
recovery.

Similarly, our purpose in providing observations on the Homeland 
Security Advisory System in this testimony is to identify key 
characteristics of effective public warning systems, to explore 
principles to be considered and balanced when determining what 
information to disseminate, and to assist in the Department of Homeland 
Security's (DHS) continued refinement of the Homeland Security Advisory 
System. As with the national strategies, the true value of the Homeland 
Security Advisory System will be the extent to which it is useful as 
guidance for and actually used in the implementation of prevention, 
vulnerability reduction, and response and recovery measures by relevant 
parties, including the general public. Further, the Homeland Security 
Advisory System is not and should not be considered the only means by 
which the threat and response information is disseminated.

Specific threat and vulnerability information is received by federal 
agencies and used by the executive branch in determining when to raise 
or lower the terrorist threat advisory levels. Key issues for the 
Homeland Security Advisory System are to what extent, when, and with 
whom such information should be shared. This Subcommittee suggested 
that there is a link between information sharing and the ability of the 
recipients to act upon such information. Each change in the national 
threat level presents unique facts and circumstances, which influence 
what, when, and with whom threat information, should be shared. 
Principles of risk communication[Footnote 1] may provide useful 
guidance for information sharing, thus assisting in the refinement of 
the Homeland Security Advisory System. Risk communication principles 
can and should assist not only in prevention, but also in implementing 
action to reduce vulnerabilities and preparation for enhanced response 
and recovery should a terrorist attack occur. On the other hand, poor 
risk communication could lead to complacency and misallocation of 
valuable limited resources and could be disruptive and expensive for 
affected parties. Preservation of credibility and public confidence are 
also important considerations in the refinement of the current 
terrorist threat advisory system.

Today, my testimony will focus on: 

* how the Homeland Security Advisory System operates, including a 
description of the process used to determine the national threat level 
and the notification process DHS uses to disseminate threat level 
information to federal, state, and local government agencies, private 
industry, and the general public;

* what principles and factors experts suggest should be considered when 
determining information to be disseminated about threat level changes;

* what information DHS currently shares regarding threats;

* what protective measures DHS and others have suggested for federal, 
state, and local government agencies, private industry, and the public 
for code-orange alerts; and: 

* additional information requested and improvements to the advisory 
system suggested by recipients of threat information.

To address these objectives, we examined reports, guidance, and other 
documents from individuals and organizations with expertise in homeland 
security and disaster response, including the American Red Cross, the 
ANSER Institute for Homeland Security, ASIS International, the Center 
for Strategic and International Studies, the Congressional Research 
Service, the Council of State Governments, the Harvard Center for Risk 
Analysis, and the Partnership for Public Warning. We also extracted 
information from our correspondence,[Footnote 2] which provides 
information collected during our ongoing review of the Homeland 
Security Advisory System and guidance and information used by federal, 
state, and local government agencies to determine protective measures 
to implement when the national threat level is raised to code-orange 
alert. We are conducting this review at the request of the House Select 
Committee on Homeland Security. We expect to complete the review and 
report the final results later this year. We conducted our work from 
July 2003 to March 2004 in accordance with generally accepted 
government auditing standards.

In brief, on the basis of intelligence analysis, the Secretary of 
Homeland Security, in consultation with members of the Homeland 
Security Council,[Footnote 3] determines whether the national threat 
level should be elevated or lowered. Once the Secretary makes this 
decision, DHS and others begin the process of notifying federal, state 
and local government agencies, private industries, and the public 
through various means, such as conference calls. According to experts, 
risk communication principles may assist in determining the nature, 
timing, and extent of warnings regarding threats to public safety. 
Additionally, experts suggest that effective public warning systems 
should include specific, consistent, accurate, and clear information on 
threats. Until recently, DHS announcements of national threat level 
changes included general information on why the threat level was 
changed, but not specific information on threats. Experts also suggest 
that public warnings include guidance on appropriate actions to take in 
response to threats. DHS and various organizations, such as the 
American Red Cross, suggested protective measures federal, state, and 
local agencies, private industries, and the public could take in 
response to code-orange alerts. To help determine what measures to 
implement for code-orange alerts, federal, state, and local government 
officials indicated they would prefer more specific threat information.

Background: 

Homeland Security Presidential Directive 3 (HSPD-3) established the 
Homeland Security Advisory System in March 2002. Through the creation 
of the Homeland Security Advisory System, HSPD-3 sought to produce a 
common vocabulary, context, and structure for an ongoing discussion 
about the nature of threats that confront the nation and the 
appropriate measures that should be taken in response to those threats. 
Additionally, HSPD-3 established the Homeland Security Advisory System 
as a mechanism to inform and facilitate decisions related to securing 
the homeland among various levels of government, the private sector, 
and the general public.

The Homeland Security Advisory System is comprised of five color-coded 
threat conditions, which represent levels of risk related to potential 
terror attack. As defined in HSPD-3, risk includes both the probability 
of an attack occurring and its potential gravity. Since its 
establishment in March 2002, the Homeland Security Advisory System 
national threat level has remained at elevated alert--code yellow--
except for five periods during which the administration raised it to 
high alert--code orange. The periods of code-orange alert follow: 

* September 10 to 24, 2002: 

* February 7 to 27, 2003: 

* March 17 to April 16, 2003: 

* May 20 to 30, 2003: 

* December 21, 2003, to January 9, 2004.

When HSPD-3 first established the Homeland Security Advisory System, it 
provided the Attorney General with responsibility for administering the 
Homeland Security Advisory System, including assigning threat 
conditions in consultation with members of the Homeland Security 
Council, except in exigent circumstances. The Attorney General could 
assign threat levels for the entire nation, for particular geographic 
areas, or for specific industrial sectors. In November 2002, Congress 
enacted the Homeland Security Act of 2002, P.L. 107-296, which 
established the Department of Homeland Security. Under the Homeland 
Security Act of 2002, the DHS Under Secretary for Information Analysis 
and Infrastructure Protection (IAIP) is responsible for administering 
the Homeland Security Advisory System. In February 2003, in accordance 
with the Homeland Security Act, the administration issued Homeland 
Security Presidential Directive 5 (HSPD-5), which amended HSPD-3 by 
transferring authority for assigning threat conditions and conveying 
relevant information from the Attorney General to the Secretary of 
Homeland Security.

How the Homeland Security Advisory System Currently Operates: 

According to DHS officials, the intelligence community continuously 
gathers and analyzes information regarding potential terrorist 
activity. This includes information from such agencies as DHS,[Footnote 
4] the Central Intelligence Agency, the Federal Bureau of Investigation 
(FBI), and the Terrorist Threat Integration Center.[Footnote 5] 
Analyses from these and other agencies are shared with DHS's IAIP, 
which is engaged in constant communication with intelligence agencies 
to assess potential homeland security threats.

DHS officials told us that when intelligence information provides 
sufficient indication of a planned terrorist attack, and is determined 
to be credible, IAIP recommends to the Secretary of Homeland Security 
that the national threat level should be raised. To decide whether to 
lower the national threat level, DHS officials told us that the 
department reviews threat information to determine whether time frames 
for threats have passed and whether protective measures in place for 
the code-orange alerts have been effective in mitigating the threats. 
DHS officials further told us that analysis of the threat information 
and determination of threat level changes are specific for each time 
period and situation and include a certain amount of subjectivity. They 
said no explicit criteria or other quantifiable factors are used to 
decide whether to raise or lower the national threat level.

After reviewing threat information and analyses, the Secretary of 
Homeland Security consults with the other members of the Homeland 
Security Council on whether the national threat level should be 
changed.[Footnote 6] DHS officials told us that if the Homeland 
Security Council members could not agree on whether to change the 
national threat level, the President would make the decision. After the 
determination has been made to raise or lower the national threat 
level, DHS begins its notification process.

As discussed in our February correspondence,[Footnote 7] DHS used the 
following methods, among others, to notify federal, state, and local 
agencies of changes in the national threat level,

* conference calls between the Secretary of Homeland Security and state 
governors and/or state homeland security officials;

* telephone calls from Federal Protective Service (a component of DHS) 
officials to federal agencies;

* e-mail or telephone communications from Homeland Security Operations 
Center (HSOC) representatives to the federal, state, or local agencies 
they represent;

* HSOC electronic systems, such as the Joint Regional Information 
Exchange System;

* FBI electronic systems, such as the National Law Enforcement 
Telecommunications System; and: 

* e-mail and/or telephone communications with federal agencies' chief 
of staff and public affairs offices.

As discussed in the Congressional Research Service's January 2004 
report on the Homeland Security Advisory System,[Footnote 8] DHS also 
provides information to chief executive officers of the nation's top 
businesses and industries through the Business Roundtable's Critical 
Emergency Operations Communications Link (CEO COM LINK), a secure 
telecommunications system activated during national crises and threats. 
Chief executive officers are asked to dial into a secure conference 
call, and after each officer goes through a multistep authentication 
process to ensure security, DHS or other federal officials brief them 
on threats. DHS also calls other critical infrastructure and business 
associations to notify them of national threat level changes. DHS 
provides information on changes in the national threat level and 
related threat information to the public through press conferences, 
press releases, and other announcements or statements released on Web 
sites or media sources.

DHS officials told us that they have not yet formally documented 
protocols for notifying federal, state, and local government agencies 
and the private sector of national threat level changes. They told us 
that they are working to document their protocols. However, they could 
not provide us with a specific time frame as to when DHS expects to 
complete this effort. For an entity to control its operations, it must 
have relevant, reliable, and timely communications relating to internal 
as well as external events.[Footnote 9] As we have previously reported, 
to establish channels that facilitate open and effective communication, 
agencies should clearly set out procedures, such as communication 
protocols, that they will consistently follow when doing their 
work.[Footnote 10] Communications protocols would, among other things, 
help foster clear understanding and transparency regarding federal 
agencies' priorities and operations. Moreover, protocols can help 
ensure that agencies interact with federal, state, local, and other 
entities using clearly defined and consistently applied policies and 
procedures.

Risk Communication Principles May Provide Useful Guidance for 
Refinement of the Homeland Security Advisory System: 

Risk communication principles have been used in a variety of public 
warning contexts, from alerting the public about severe weather or 
providing traffic advisories to less commonplace warnings of infectious 
disease outbreaks or potential dangers from hazardous materials or 
toxic contamination.[Footnote 11] These principles can be considered 
when determining the nature, timing, and extent of warnings regarding 
threats to public safety. In general, risk communication principles 
seek to maximize public safety by ensuring that the public has 
sufficient information to determine actions to take to prevent or to 
respond to emergencies. Appropriately warning the public of threats can 
help save lives and reduce the costs of disasters. In providing such 
warnings, experts say that citizens should be given an accurate 
portrayal of risk, without overstating the threat or providing false 
assurances of security. According to David Ropeik of the Harvard Center 
for Risk Analysis and Dr. Paul Slovic of Decision Research, 
understanding and respecting the ways people make risk judgments can 
help governments assist citizens in keeping their sense of risk in 
perspective. In turn, this helps citizens make wiser, healthier 
decisions and focuses social concern on the relatively greater 
risks.[Footnote 12]

Differences between warnings about terrorist threats and relatively 
more familiar warnings about infectious disease must also be recognized 
in effective risk communication principles. For example, specific 
terrorist threat warnings may allow terrorists to alter tactics or 
targets in response or increase general anxiety for those clearly not 
at risk. Moreover, government agencies may not always have specific 
information on terrorist threats or may not be able to publicly share 
specific information in threat warnings.

Experts have identified the following as important principles for 
individuals when making risk management decisions: 

* Specific information on the potential threat including, to the 
greatest extent possible,

* the nature of the threat,

* when and where it is likely to occur, and: 

* over what time period, and: 

* Guidance on actions to be taken.

Additionally, experts have noted that such information should be 
consistent, accurate, clear, and provided repeatedly.

Inadequately adhering to these principles can compromise public safety 
and erode public confidence. For example, at a March 5, 2004, hearing 
before the House Committee on Government Reform,[Footnote 13] it was 
noted that the residents of the District of Columbia received 
incomplete and inconsistent information regarding appropriate 
protective measures to take in response to high concentrations of lead 
in drinking water. Specifically, the District of Columbia Water and 
Sewer Authority initially recommended that residents flush water lines 
for 1 to 2 minutes prior to using water for drinking or cooking. Later, 
District residents received different instructions to flush water lines 
for 10 minutes.

Similarly, in his testimony before this Subcommittee in November 
2001,[Footnote 14] Dr. Kenneth Shine, the president of the Institute of 
Medicine, the National Academies, provided an example of how the public 
may take inappropriate actions due to inadequate information associated 
with the anthrax incidents. He said that better and earlier information 
on the extent to which Americans were at risk of harm from anthrax 
might have prevented the premature exhaustion of the supply of 
Ciprofloxacin[Footnote 15] and might have prevented the nearly 20 
percent of those who took the antibiotic unnecessarily from possibly 
experiencing harmful side effects. David Ropeik and Dr. George Gray, 
both at the Harvard Center for Risk Analysis, also cited the risk of 
inadequate information to the public with regard to anthrax. They said 
that if the government does not manage the public's perception of the 
risk of terrorism, the public may be more apt to take actions that may 
cause them harm.[Footnote 16]

Moreover, as we testified in July 2003, Severe Acute Respiratory 
Syndrome, better known as SARS, was able to spread worldwide due to 
delayed warnings about the appearance of the disease.[Footnote 17] 
However, the outbreak was subsequently controlled because, according to 
health officials, rapid and frequent communications of crucial 
information about the disease--such as the level of outbreak worldwide 
and recommended infectious disease control measures--were vital to 
efforts to contain its spread.

Some experts caution government officials about providing too much 
threat information and highlight the need to balance the possible 
consequences of providing threat information that is either too 
specific or too general. For example, according to the Senior Advisor 
for Public Health Risk Communication at the Department of Health and 
Human Services, providing too much information to the public regarding 
terrorist threats could result in public panic and disorganization, 
while providing too little information could result in public denial, 
apathy, and inaction. She suggests that those informing the public must 
balance the information they provide so that the public's fear will 
translate into concern and, in turn, result in the implementation of 
self-protective measures by citizens. She also suggests that such 
balance can be achieved by emphasizing to the public that there is a 
response plan in place; avoiding over-reassurance; acknowledging that 
there is uncertainty about the threat; giving people things to do; 
acknowledging the shared misery; and addressing "what if" questions.

Other experts assert that it is not the amount of information that 
causes the public to respond inappropriately to warnings of threats, 
but rather, it is the adequacy of the information provided that will 
determine the public's response. For instance, in a report prepared for 
the Federal Emergency Management Agency (FEMA),[Footnote 18] public 
warnings experts John Sorensen and Dennis Mileti and the Partnership 
for Public Warning[Footnote 19] assert that the public rarely, if ever, 
is given too much information in an official warning. [Footnote 20] 
Furthermore, they noted that even though mass panic is commonly 
expected by civil authorities, it almost never occurs.[Footnote 21]

Decisions regarding who should receive threat information, as well as 
the nature, timing, and extent of information to be shared, should be 
related to the willingness and ability of the recipients to use such 
information.

Mr. Ropeik and Dr. Slovic identified several key factors relevant to a 
recipient's risk perception and management: 

* Dread---the more horrific a threat, the more people fear it.

* Control--the more control individuals have over a situation, the 
smaller they perceive the risk; (e.g., driving one's own car versus 
traveling in a commercial airliner that is piloted by a stranger).

* Is the risk natural or is it human-made?--a man-made source of risk, 
such as radiation from cellular telephones, evokes greater fear among 
people than does radiation from natural sources such as the sun.

* Choice--risks that are chosen evoke less fear than those that are 
imposed on us.

* Children--threats to children are perceived as worse than those to 
adults, even when the risks are from the same source, such as asbestos.

* Is the risk new?--emerging threats generate more anxiety among 
individuals than those that are known.

* Awareness--greater awareness of risks likely heightens concern: 

* Can it happen to me? --risks seem greater if one believes he or she 
or someone close may be a victim.

* The risk-benefit tradeoff--a perceived benefit from a behavior or 
choice makes the associated risk seem smaller.

* Trust--greater trust in those communicating the risk and responsible 
for action lessens anxiety.

Many of the principles and factors described above appear to be 
relevant to sharing information about terrorist threats, and 
consideration of the relevance of these factors may be useful in future 
refinements of the Homeland Security Advisory System. Further, it is 
important to recognize that this Advisory System is not and should not 
be considered the only means by which threat and response information 
is disseminated.

In certain contexts, risk communication principles have been codified-
-incorporated in legislation. For example, legislation, such as the 
Emergency Planning and Community Right-To-Know Act of 1986, recognizes 
the importance of providing information to the public regarding 
hazardous materials in their community. [Footnote 22] Section 313 of 
the act generally requires facilities that manufacture, process, or 
otherwise use toxic chemicals to report the amounts of various toxic 
chemicals that they release to the environment and requires the 
Environmental Protection Agency (EPA) to make this information 
available to the public. Fire departments and other emergency 
responders have access to this information to help develop response 
plans before they arrive at the scene of a chemical accident or at a 
fire at a facility using hazardous chemicals. [Footnote 23] In 
addition, occupational safety and health requirements mandate that 
materials safety data sheets accompany hazardous materials to provide 
information and warnings about potential dangers and appropriate 
protective or response measures.[Footnote 24]

The Safe Drinking Water Act and its amendments require public water 
systems to provide information to the public that would allow them to 
respond to violations of the National Primary Drinking Water 
Regulations--standards that protect public health by limiting the 
levels of contaminants in drinking water. Included in these 
notifications should be a description of the violation, any potential 
adverse health effects, what the system is doing to correct the 
problem, and whether consumers should use an alternate source of 
water.[Footnote 25]

Why Is It Important for the Homeland Security Advisory System to 
Incorporate Risk Communication Principles?

While federal agencies, state and local governments, the private sector 
and the general public routinely make risk management decisions (even 
though they may not think of them as such), threats of terrorism within 
the United States remain relatively unfamiliar. As noted by David 
Ropeik and Dr. Paul Slovic, greater recognition of the underpinnings of 
the fear of terrorism, and respect for the social and psychological 
dynamics of response, can assist policy makers in incorporating such 
realities as well as fact-based analysis into risk communication 
principles. As Ropeik and Slovic explain, understanding the reasons 
people perceive risk as they do, policy makers can communicate with 
various audiences about these issues in terms and language relevant to 
people's concerns, and as a result risk communication or warnings are 
likely to be more successful in helping people make more informed 
choices about the risks they face.[Footnote 26]

Finally, implementation of risk communication principles could prevent 
complacency or inaction in the face of elevated threat warnings of the 
Homeland Security Advisory System. For example, it is assumed that when 
warnings are not followed by the occurrence of the hazard, the public 
will ignore future warnings. However, the Dr. Baruch Fischhoff, 
professor in the Department of Social and Decision Sciences at Carnegie 
Mellon University, and the Partnership for Public Warnings suggested 
otherwise. They said that it is not the number of perceived false 
alarms that will cause the public to ignore future warnings and develop 
a sense of complacency about the hazard; rather, it is the lack of 
information provided to the public regarding the perceived false alarm 
that will cause the warning system to lose its credibility. The 
Partnership for Public Warning suggests that the real concern is 
educating the public about the uncertainty of the threat so that they 
can comprehend that false alarms arise from inherent uncertainty rather 
than from poor professional practice.[Footnote 27] Similarly, Dr. 
Fischhoff, citing the color-coded levels of the Homeland Security 
Advisory System, suggested that the public needs to be educated 
regarding the philosophy underlying each threat level to help the 
public understand why false alarms are inevitable, thus minimizing 
cumulative apathy among the public.[Footnote 28]

Information Currently Shared by DHS: 

Until recently, DHS's announcements of increases in the national threat 
level to code orange have included general information on why the 
threat level was raised and general suggestions for protective measures 
the public could take during code-orange alert periods. However, these 
announcements generally did not include information on locations of 
potential threats and threat time frames. For example, on the occasion 
of the third code-orange alert, March 17 to April 16, 2003, the 
Secretary of Homeland Security made the decision to raise the threat 
level based on intelligence indicating the possibility of terrorist 
attacks due to a military campaign in Iraq. Similarly, for the code-
orange alert from May 20 to 30, 2003, the Secretary provided general 
information on why the national threat was raised. For example, the 
Secretary announced that the threat level was changed based on the U.S. 
intelligence community's belief that, in the wake of terrorist bombings 
in Saudi Arabia and Morocco, Al-Qaida had entered an operational 
period, which may include attacks in the United States.

During the most recent code-orange alert period, December 21, 2003, to 
January 9, 2004, there was heightened concern about the use of aircraft 
for potential terrorist attacks, and several geographic locations were 
also reported to be at particularly high risk. DHS provided specific 
recommendations for protective measures to industry sectors and for 
geographic areas in response to specific threat information. When the 
national threat level was lowered to yellow on January 9, 2004, DHS 
recommended that some sectors, such as the aviation industry, and 
certain geographic locations continue on a heightened alert status. 
According to the Deputy Secretary, this was the first time since the 
creation of the Homeland Security Advisory System that DHS lowered the 
national threat level but recommended maintaining targeted protections 
for a particular industry sector or geographic location.

In addition, DHS officials said that the department issues threat 
advisories and information bulletins for specific threats that do not 
require changes in the national threat level. Threat advisories contain 
information about incidents or threats targeting critical national 
infrastructures or key assets, such as pipelines. Information bulletins 
communicate information of a less urgent nature to nongovernmental 
entities and those responsible for the nation's critical 
infrastructures. The threat advisories and bulletins we reviewed also 
include advice on protective measures for law enforcement agencies.

Agencies and Organizations Have Suggested Actions for Federal, State, 
and Local Agencies, the Private Sector, and the Public: 

Various agencies and organizations such as DHS, the American Red Cross, 
and ASIS International have suggested general protective measures for 
federal, state, and local government agencies, private industries, and 
the public to consider for each Homeland Security Advisory System 
threat level, including code orange. Federal, state and local agencies, 
private industries, and the public may use measures suggested by these 
agencies and organizations, as well as others, to determine actions to 
take when the national threat level is raised to code orange.

For example, HSPD-3, the presidential directive that established the 
Homeland Security Advisory System, suggested general protective 
measures for each threat level for federal agencies. At code orange, 
the directive suggests that federal agencies consider coordinating 
necessary security efforts with federal, state, and local law 
enforcement agencies; taking additional precautions at public events; 
preparing to execute contingency procedures; and restricting facility 
access to essential personnel only.

For state and local government agencies, DHS requested that they 
implement protective measures during code-orange alerts, although 
compliance with the Homeland Security Advisory System is voluntary for 
state and local governments. For example, during the two most recent 
code-orange alerts (May 20 to 30, 2003, and December 21, 2003, to 
January 9, 2004), DHS suggested state governors and local government 
officials review security measures their agencies had in place and 
deploy additional measures to mitigate terrorist attacks. In addition, 
some states have developed their own protective measures for state and 
local government agencies for Homeland Security Advisory System threat 
levels. For example, at code-orange alert, the state of Washington's 
military department suggests that, among other measures, state and 
local agencies disseminate the orange advisory and share pertinent 
information with state and local agencies and officials; place all 
emergency management and specialized response teams on full alert 
status; and suspend public tours of critical infrastructure facilities.

For private industries, ASIS International, an international 
organization for security professionals, developed draft guidelines as 
a tool for private businesses and industries to consider when 
determining possible actions to be implemented at each Homeland 
Security Advisory System threat level.[Footnote 29] At code-orange 
alert, ASIS International suggests that private industries consider, 
among other measures, preparing for possible evacuation, closing, and 
securing facilities; increasing security patrols; conducting 
heightened screening and inspection of mail and deliveries; and 
discontinuing tours and other non-essential site visits. In addition, 
the American Red Cross recommends that businesses be alert to 
suspicious activity and report it to proper authorities; review 
emergency plans; and determine the need to restrict access to 
businesses.

FEMA, an entity of DHS, and the American Red Cross suggest general 
actions citizens should consider taking during periods of code-orange 
alert. For example, in its guide, Are You Ready? A Guide to Citizen 
Preparedness,[Footnote 30] FEMA recommends that citizens review 
preparedness measures (including evacuation and sheltering) for 
potential terrorist actions, including chemical, biological, and 
radiological attacks; avoid high profile or symbolic locations; and 
exercise caution when traveling. Likewise, the American Red Cross 
suggests that individuals and families be alert to suspicious activity 
and report it to proper authorities; review personal and family 
disaster and communication plans; and have shelter-in-place materials 
so that individuals and families can remain where they are located when 
incidents occur. Moreover, in public announcements of national threat 
level increases, the Secretary of Homeland Security recommended that 
citizens continue with their plans but be alert and report any 
suspicious activity to law enforcement agencies. In addition, according 
to the Deputy Secretary of Homeland Security, the department has 
launched a public information campaign to increase citizen and 
community preparedness. As part of the campaign, DHS developed the 
Ready.gov Web site in early 2003, which recommends actions individuals 
and families can take, such as creating family emergency plans and 
assembling emergency kits.

Additional Information Requested and Improvements to the Advisory 
System Suggested by Relevant Parties: 

As noted in our February correspondence,[Footnote 31] some federal 
agencies for which we collected information indicated that without 
specific information on threats, they cannot effectively focus 
resources on protective measures to respond to possible threats. 
Likewise, Governor Mitt Romney of Massachusetts testified in June 
2003[Footnote 32] that state and local officials need specific 
information if they are to match their response to an increased threat 
level appropriate to the increased risk.

Federal, state, and local government officials reported that receiving 
information with greater specificity about threats, if available, would 
have been helpful in determining additional actions to take in response 
to code-orange alerts. For example, 14 of 15 federal agencies that 
provided us with information indicated that information on region-, 
sector-, site-, or event-specific threats, if available, would have 
been helpful. Additionally, all of the 15 federal agencies that 
provided us with information noted that information on threat time 
frames, if available, would have assisted them in determining 
appropriate actions to take in responding to the code-orange alerts. 
Fourteen federal agencies also indicated that receiving information on 
recommended measures for preventing incidents would have been helpful 
in determining appropriate protective measures to implement or enhance 
for each code-orange alert period.

Similarly, one state official noted that receiving more specific 
information about the type of threat--against bridges and dams, for 
example--would enable the state to concentrate its response in those 
areas, a more effective approach than simply blanketing the state with 
increased general security measures. One local official also noted that 
specific information about the location of a threat should be provided 
to law enforcement agencies throughout the nation--not just to 
localities that are being threatened--thus allowing other local 
governments to determine whether there would be an indirect impact on 
them and to respond accordingly. Additionally, according to a national 
survey on the public's priorities regarding receipt of terror-related 
information, the public wants honest and accurate information about 
terror-related situations, even if that information worries 
them.[Footnote 33]

DHS officials told us that the Homeland Security Advisory System is 
constantly evolving based on their ongoing review of the system. DHS 
officials told us they adjust the system based on feedback from 
federal, state and local government and private sector officials; tests 
of the system; and experience with previous periods of code-orange 
alert. For example, during the most recent code-orange alert, there was 
heightened concern about the use of aircraft for potential terrorist 
attacks, and several geographic locations were also reported to be at 
particularly high risk. In a recent testimony, the Deputy Secretary of 
Homeland Security noted that DHS provided specific recommendations for 
protective measures to industry sectors and for geographic areas in 
response to specific threat information.

Concluding Observations: 

Specific terrorist threats present unique factors that will necessarily 
influence what information can and should be shared, when it should be 
disseminated, and to whom. Other factors to be considered include (a) 
the extent to which relevant parties can actually act upon such 
information, not only to prevent attacks, but also to identify and 
reduce vulnerabilities and enhance their response and recovery should 
an attack occur; (b) the danger of mis-allocation of limited valuable 
resources through sharing of incorrect or vague information; (c) the 
disruption incurred as a result; and (d) the erosion of public 
confidence and credibility through ineffective risk communication. Risk 
communication principles used in areas such as hazardous materials 
management, disease prevention, or law enforcement, may provide useful 
guidance as DHS continues to refine the Homeland Security Advisory 
System.

Mr. Chairman, this completes my prepared statement. I would be happy to 
respond to any questions you or other Members of the Subcommittee may 
have at this time.

GAO Contacts and Staff Acknowledgments: 

For further information about this testimony, please contact Randall A. 
Yim at (202) 512-8777. Other key contributors to this statement were 
David P. Alexander, Fredrick D. Berry, Nancy A. Briggs, Kristy N. 
Brown, Philip D. Caramia, Christine F. Davis, Katherine M. Davis, 
Michele Fejfar, Rebecca Gambler, William O. Jenkins, Debra B. 
Sebastian, Gladys Toro, Jonathan R. Tumin, and Kathryn G. Young.

FOOTNOTES

[1] According to the National Research Council, risk communication is 
the exchange of information among individuals and groups regarding the 
nature of risk, reactions to risk messages, and legal and institutional 
approaches to risk management. 

[2] See U.S. General Accounting Office, Homeland Security Advisory 
System: Preliminary Observations Regarding Threat Level Increases from 
Yellow to Orange, GAO-04-453R (Washington, D.C.: Feb. 26, 2004).

[3] Members of the Homeland Security Council include the President; the 
Vice President; the Secretaries of Defense, Health and Human Services, 
Homeland Security, Transportation, and the Treasury; the Attorney 
General; the Director of the Federal Emergency Management Agency; the 
Director of the Federal Bureau of Investigation; the Director of 
Central Intelligence; and the Assistant to the President for Homeland 
Security. 

[4] DHS's Homeland Security Operations Center and its IAIP Directorate 
monitor threats and conduct information assessments on a daily basis. 
The Center is comprised of representatives from DHS component entities, 
other federal agencies, and local law enforcement agencies.

[5] The Terrorist Threat Integration Center is responsible for 
analyzing and sharing terrorist-related information that is collected 
domestically and abroad. It is an interagency joint venture that is 
comprised of elements of DHS, the FBI's Counterterrorism Division, the 
Director of Central Intelligence Counterterrorist Center, the 
Department of Defense, and other agencies.

[6] Under HSPD-5, the Secretary can change the national threat level 
without consulting other Homeland Security Council members in exigent 
circumstances. However, DHS officials told us that this did not occur 
for any of the three most recent code-orange alerts. 

[7] GAO-04-453R.

[8] See Congressional Research Service, Homeland Security Advisory 
System: Possible Issues for Congressional Oversight (Washington, D.C.: 
Jan. 29, 2004).

[9] See U.S. General Accounting Office, Standards for Internal Control 
in the Federal Government, GAO/AIMD-00.21.3.1 (Washington, D.C.: 
November 1999).

[10] See U.S. General Accounting Office, Office of Compliance: Status 
of Management Control Efforts to Improve Effectiveness, GAO-04-400 
(Washington, D.C.: Feb. 3, 2004).

[11] Public warning systems in the weather and health sectors provide 
information to citizens that allow them to determine their actions to 
respond to threats. For example, for severe storms, the National 
Weather Service and the mass media attempt to alert the public in 
advance when they might pose a hazard to public safety. Similarly, the 
Centers for Disease Control and Prevention developed a nationwide 
reporting system that seeks to detect emerging epidemics and then to 
warn the public about the nature of the health threat.

[12] David Ropeik and Paul Slovic, "Risk Communication: A Neglected 
Tool in Protecting Public Health," Risk in Perspective, vol. 11, no. 2 
(Harvard Center for Risk Communication, Cambridge, Mass. 2003) 

[13] Chairman Tom Davis, "Public Confidence Down the Drain: The Federal 
Role in Ensuring Safe Drinking Water in the District of Columbia" 
(opening statement presented at a hearing before the House Committee on 
Government Reform, Washington, D.C.: Mar. 5, 2004).

[14] Dr. Kenneth Shine, "For a Hearing on Risk Communication: National 
Security and Public Health" (testimony presented to the Subcommittee on 
National Security, Veterans Affairs, and International Relations, House 
Committee on Government Reform, Washington, D.C.: Nov. 29, 2001).

[15] Ciprofloxacin is an antibiotic that was used to treat persons 
believed to be exposed to anthrax.

[16] George M. Gray and David P. Ropeik, Dealing with the Dangers of 
Fear: The Role of Risk Communication, Health Affairs. vol. 21, no. 6 
(2002) 1-2.

[17] See U.S. General Accounting Office, Severe Acute Respiratory 
Syndrome: Established Infectious Disease Control Measures Helped 
Contain Spread, but a Large-Scale Resurgence May Pose Challenges, GAO-
03-1058T (Washington, D.C.: July 30, 2003). SARS is believed to have 
originated in Guangdong Province, China, in mid-November 2002. 

[18] Dennis S. Mileti and John H. Sorensen, Communication of Emergency 
Public Warnings: A Social Science Perspective and State-of-the-Art 
Assessment, a report prepared for the Federal Emergency Management 
Agency, August 1990, 3-2. 

[19] The Partnership for Public Warning is a public/private not-for-
profit institute that works to promote and enhance efficient, 
effective, and integrated dissemination of public warnings and related 
information so as to save lives, reduce disaster losses, and speed 
recovery.

[20] Partnership for Public Warning, Developing a Unified All-Hazard 
Public Warning System (Emmitsburg, Md: Nov. 25, 2002) 8.

[21] Mr. Sorensen and Mr. Mileti reported that, according to research, 
panic occurs only in situations in which there is closed physical 
space, in which there is an immediate and clear threat of death, and in 
which escape routes will not accommodate all those in danger in the 
minutes before death comes to those left behind. 

[22] P.L. 99-499, Title III, Subtitle A (Oct. 17, 1986).

[23] See U.S. General Accounting Office, Environmental Information: 
Agencywide Policies and Procedures Are Needed for EPA's Information 
Dissemination, GAO/RCED-98-245 (Washington, D.C.: Sept. 24, 1998).

[24] See 29 C.F.R. 1910.1200(g).

[25] See 42 U.S.C. 300g-3(c)(2)(C); 40 C.F.R. 141.205.

[26] Ropeik and Slovic "Risk Communication" 3.

[27] Partnership for Public Warning, "Developing a Unified All-Hazard 
Public Warning System" 8.

[28] Baruch Fischhoff, "Assessing and Communicating the Risks of 
Terrorism," in Science and Technology in a Vulnerable World, 51-64 
(Washington, DC: American Association for the Advancement of Science, 
2003).

[29] ASIS International, Threat Advisory System Response (TASR) Draft 
Guideline: Guideline for Preparations Relative to the Department of 
Homeland Security Advisory System (November 24, 2003).

[30] Federal Emergency Management Agency, Are You Ready?: A Guide to 
Citizen Preparedness (Washington, D.C.: September 2002).

[31] GAO-04-453R.

[32] Governor Mitt Romney, "First Responders: How States, Localities 
and the Federal Government Can Strengthen Their Partnership to Make 
America Safer" (testimony presented to the House Select Committee on 
Homeland Security, Washington, D.C.: July 17, 2003). 

[33] Baruch Fischhoff, Roxana M. Gonzalez, Deborah A. Small, and 
Jennifer S. Lerner, "Evaluating the Success of Terror Risk 
Communications," Biosecurity and Bioterrorism: Biodefense Strategy, 
Practice, and Science, vol. 1, no. 4 (2003).