Decisions in Risk and Reliability: An Explanatory Perspective

: The paper discusses issues that surround decisions in risk and reliability, with a major emphasis on quantitative methods. We start with a brief history of quantitative methods in risk and reliability from the 17th century onwards. Then, we look at the principal concepts and methods in decision theory. Finally, we give several examples of their application to a wide variety of risk and reliability problems: software preventive adversarial and the defend-attack problem. These illustrate how the general framework of game and decision theory plays a relevant part in risk and reliability.


Introduction
Decision (and game) theory is becoming more relevant to addressing reliability and risk issues under uncertainty. A recent contribution was made by Ríos Insua et al. [1]. For many applications, quantifying risk and reliability measures is a means to an end; to be useful, those values must be used to derive optimal policies to minimise risk, to decide on maintenance strategies, or to make some other decision. The methods of decision theory provide coherent mathematical approaches to doing this. When decisions are made in an environment where there are competing players, game theory is the relevant mathematical approach; examples include adversarial commercial situations or minimising risks from criminal or terrorist threats.
In this paper, we address these topics with illustrative examples taken mainly (but not exclusively) from our work. Some of them are worked out analytically, while others require numerical computations; however, the reasoning behind each example is explained, and the reader is referred to the relevant references for a complete discussion. The target of the paper is twofold. On one hand, it is addressed to people who have no or limited knowledge about methods and models in decision theory applied to reliability and risk problems. On the other hand, this paper illustrate recent approaches, such as adversarial risk analysis, or possible uses of older but less known methods such as Bayesian robustness; therefore, this paper could also interest readers with more in-depth knowledge. There are so many methods, models, and application fields that could be used to achieve the above goals but they are limited to a few in this paper. The choice has fallen on a few topics in reliability (although also related to risk) and a particular risk, from finance. In reliability, we identified three relevant areas (software testing, maintenance, and acceptance sampling) while portfolio selection has been discussed in the context of financial risk. We were compelled to leave out many other works, for example, on natural disasters (flooding and earthquakes), or other papers of ours such as Ebert et al. [2] on queues at immigration control in airports and Trucco et al. [3] on human and organisational factors affecting safety in maritime transport. The examples chosen not only are representative of some areas in Stats 2021, 4 the field but also allow us to introduce approaches that could be of interest for readers such as influence diagrams, decision trees, Bayesian robustness, and adversarial risk analysis.
In Section 2, we give a historical account of how the development of risk and reliability methods is connected to the progress in probability theory and utility theory for normative decision making. In Section 3.1, we introduce the basic concept of utility-based decisionmaking. Decision problems are best framed with the help of graphical representations, so we consider decision trees and influence diagrams in Section 3.2. Examples of applications of decision trees for replacement in maintenance optimisation follow in Section 3.3. In Section 4, we include other application examples where a single decision maker deals with software testing, preventive maintenance, and portfolio selection. In Section 5, we examine problems in risk and reliability analysis that involve two or more actors with competing interests in the adversarial risk analysis framework. Section 6 concludes the paper.

A Brief History of Quantitative Risk and Reliability
The section is not intended to provide a complete history of how risk and reliability became the object of quantitative study and then of interest in decision theory. Rather it mentions some works that have had an impact on this process. It shows how the current research in decision analysis, as applied to risk and reliability, is the result of centuries of work, which have grown independently until they have found common ground. More extensive illustrations can be found in papers about history of statistics such as Singpurwalla and Wilson [4].
The history of quantitative risk methods is tied closely to the history of probability theory, both of which have roots in insurance. Christiaan Huygens (1629-1695) was one of the earliest scientists to think mathematically about risk, motivated by problems in annuities widely due, at that time, to states and towns borrowing money. Huygens wrote up the solution, due to Fermat and Pascal, to a gambling problem called "The Problem of Points", where the question is to determine the fair bet for a game where each player has an equal chance of winning and the bet is won as soon as either player wins the game a predetermined number of times. Huygens stated an axiom on the value of a fair game, which is considered the first approach to the notion of expectation. Huygens [5] is thus credited with publishing the first book on probability theory.
The idea of a fair price was linked to probability by Jacob Bernoulli (1654-1705) in a book [6] published posthumously by his nephew Nicholas as the first substantial treatment of probability. Jacob Bernoulli changed the focus from expected values, which were tediously calculated by a recursive approach, towards probabilities using his Law of Large Numbers. Expected value then became a derived concept, and the calculation of probabilities was direct and faster as it did not require the recursion that Huygens used. The connection between fair prices and probability is the basis for insurance pricing and came about during a period of rapid development of the insurance market, driven by the growth of maritime commerce in the 17th and 18th centuries. Soon after the publication of Bernoulli's work, corporations began to engage in insurance. They were first chartered in England in 1720, and in 1735, the first insurance company in the American colonies was founded at Charleston, S.C. Therefore, by 1750, the idea of probability used in risk quantification, such as probability distributions, expected values, and fair price, and mortality were in use in insurance.
Later in the 18th century, a notable name is that of Thomas Bayes (1702-1761) and his famous essay on inverse probability [7,8]. Decision theory makes extensive use of Bayes's Law as a way to express the uncertainty about factors that affect the consequence of a decision from expert opinion and data. Another important aspect of decision theory is the idea of utility to quantify preferences of consequences of adverse events, an important component in the process of managing risks in a coherent manner. The idea of utility arose through Daniel Bernoulli in 1738 and utilitarian philosophers such as Bentham (1748-1832). Around this time, the industrial revolution meant that manufacturing and transport carried far graver risks than before, and we do see the first attempts at risk management through regulation. In the United Kingdom, the Factory Act of 1802 (named the "Health and Morals of Apprentices Act") started a sequence of such acts that attempted to improve health and safety at work.
The foundations of modern utility theory, from which a prescription for normative decision making comes about that is the basis of decision theory, had to wait until the early 20th century with the work by Ramsey [9]. The mathematical basis of today's quantitative risk analysis is indeed normative decision theory. The impetus for a formal approach to utility came from von Neumann and Morgenstern [10] with their interest in rational choice, game theory, and the modelling of preferences.
Although Pearson [11] names the exponential distribution for the first time, it was only in the 1950s that the field of statistical reliability emerged and we began to see some of the methods that are in common use today. Here, we see Weibull's (1887Weibull's ( -1961 advocacy of the Weibull distribution [12,13], the statistical analysis of failure data by Davis [14], the proposal of Epstein and Sobel [15] that the exponential distribution should be used as a basic tool for reliability analysis, and the approach of Kaplan and Meier [16] for estimating the survival function under censoring. We begin to see the idea of system reliability emerging at this time as well. Drenick [17] looked at the failure characteristics of a complex system with the replacement of failed units; then, Birnbaum et al. [18] investigated the structural representation of systems of components. Fault trees also appeared in this decade; see the work by Watson [19]. Much of this work is summarised in the two books of Barlow and Proschan [20,21].
The last fifty years have been marked by many developments and the quantity of publications in the literature is rather overwhelming. From a historical perspective, perhaps the most important trend is the availability of computation to facilitate more complex risk and reliability analyses. However, the fundamental link between quantitative risk and reliability methods to probability and decision making has remained.

Basic Concepts
The final goal of a risk analysis and a reliability study is, in general, a decision that reduces the social, economic, environmental, etc. negative consequences (losses) for an individual or a group, or increases their utility. A plethora of work has been published on decision theory and decision analysis, and we refer to the works of Wald [22], DeGroot [23], Berger [24], and French and Ríos Insua [25] for a thorough illustration. We consider decision-making under uncertainty and we present a Bayesian approach through definitions, properties, and a simple example related to risk. There are many critical aspects in the stages of a decision process: problem structuring, belief modelling, preference modelling, optimisation, and sensitivity analysis. Here, we are interested in illustrating some aspects, mostly related to sensitivity, arising when considering belief and preference modelling. In a Bayesian framework, beliefs over possible states of nature are modelled through a (prior) probability distribution, which in the presence of additional information, is updated via Bayes's theorem, whereas preferences over consequences are modelled using utility functions (or, more commonly in the statistical community, loss functions). The consequences are the result of actions chosen within a feasible set combined with states of nature, and the goal is to find an optimal action, namely the one maximising the expected utility. The assessment of beliefs and preferences is a difficult task, especially when there are several decision makers and/or experts. Sensitivity analysis (often called Bayesian robustness in this framework) deals with the uncertainty in specifying prior distributions and utility/loss functions; see the book by Ríos Insua and Ruggeri [26] for a thorough survey.
More formally, we assume that the decision maker has to choose among a set A of feasible actions a. Prior beliefs on the state variable θ ∈ Θ are assessed through a prior distribution with density π, and they are updated, via Bayes's theorem, into a posterior distribution, with density π(·|x), where x is the result of an experiment with likelihood l x (θ) over a sample space X. A consequence c ∈ C is associated to each pair (a, θ), and preferences over the consequences c(a, θ) are modelled with a utility function u(c(a, θ)), which we simply denote by u(a, θ). We associate with each action a its posterior expected utility: According to the Maximum Expected Utility Principle, we look for the optimal action a * , which maximises T(u, π, a).
However, the assessment of u and π, and the choice of the model l x , are performed with limited knowledge and some degree of arbitrariness. Such uncertainty in the specification has an impact on the optimal action and its expected utility, the model output in our case. A thorough review of the literature on how to handle such issues is provided in the book by Ríos Insua and Ruggeri [26]. Here, we present a simple, no data example adapted from Ruggeri et al. [27], which should make clear the importance of investigating the consequences of assessing probabilities and utilities imprecisely.
A football team is interested in signing a new player on a one-year contract. Two players, a and b, are available, and the team expects to have a (utility) gain in signing one of them, which depends on the possibility of qualifying (θ 1 ) or not (θ 2 ) for the European Champions League the next year. The probability of qualification is π(θ 1 ) = p 1 . The team managers believe that the monetary consequence of signing a and not being qualified is equivalent to the one obtained with signing b and being qualified. The other two possible consequences are, in general, different. We could represent the consequences in Table 1: Table 1. Monetary consequences of signing players.
In the team, there is uncertainty, maybe due to different opinions among the managers, about both the probability of being qualified and the monetary consequences. As a result, ranges are obtained for all of them: 0.4 ≤ p 1 ≤ 0.6, 0.5 ≤ u(c 1 ) ≤ 1, 0.25 ≤ u(c 2 ) ≤ 0.75, and 0 ≤ u(c 3 ) ≤ 0.5, where utilities are in million euros. We consider ( Table 2) the following four utility-probability pairs associated with the bounds on utilities and probabilities: Table 2. Expected utilities of signing players. Since in all four cases, T(u, π, a) > T(u, π, b), the team managers might decide to hire a but such a choice would not necessarily be optimal, e.g., considering p 1 = 0.6, u(c 1 ) = 0.5, u(c 2 ) = 0.75, and u(c 3 ) = 0.5, then it would be T(u, π, a) = 0.6 and T(u, π, b) = 0.65, raising doubts about the preference of a over b.
Martin et al. [28] addressed the issue of the choice of actions when the priors and the utilities (losses in their work) are in the classes Γ and U, respectively, as is done here. They proposed to consider non-dominated actions, i.e., the actions a ∈ A such that there exists no other action b ∈ A such that T(u, π, b) ≥ T(u, π, a), for all u ∈ U, π ∈ Γ, with strict inequality for one pair (u, π).

Decision Trees
Decision problems can be represented graphically using decision trees, where decision nodes are typically represented by a rectangle; chance (or random) nodes are represented by a circle; and outcomes, which are functions of decision actions and uncertainties, lie at the terminal points of the branches of the tree. Figure 1 shows the decision tree representation of a single-period decision problem. In the tree, the decision node is denoted by D 1 and the chance node is denoted by R 1 . The branches of the decision node D 1 represent the different decision actions a whereas the branches of R 1 represent possible values of the random quantity θ, which is commonly referred to as the state of nature.
The decision tree is a chronological representation of the events in a decision problem. In Figure 1, first, a decision action a is taken at the decision node D 1 and then a possible value of the state of nature θ is observed at the chance node R 1 where uncertainty about θ is described by the probability distribution π(θ). Each combination of the (a, θ) pair implies an outcome or utility value u(a, θ) at the terminal point of a specific path of the tree. The solution to the single-period decision problem in Figure 1 is obtained by folding back the tree (see Lindley [29]) starting at the terminal nodes. This is done by working backwards, taking the expectation of u(a, θ) at a random node such as R 1 , and by maximising E[u(a, θ)] with respect to action a at a decision node such as D 1 . The optimal action a * obtained at D 1 maximises the expected utility, as discussed in Section 3.1.
Later, we consider an example of a single-period decision tree that arises in the development of replacement strategies for components/systems in reliability analysis.

Influence Diagrams
An influence diagram (ID) is a graphical representation of a decision problem that contains the same information encoded by an equivalent decision tree. It is possible to convert an ID into a decision tree and vice versa. An ID is a directed acyclic graph containing three types of nodes: chance nodes that are represented by circles, decision nodes that are represented by squares, and deterministic nodes that are represented by squares with rounded edges. If an ID contains only chance nodes, then it is called a belief or Bayes network. A deterministic node is so-called because its value is a function of those taken by its parent nodes. A special type of deterministic node is a value node, which contains the value taken by utility as a function of its parent nodes. The advantage of an ID over decision tree is that the former provides a more compact and high-level representation of the decision problem because its size does not increase exponentially as additional decisions or uncertainties are added to an analysis. In fact, it displays the dependence among variables and the state of information under which decisions are made but it does not show the possible values associated with each decision or chance variable. Therefore, it is often the case that a problem is first represented as an ID and, afterwards, is converted to a decision tree for computation of the solution, which means finding the expected utility of all possible decisions, to be maximised over the decision space. The single-period replacement problem in Section 3.3.1 provides a simple example of the more compact representation of an ID, as shown in Figure 2, where there are no multiple arcs from the nodes. The decision node contains the value of τ, the chance node contains N(τ), the value node contains C(τ, N(τ)), the decision node influences the chance node, and the value node is influenced by both of them. The problem representation is completed by information on the conditional distributions of chance nodes given the parent nodes, that is, the conditional distribution of N(τ) given τ for the specific example. The ID representation of the stopping problem tree in Section 3.3.2 is not a simplification because decision nodes in the multi-stage decision are binary, each stage is represented in the same way in a repetitive fashion, and the tree always has a terminal leaf after a stop branch.
In Figure 3, we show a simple example with a nonrepetitive structure adapted from Bedford and Cooke [30], which also shows that an ID enables the derivation of conditional independence relationships among nodes. The chance nodes in the ID are described as follows: fault can take values of yes or no, repair can take values of repairman is sent or repairman is not sent, and both primary alarm and secondary alarm can take values of alarm signals a fault or no signal. The decision node is self explanatory and the cost node can take two values if no secondary alarm is installed: one is the cost of sending a repairman after a false alarm; the second one adds the actual repair cost if a fault has really occurred. With the secondary alarm, the two previous cost values are increased by the installation cost. It is assumed that the alarms never fail to signal a fault, but false alarms can occur. Thus, unnecessary repairs can be reduced by installing a secondary alarm and by calling the repairman only if both alarms signal a fault. If the decision is not to install the secondary alarm, the value of its node is always alarm signals a fault. The repair node is in fact a deterministic node because its state is entirely known given the state of the alarms; however, it is regarded as a chance node with a degenerate distribution for later use. The problem description is completed by assigning probabilities to the following events: a fault occurs, the primary alarm signals a fault given that there is no fault, and the secondary alarm signals a fault given that there is no fault. From the ID, we can find out conditional independence relationships using the global Markov property on any belief network determined by assigning a value to decision nodes. Suppose that the decision is to install a secondary alarm and to consider the repair node. Take the set of all its ancestors, which includes the two alarm nodes and the fault node (not the decision node because its value has been assigned) and remove all the remaining nodes (the cost node). Now moralise this subgraph by joining all unmarried parents using an undirected arc (the two alarm nodes in this case), and change all the directed arcs to undirected: the repair node is independent from the fault node given the pair of alarm nodes because all paths between them always go through the set of alarm nodes. With the same method, we can discover that the two alarm nodes are independent conditionally upon the fault node. The two moralised subgraphs are shown in Figure 4a   The decision tree structure for this problem is more complex. It starts with the decision node with two outgoing branches, each terminating with the fault node, from which two more branches come out and terminate with an alarm node. From this node, either four or two branches come out, depending on which subtree we are in. If we decide to install the secondary alarm, there are four branches, one for every pair of states for the two alarms. The terminal nodes are the costs associated with every path in the tree.

Install secondary alarm
To complete this illustration, let π be the probability of a fault and let p be the probability of a false alarm using any of the two alarms, which are assumed to be devices of the same type. Let also c S be the cost of sending a repairman, c R be the cost of an actual repair, and c I be the cost of a secondary alarm installation. Then, the costs of the decision of installing and not installing a secondary alarm are given by respectively, where A 1 , A 2 , and F belong to {0, 1} and are random variables representing the state of the two alarms and the presence of a fault. The expected costs are easily derived using the conditional independence properties derived earlier, and it is found that it is convenient to install a secondary alarm if Banks et al. [31] remarked that the graphical structure of an ID has the property that there is a directed path containing all decision nodes that specifies the order in which decisions are made by the decision maker. The authors pointed out also a drawback of IDs, i.e., their impossibility of representing problems in which there is no predetermined order for the decisions, for example, in medical diagnosis, where the decision about subsequent tests depends on the results of previous ones. In those cases, asymmetric decision trees are better graphical tools, but they might have too many branches as a consequence of having to consider as many subtrees as all possible test orders. The authors suggested, as a possible alternative, to consider multiple IDs, one for each possible test order, and to compare the solutions.
A simple introduction to IDs can be found in Bedford and Cooke [30], whereas a more advanced introduction is given by Banks et al. [31].

Single-Period Replacement Problem
Systems and components experience ageing or wear as a function of time and/or usage. For such systems, planned replacement strategies are used to prevent in-service failures that may be very costly relative to the cost associated with a planned replacement/repair. Mazzuchi and Soyer [32] proposed a Bayesian decision theoretic approach to develop optimal replacement strategies using age and block replacement protocols. In what follows, we consider a single-period block replacement problem under the assumption of minimal repair.
Typically, under the block replacement protocol, a planned replacement is made at time epochs τ, 2τ, . . ., irrespective of the age of the system and an in-service replacement is made whenever the system fails (the "good as new" scenario, since the replacement brings the reliability back to the initial one, assumed "good"). Another block replacement scenario was considered by Barlow and Hunter [33], where the system is minimally repaired upon failure but replaced at times τ, 2τ, . . .. This is known as block replacement with minimal repair where the item can be repaired so that its failure characteristics are restored to the state just prior to the failure (the "bad as old" scenario).
We let c P denote the cost of a planned replacement; c R be the cost of minimal repair, such that c P < c R ; and N(t) be the number of failures in a time interval of length t. Then, in a planned replacement cycle of length τ, the cost per unit time is given by The decision problem is to find τ such that the expected value of C(τ, N(τ)) is minimised. The decision tree for the problem is shown in Figure 5, where the random R 1 represents N(τ), an unknown number of repairs in a replacement cycle of length τ. Following Barlow and Hunter [33], we model N(t) as a non-homogeneous Poisson process (NHPP) with intensity function λ(t). For a system subject to ageing or wear, a commonly used model is the power law form for the intensity function, that is, where α > 0, β > 0, and values of β > 1 imply ageing over time. The mean value function Λ(t) for the NHPP is the cumulative intensity: The common approach in the literature is to assume that α and β are given (or estimated based on past data) and to select the optimal replacement interval, τ * , at the decision node D 1 of the tree by minimising with respect to τ. For β > 1, it can be shown that the optimal interval is given by Recent work in optimal replacement includes semiparametric policies considered by Merrick and Soyer [34], who considered block replacement for rail sections.

Multi-Period Stopping Problem
Decision trees are typically used in representing multi-period decision problems where a sequence of decisions are made and uncertainties are updated dynamically. Such problems arise in risk and reliability analysis in the context of the design of systems, life testing, optimal stopping, portfolio selection, etc. In this section, we present an example of an optimal stopping problem in software testing. The solution of sequential decision problems of this type relies on pre-posterior analysis and can become quite challenging to solve. These problems also arise in life testing; see, for example, van Dorp et al. [35], and Erkanli and Soyer [36].
Morali and Soyer [37] considered an optimal stopping problem in software testing and presented a Bayesian decision theoretic setup. In what follows, we use their notation and formulation of the multi-period problem. During the development phase, a new software goes through several stages of testing and, after each stage of testing, modifications are made to the software to fix the faults (or bugs). This process is known as debugging.
Let X i , i = 1, 2, . . . denote the life-length of the software during the ith stage of testing after the (i − 1)th modification made to it. Morali and Soyer [37] assumed that the failure rate θ i during the ith stage of testing is constant and, thus, that X i is exponentially distributed with rate θ i . The special feature of their model is that the failure rate θ i changes from one testing stage to another as a result of corrections made to the software.
The authors assumed that, at the end of each stage, following modifications made to the software, a decision must be made whether to terminate the debugging process. Thus, after completion of i stages of testing, the decision of whether to stop testing is based on X (i) = (X (0) , x 1 , x 2 , . . . , x i ), where X (0) represents the available information prior to any testing. Morali and Soyer [37] considered a loss function that reflects the tradeoff between additional testing versus releasing an unreliable piece of software. More specifically, they defined the loss associated with stopping and releasing the software after the ith stage of testing stage as where L T (·) represents the loss due to testing for one stage and L S (·) relates the loss associated with stopping and releasing the software. Note that, in this paper, we use both utilities and losses, choosing the notion more suitable for the topic at hand.
The stopping problem can be represented as a sequential decision problem as given by the m-stage decision tree in Figure 6 and can be solved using dynamic programming. The solution of the tree proceeds in the usual way by taking the expectation at random nodes and by minimising the expected loss at the decision nodes. At decision node i, the additional expected loss associated with the stop and the test decisions are given by the terms for i = 0, 1, . . ., and the optimal decision at decision node i then is the one associated with L * i .  Multi-period decision problems also arise in the design of life tests such as accelerated life tests. Some of the recent work in this area include Zhang and Meeker [38,39], Meeker et al. [40], and Polson and Soyer [41]. Figure 1 showed the structure of the simplest decision problem, that of a single-period problem where a decision is made, a state of nature is revealed, and an outcome follows. There is no opportunity to learn from data about the state of nature θ, and therefore, one relies entirely on the prior π(θ).

One-Stage Software Testing
Such a type of decision problem can be illustrated through its application to software testing. Here, we mention the paper by McDaid and Wilson [42] and the more recent book by Kenett et al. [43]. When developing software, bugs are often introduced and they cause it to fail, producing a result different from the specification. Developers are therefore interested in testing the software to discover and remove bugs before its release. Of course, they should be very careful to prevent the introduction of new bugs. There is an issue of the quality of testing and about the length of the test phase. There are conflicting aspects about costs: on one side, there could be excessive costs due to a very long test but, on the other side, early release might imply a less reliable software. There are other aspects such as the possible obsolescence of the software caused by a very delayed release, the loss of reputation due to a poor software, and the need to market the software before the release of similar ones by competitors. Therefore, it is important to determine an optimal release time, taking into account especially costs for testing and fixing software, with the latter strongly dependent on the number of bugs left in the software at its release. Such an optimal time could be easily found through a one-stage test.
In Figure 7, we present the decision tree for one-stage testing. In terms of the notation of this paper, the set of feasible actions are times a that one could test, A = {a | a ≥ 0}, and the state of nature is the number of bugs discovered during and after testing, denoted N(a) andN(a), respectively; hence, θ = (N(a),N(a)). The only deviation from Figure 1 is that θ is described by a probability model π(θ | ψ) with parameters ψ that are themselves unknown, and the prior distribution π(ψ) is directly specified on ψ. However, the Partition Law of probability gives the prior on θ directly by integrating out ψ:

Decide Release
Test Time a u(a, ) N(a) bugs (a) bugs discovered in testing discovered after release Many models have been proposed for N(a); see, e.g., Singpurwalla and Wilson [44]). In this work a popular model of Goel and Okumoto [45] is used. The model assumes that N(a) is a Poisson process with mean function Λ(a) = ψ 1 (1 − e −ψ 2 a ), for parameters ψ 1 and ψ 2 that represent the expected total number of bugs to be discovered eventually in the software (at a = ∞) and the rate of discovery, respectively. Thus, N(a) is Poisson distributed with an expected value Λ(a). The motivation from this model comes from the fact that Λ(a) satisfies the differential equation: so that the rate of bug discovery is proportional to ψ 1 − Λ(a), the expected number of bugs remaining to be discovered at time a. Our knowledge about N(a) is quantified by the values of ψ 1 and ψ 2 . Expert opinion can be used to quantify this knowledge in the form of a probability distribution for ψ 1 and ψ 2 . In this approach, gamma distributions are used as they have a relatively simple form and can be defined to have an arbitrary positive mean and variance. The gamma distribution is defined by two parameters, a scale α and a shape β, and its density function has the form f (x) = α β x β−1 e −αx /Γ(β), where Γ(·) is the gamma function. The important thing to note here is that the mean and standard deviation are β/α and β/α, so that α and β can be uniquely determined if one has an opinion on the mean and standard deviation. McDaid and Wilson [42] described an elicitation process for these parameters that uses these relationships. Here, we assume that such an elicitation process has led to specifying a scale α 1 and a shape β 1 for ψ 1 and a scale α 2 and a shape β 2 for ψ 2 .
Given ψ 1 and ψ 2 , N(a) andN(a) are Poisson distributed. McDaid and Wilson [42] derived the unconditional prior π(θ) = π (N(a),N(a)) and showed that the expected values are as follows: ( With regard to utility function u(a, θ), the simple form for the utility of testing until time a and then releasing is as follows: where A is the profit from releasing the software without any testing, C is the cost of fixing a bug discovered in testing, D is the cost of fixing a bug post-release, and F is the cost per unit time of testing, that includes both the testing costs as well as lost sales and market opportunity. In practice, D should be considerably larger than C. Now, all the components of the decision problem have been specified. Solving the simple tree in Figure 7 involves taking the expectation with respect to the unknown states of nature N(a) andN(a) (making use of their expected values as in Equations (2) and (3)) and then maximising the resulting expected utility with respect to a to find the optimal testing time. Plugging Equations (2) and (3) into Equation (4) gives the expected utility of testing for a time a, and the value of a that maximises this function, and therefore, the optimal time to test, is as follows: This is not valid if D < C, a case that we do not anticipate in practice and would imply that the optimal strategy is not to test and just repair all bugs post-release. Figure 8 presents the expected utility and optimal testing time when the prior mean on ψ 1 is 100 (so that about 100 bugs are expected in the code), whereas the prior mean on ψ 2 is 0.01. For such a purpose, we take α 1 = 0.01, β 1 = 1, α 2 = 100 and β 2 = 1. As a consequence, the two standard deviations coincide with the prior means, i.e., 100 and 0.01, respectively. The utility parameters are chosen as the following values: A = 2000, C = 1, D = 20, and F = 0.5. The left plot shows T(u, π, a) as a function of a and identifies the optimal release time a * = 516.4 for an expected utility of 1333.6. The right plot shows how a * changes as a function of D, the cost of fixing a bug post-release; this shows how the testing time should increase as the relative cost of fixing bugs after testing rises. In this solution, the software is released regardless of the results of the testing. As a consequence, there is no opportunity to learn about its reliability from those results. In McDaid and Wilson [42], moving beyond this simplest case is also considered involving more than one stage of testing and in which learning about θ takes place.
A recent review of decision models for software testing including adversarial issues can be found in Ruggeri and Soyer [46].

Preventive Maintenance of Water Pumps
Christen et al. [47] analysed the operation data of a Worthington water pump, operating 24 h a day at the PEMEX Salamanca refinery in Guanajuato, Mexico. Data were recorded about operation hours before either maintenance or failure, whichever came first.
The authors considered a random sign censoring model to describe the maintenance and failure processes and, based on a maximum expected utility approach, they proposed a maintenance policy that improved upon the existing one. Here, we take a different approach, further elaborating on the ideas about sensitivity issues in decision analysis introduced in Section 3.1.
There are n = 34 observations, and they are presented in Table 3, split into 28 failure and 6 maintenance times. We consider independent and identically distributed exponential failure times with parameter θ, and we denote the observed times by X i , i = 1, . . . , 34. The likelihood function is given by based on the density θe −θx at a failure time and the survival probability e −θx at a maintenance time.
We assume that interventions are made at fixed times, even when failures occur, and we consider two possible actions: a = {intervention after 10 h} and b = {intervention after 20 h}. We consider the following loss functions: The integral component of the loss function is related to the cost incurred when the pump fails at time x and does not operate until an intervention occurs. We compare the two actions over a 20 h period so that we add the factor 2 in the first loss since failures can occur over two 10 h periods. The term C accounts for the cost of the extra intervention. A cost should multiply the integral part, but it is simpler to remove it and to consider the losses apart from a multiplicative constant.
If we consider a gamma distribution prior on θ, then we get a gamma distribution posterior π, which we denote G(α, β). It is possible to prove that, under such a distribution, the posterior expected losses are Therefore, it holds that We now suppose that there is uncertainty about both beliefs and preferences, namely on the prior distribution of θ and the value of C. In the former case, there could be different opinions on the expected failure time of the pump, given by 1/θ; in the latter case, there might be variability in the cost of the extra repair. The classes we entertain are very simplistic but useful for illustrative purpose. More sophisticated classes are presented in Ríos Insua and Ruggeri [26]. We consider the classes: L(a, θ) and L(b, θ) as above and 20 ≤ C ≤ 30}, Given the likelihood (6), then the posterior distribution belongs to the class If we take α = 30, β = 625, then the choice of C = 20 or C = 30 leads to opposite conclusions. In the former case, T(L, π, a) − T(L, π, b) = −7.52 implies that the intervention after 10 h is the optimal action whereas the intervention after 20 h is the optimal decision in the latter case since we get T(L, π, a) − T(L, π, b) = 2.48. This is a typical situation in which the decision maker needs extra effort to specify beliefs and preferences or to honestly report that there is no clear-cut decision.
Bayesian analysis of repairable systems is considered in Pievatolo and Ruggeri [48], and minimal repair models for train systems are discussed in Pievatolo and Ruggeri [49]. Maintenance strategies for machine tools are presented in Merrick et al. [50], and maintenance practices for railroads are discussed in Merrick et al. [51]. Recent developments in maintenance optimisation can be found in Damien et al. [52] and Belyi et al. [53]. Degradation-based maintenance policies are considered in Zhang et al. [54].

Portfolio Selection
Markowitz [55] considered the single-period portfolio selection problem where an investor has to allocate a sum of money among K securities. A Bayesian decision theoretic setup to the problem was introduced by Winkler and Barry in [56], and the multi-period problem was discussed. In this section, we present a setup considered by Soyer and Tanyeri [57], who follow the formulation of Winkler and Barry [56].
We let W t denote the wealth of the investor at the end of time period t and W 0 denote the initial wealth of the investor. We define r k t to be the return from security k during time period t and assume that there are no transaction costs. If W k t is the amount invested in security k at the beginning of time period t + 1, then the wealth of the investor at the end of time period (t + 1) can be written as Following Winkler and Barry [56], we assume that the investor's objective is to maximise u(W T ), the utility of wealth at the end of a finite time period T (with dependence on θ omitted). In the multi-period problem with a finite horizon T, the investor maximises the utility u(W T ) by sequentially choosing the decision variables W k t , t = 0, . . . , T − 1 and k = 1, . . . , K at different points in time based on the available information. That is, the optimal allocation is revised as the random quantities r k t , t = 1, . . . , T are observed over time. The decision tree for the multi-period portfolio selection problem is shown in Figure 9  Given the initial wealth W 0 at D 0 , the investor determines W K 0 = (W 1 0 , . . ., W K 0 ), the amounts invested in K securities. The random node O 1 denotes, for time period t = 1, the observed returns from K securities, r 1 = (r 1 1 , r 2 1 , . . . , r K 1 ) . Given r 1 , the investor determines W K 1 = (W 1 1 , . . ., W K 1 ) at decision node D 1 , and this process is repeated at subsequent nodes. The solution of the problem involves dynamic programming formulation and backward induction by taking the expectation at random nodes and by maximising the expected utility at the decision nodes, as in Winkler and Barry [56].
As pointed out by Soyer and Tanyeri [57], at decision node (T − 1), given the observed returns from the first (T − 1) periods, the decision variables W K , where E T−1 denotes the expectation conditional on the returns from the first T − 1 periods. We denote the expected utility corresponding to the optimal allocation W K * . Then, at decision node T − 2, the optimal allocation is obtained by maximising Continuing in this manner at time 0, calculation of the optimal allocation for the first investment period involves implicit computation of expectations and maximisations at each time period. This can become quite cumbersome if the underlying parameters of the return distributions are unknown and a Bayesian approach is used for inference, as discussed in Winkler and Barry [56].
For the case of the single-period problem, that is, T = 1, one can obtain the solution analytically in some simple cases or use Monte Carlo-based methods. For example, if we consider a quadratic utility function for W 1 as where B > 0, we can obtain an analytical solution for the optimal allocation at t = 0 and if we assume that, at time period 1, the K dimensional return vector r 1 is normally distributed with mean vector µ and covariance matrix Σ, denoted as (r 1 |µ, Σ) ∼ N(µ, Σ) where µ and Σ are known, we can write and, using the quadratic utility function, obtain Then, it can be easily shown that the optimal allocation for investment period 1 is given by If we consider a two-period problem with a quadratic utility function for W 2 , that is, , then the dynamic programming solution can be obtained analytically under the assumption of independence of the return vectors. More specifically, if (r t |µ, Σ) ∼ N(µ, Σ) with µ and Σ known and r t s independent, then we can show that the optimal allocations for investment periods 1 and 2 are given by Furthermore, it can be shown by induction that, for the T period problem, the optimal allocations are given by for t = 0, 1, . . . , (T − 1). When the parameters of the return vectors are not known, the solution of the dynamic program becomes quite cumbersome even when r t is independent. Winkler and Barry [56] considered the case of unknown mean vector µ for the two-period problem with quadratic utility function and noted that the solution can be obtained using numerical methods. More recently, Soyer and Tanyeri [57] considered two-period portfolio selection problems with stochastic volatility and illustrated Bayesian solutions using Monte Carlo-based methods.

Basic Concepts of Adversarial Decision Problems
The decision problems presented in the previous sections involved a single decision maker and were solved using decision analysis methods. There are problems in risk and reliability analysis that may involve two or more actors with competing interests. These problems with adversarial components can be set up as games that can be solved using game theory methods; see, for example, Luce and Raiffa [58]. Examples of adversarial situations in reliability analysis can be found in areas such as acceptance sampling (see Lindley and Singpurwalla [59]), life testing (see Lindley and Singpurwalla [60]), reliability demonstration (see Rufo et al. [61]), and warranty analysis (see Singpurwalla and Wilson [62]). A recent review of adversarial issues in reliability and survival analysis can be found in Singpurwalla et al. [63].
Lindley and Singpurwalla [59] considered an adversarial situation with two actors: a manufacturer M and a consumer C. The manufacturer M tries to sell a batch of items to C, who may either accept (A) or reject (R) the batch provided by M based on his utility function u C . The decision by C depends on the "evidence" provided by M to C based on a sample from an inspection or a life test that M may perform. The decision M faces is whether to offer a sample to C and, if so, the size of the sample based on his utility function u M . It is assumed that both M and C are expected utility maximisers.
Lindley and Singpurwalla [59] presented their setup in the context of acceptance sampling where M tries to convince C about the quality of his product implied by the unknown quantity θ. We can think of θ as the percent of defective items in the batch in the quality control setting or as the failure rate (or mean time to failure) in the life testing context considered by Lindley and Singpurwalla [60]. The outcome of the inspection/test is denoted by D. Figure 10 shows the game tree associated with the problem. The decision node M in the game tree represents the manufacturer's decision about n, the sample size, that is offered to the consumer. The decision n = 0 implies that offering a sample to C is not beneficial to M, and in this case, the game is concluded. The random node D denotes the data, that is, the outcome of the inspection/test. In their development, the authors assume that both M and C agree about the probability model generating the data. Let p(D|θ) denote the common probability model for the data-generating process. The decision node C represents the consumer's decision to accept (A) or reject (R) the batch. Note that this decision is based on the observed sample data D, which is used by C for revising uncertainty about θ.
C updates his prior π C (θ) to posterior distribution using π C (θ|D) ∝ p(D|θ)π C (θ). Lindley and Singpurwalla [59] specified the utility function of C as u C = u C (A, θ) or u C = u C (R, θ). The utility function of M is specified as u M = u M (A, n, θ) or u M = u M (R, n, θ), implying that M's utility is a function of C's decision as well as n and θ.
M D u M, u C C Lindley and Singpurwalla [59] developed a solution for the game tree assuming that M knows C's decision criterion and the prior π C (θ). Thus, for a given (n, D), M is able to at decision node C. The authors denote the sets of Ds implying the acceptance and rejection regions for C using A(n) and R(n). Once the sets A(n) and R(n) are known, M chooses the optimal value of n at decision node M by maximising where π M (θ) denotes M's prior for θ. The authors developed the optimal strategy for M for Bernoulli, Poisson, and Gaussian sampling using numerical methods. An implementation of the proposed approach to the case of exponentially distributed life times is considered in Lindley and Singpurwalla [60]. More recently, Rufo et al. [61] extended the Lindley-Singpurwalla approach for life testing by introducing a Bayesian negotiation model. The proposed framework by Lindley and Singpurwalla [59,60] for adversarial testing problems is based on the assumption that the manufacturer knows both the decision criterion for C as well as C's prior for θ. In many cases, it may not be possible to obtain such information. The Bayesian approach to games involves a decision maker's assessment of probabilities of the opponent's actions. In their discussion of the Bayesian game theoretic approach, Kadane and Larkey [64] stated that "...a decision maker has a subjective probability opinion with respect to all of the unknown contingencies affecting his payoffs. In particular in a simultaneous-move two-person game, the player whom we are advising is assumed to have an opinion about the major contingency faced, namely what the opposing player is likely to do". Furthermore, the authors point out that "infinite regress" is not a problem for the Bayesian decision maker since "... all aspects of his opinion except his opinion about his opponent's behaviour are irrelevant, and can be ignored in the analysis by integrating them out of the joint opinion".
These and other criticisms of classical game theory have motivated the search for alternative solutions for decision problems with multiple actors. One such alternative is the adversarial risk analysis (ARA) approach recently proposed by Ríos Insua et al. [65]. ARA builds on the Kadane-Larkey approach by developing a model of the opponent's strategies. This is done by incorporating uncertainty via subjective probabilities of the decision maker. As noted by Banks et al.
[31], p. 1, the ARA model provides a probability distribution over the possible actions of the decision maker's opponent and, using this, the optimal action is chosen by maximising the expected utility of the decision maker. We present the ARA formulation of Lindley-Singpurwalla's adversarial life-testing problem in the next section.

Life Testing with Adversarial Modeling
Following Lindley and Singpurwalla [59,60], we consider the game tree of Figure 10 and analyse the manufacturer M's decision process. The manufacturer/consumer game of Figure 10 is a sequential game similar to the "defend-attack" models discussed in Rios and Ríos Insua [66]. As before, we have the priors π M (θ) and π C (θ) and the utility functions u M = u M (C, n, θ) and u C = u C (C, θ) for M and C, respectively. C = (A, R) denotes the consumer's decision actions at decision node C.
The first step in the ARA solution is converting the game tree in Figure 10 to the decision tree of the manufacturer M shown in Figure 11. This is achieved by converting the decision node C to a random node for the manufacturer. Given the manufacturer's decision n at node M and the outcome observed at random node D, the manufacturer needs to assess the probability of a consumer's actions. These are the manufacturer's subjective probabilities and we denote this discrete probability distribution by π M (C|n, D). The main issue is how to assess π M (C|n, D). This can be done directly as suggested in Kadane and Larkey [64] or by using the ARA approach, which takes into account the manufacturer's perception of the consumer's decision problem.

M
D u M C Figure 11. Decision tree for the manufacturer.
The decision tree in Figure 12 represents the consumer's decision problem as seen by the manufacturer. It is important to note that the consumer's decision tree is obtained by converting the manufacturer's decision node M to a random node. As before, the manufacturer analyses the consumer's decision problem by assuming that he is an expected utility maximiser. The analysis of the tree is used to estimate π M (C|n, D). To achieve this, the manufacturer needs to specify F M (π C , u C ), his probability distribution of the consumer's prior π C = π C (θ), and utilities u C . Once F M (π C , u C ) is specified, we can estimate π M (C|n, D) via Monte Carlo simulation. More specifically, we can simulate realisations of (π C , u C ) from F M (π C , u C ), and for each realisation, we can solve the tree for given values of (n, D) and obtain π M (C|n, D). In the final step, we use the manufacturer's decision tree in Figure 11, where the probabilities are given by π M (C|n, D) at the random node C. The optimal strategy for the manufacturer is computed by maximising expected utility. Implementation of the ARA approach may become complicated depending on the distributional assumptions and the form of the utility functions. In the Bernoulli sampling example of Lindley and Singpurwalla [59], the authors assumed a beta prior with parameters (α C , β C ) for the unknown proportion defective θ. The utility function of the consumer is specified as u C (A, θ) = a 1 + a 2 θ and u C (R, θ) = a 3 , where a 1 > a 3 > (a 1 + a 2 ), a 2 < 0. In the ARA setup, we can assume that the form of the probability distribution and the utility function are known but the respective coefficients are unknown. In other words, the manufacturer may know that the consumer's prior distribution is a beta density with unknown parameters (α C , β C ). Similarly, in the utility function u C , the coefficients a 1 , a 2 , and a 3 are unknown. Thus, the manufacturer specifies his distribution F M (π C , U C ) = F M (α C , β C , a 1 , a 2 , a 3 ), which is used in the solution of the consumer's decision tree shown in Figure 12. The same approach can be used in specifying F M (π C , U C ) for Poisson and Gaussian sampling cases as well as the adversarial life-testing example discussed in Lindley and Singpurwalla [60]. The approach above is thoroug y illustrated in Gonzalez-Ortega et al. [67] and we refer the interested reader to it. Other implementation issues in ARA and its applications in risk analysis can be found in Banks et al.

Defend-Attack Problems in an Adversarial Setting
As pointed out in Section 5.2, the model employed for the specific life-testing problem belongs to the category of ARA defend-attack models. Ríos Insua et al. [70] provided a general description of the approach through the use of IDs. In this setting, there are two decision makers: the defender and the attacker. The attacker, after observing decision d ∈ D taken by the defender, selects an attack a ∈ A. After both parties have made their choice, there is a random outcome S ∈ S of the attack, with the conditional distribution depending on the choices. The actions and the outcome will produce utilities u D (d, s) and u A (a, s) for the defender and the attacker, respectively. This problem can be represented through a Multi-Agent Influence Diagram (MAID), in which some nodes are owned by the defender, some are owned by the attacker, and some are shared. The MAID, displayed in Figure 13 with one chance node, can be viewed as the superposition of two IDs, in which chance nodes are usually shared and assigned different (conditional) probability distributions by the two decision makers. The defender must choose an action to maximise her expected utility without knowing the attacker's action. Therefore she expresses her uncertainty by placing a probability distribution on the set A, p D (a|d). The attacker's utility itself is no concern for the defender; therefore, from her point of view, the ID of the defend-attack model becomes as represented in Figure 14. The defender is now able to solve her ID: she computes her expected utility conditional on the attacker's action first and then marginalises it with respect to p D (a|d). Letting p D (s|d, a) denote the defender's conditional distribution of the outcome, we obtain ψ D (d|a) = u D (d, s)p D (s|d, a) ds ψ D (d) = ψ D (d|a)p D (a|d) da and the best decision d * is the one that maximises ψ D (d).
In order to assess p D (a|d), the defender has to make a guess on the attacker's utility and conditional distribution of the outcome, assuming he also is a utility maximiser, so that p D (a|d) is a probability distribution of the best action chosen by him. The defender's guess can be expressed as a probability distribution on the pair {u A (a, s), p A (s|d, a)}, so that the random optimal action of the attacker is A * (d), maximising Ψ A (a|d) = U A (a, s)P A (s|d, a)ds .
where the capitalised U A and P A emphasise that they are regarded as random quantities (and consequently also Ψ A ). The defender's distribution over (U A , P A ) can be considerably simplified using a parametric form. The cumulative distribution function of the defender over A is now found as p D (A ≤ a|d) = Pr(A * (d) ≤ a); it is often approximated via Monte Carlo simulations of (U A , P A ), as shown in Algorithm 1.

Algorithm 1 Approximation of p D (a|d).
for d ∈ D do for k = 1 to K do sample (U k A , P k A ) for a ∈ A do compute Ψ k A (a, d) end for find A k, * (d) = max a Ψ k A (a, d) end for compute the empirical distribution function of {A k, * (d)} K k=1 end for A worked-out case study in this framework is presented in Ríos Insua et al. [70] concerning a facility operator who wants to defend from a group of organised fare evaders (fare colluders).

Conclusions
In the paper, we presented many aspects of the use of decision theory methods in risk and reliability. Although advanced notions are introduced in the paper, we tried to present ideas and applications in a way useful for the learned readers and not only for researchers specialised on the topics so that they will be able to frame their problem in a rigorous and coherent way and to find pointers to specific analytic and computational techniques for their solution. The range of application areas that we included reflect our research interests, but the general principles of our work remain valid in other areas. Our experience also affected the approach (i.e., Bayesian) that we followed in the examples. Reliability has been one of the first applied areas in which Bayesian methods have been valued as very important due to the possible use of experts' opinions about very reliable systems. The first comprehensive Bayesian book in reliability was by Martz and Waller [71] and was quite mathematical, and applications were scarce because of limitations in statistical and computing power in the 1980s. The most recent book by Hamada et al. [72] provides a different perspective, mostly due to the development of powerful computational methods, such as Markov Chain Monte Carlo, and increased interest in stochastic processes; it addresses many issues in reliability, including some that would fit very well with the scope of the current paper. In particular, Chapter 9 presents methods for planning the optimal collection of reliability data using genetic algorithms as computational tools. Chapter 10 discusses assurance testing to ensure that a reliability-related quantity of interest meets the given requirements; different risk criteria are considered to determine the plans. Accelerated life tests, mentioned in Chapter 7, offer opportunities to use decision analysis methods in an optimal way. Two relevant books addressing both risk and reliability from a Bayesian viewpoint are the already cited one by Singpurwalla and Wilson [44] and one further by Singpurwalla [73]. The first book is about software testing, which was considered in Section 4. The second book is a must-read since it provides a rigourous and extensive illustration of decision theory applied to reliability, survival analysis, econometrics, and finance.
As mentioned earlier, risk is a notion related not only to reliability and finance but also to many other applied fields. A few examples are Varis and Kuikka [74] about environmental and natural resources management, Veneziano et al. [75] on seismic design of building, and Palomo et al. [76] on project management under disruptive events. For a discussion of approaches different from ours, we recommend Bedford and Cooke [30], Ben-Haim [77], Borgonovo et al. [78], and de Almeida et al. [79]. These sources are also valuable for the references therein.
Funding: This research received no external funding.