In the previous chapter we discussed the functioning of the bowtie model, and its significance for the development of security risk scenarios. We concluded that it can take a long time before causes and threats in the fault tree (the left side of the bowtie model) become evident in the event tree through the emergence of unwanted (immediate) effects and (later) consequences. Reason identified groups of events where wrong decisions (very) early in the fault tree may eventually lead to undesired events lining up, facilitating undesired accidents to happen at a much later time. Reason mainly looked at business processes but the same is true when it comes to terrorism, an important implicit motive in the attack vulnerability tables that we introduced in the previous chapters. In the case of (threat of) terrorist attacks the time between planning and execution can take years. The possibility of such attacks occurring depends - among others - on geopolitical circumstances and developments. Officials in charge of the protection of flood defenses told us that it is hardly feasible to calculate the likelihood of a terrorist attack. According to them, this is because there are no historical data. With this view we disagree. We think that enough data is available to say at least something about the likelihood of specific types of terrorist attack in specific circumstances. In this chapter we evaluate the probability of possible terrorist attacks against flood barriers (we use the Netherlands and Europe as an example). If we want to give a realistic estimate of the chance of such an attack occurring, we have to consider the historic context of terrorist attacks (in this case in the Netherlands). Additionally, in our quest for finding objective approaches to terrorist attack scenarios, we explore the application of game theory in scenario building in some detail.