Abstract
The disruption of any critical infrastructural sector has the potential to create significant direct consequences and cross-sectoral effects in a short period of time. In this article, we suggest a consequence-, time- and interdependency-based risk assessment approach that seeks to identify which direct consequences and intersectoral effects are likely to emerge in what time frame. We argue that critical infrastructures with the capacity to cause the greatest societal consequences and strongest intersectoral negative effects in the shortest time represent the most risky infrastructures. Such a direct risk assessment was further improved by a network-based risk calculation that takes not only first-order effects into account, but also the n-order intersectoral cascading effects. Applying this model to 17 infrastructural subsectors in Slovenia shows that the network transfer of effects among critical infrastructures can considerably and unpredictably change their initially calculated risk. The riskiest subsectors at the maximal level of network effects turned out to be those on which other subsectors depend heavily, both directly and indirectly: electricity, ICT, road transport and financial instruments. Risk management in the critical infrastructure protection field and related defence in depth should focus its limited resources on those infrastructures with the biggest network-based risk.
Notes
In the case of Italy, the whole country was affected except for the islands. In the other case, Ohio, Michigan, Pennsylvania, New York, Vermont, Massachusetts, Connecticut, New Jersey and even Ontario were affected by the massive blackout.
A normalized dependency matrix is obtained by dividing all values by 4 to obtain a scale from 0 to 1.
α can at most be 1/λ, where λ is the highest eigenvalue of the N matrix. Higher values could lead to negative risks.
The process of designing the questionnaire was based on preliminary theoretical studies of critical infrastructure, case studies of other countries, and EU policy in this field. The first version of the questionnaire was tested by our academic colleagues for its clarity and methodological consistency and also commented on by the (subsectoral) experts from practice. These comments confirmed the empirical usability of the questionnaire and led us to adapt some questions. The three questions on consequences, time effects and interdependency were closed and quantitative, whereas the remaining questions (not part of this article) were predominantly qualitative and open (see Prezelj et al., 2012).
Larger values would result in negative risk values.
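The notes on the normalized dependency matrix and the bound on α can be seen at work in a small computation. This is an added example, not code or data from the article: the propagation rule r = d + α·Nᵀr (a Katz/Bonacich-style form), the three sector names, the 0 to 4 dependency scores and the direct risks are all assumptions constructed for illustration.

```python
# Added illustration. The propagation rule r = d + alpha * N^T r is an ASSUMED
# Katz/Bonacich-style form; sector names and all scores are constructed.
SECTORS = ["electricity", "ICT", "finance"]
# DEPENDENCY[i][j]: how strongly sector i depends on sector j, scored 0..4.
DEPENDENCY = [[0, 2, 1],
              [4, 0, 1],
              [4, 4, 0]]
DIRECT_RISK = [0.4, 0.5, 0.6]  # constructed first-order risk per sector

def normalize(dep, scale=4):
    """Divide every score by the scale maximum to get values in [0, 1]."""
    return [[v / scale for v in row] for row in dep]

def largest_eigenvalue(n, iters=200):
    """Power iteration; assumes a non-negative, strongly connected, aperiodic matrix."""
    x, lam = [1.0] * len(n), 0.0
    for _ in range(iters):
        y = [sum(a * b for a, b in zip(row, x)) for row in n]
        lam = max(y)
        x = [v / lam for v in y]
    return lam

def network_risk(n, direct, alpha):
    """Solve (I - alpha * N^T) r = direct by Gauss-Jordan elimination."""
    k = len(n)
    # Equation j: r_j - alpha * sum_i N[i][j] * r_i = direct_j
    m = [[float(i == j) - alpha * n[i][j] for i in range(k)] + [direct[j]]
         for j in range(k)]
    for c in range(k):
        p = max(range(c, k), key=lambda r: abs(m[r][c]))  # partial pivoting
        m[c], m[p] = m[p], m[c]
        for r in range(k):
            if r != c:
                f = m[r][c] / m[c][c]
                m[r] = [x - f * y for x, y in zip(m[r], m[c])]
    return [m[i][k] / m[i][i] for i in range(k)]

N = normalize(DEPENDENCY)
LAMBDA = largest_eigenvalue(N)
BELOW = network_risk(N, DIRECT_RISK, 0.8 / LAMBDA)  # alpha inside the 1/lambda bound
ABOVE = network_risk(N, DIRECT_RISK, 1.2 / LAMBDA)  # alpha past the bound

if __name__ == "__main__":
    for name, d, lo, hi in zip(SECTORS, DIRECT_RISK, BELOW, ABOVE):
        print(f"{name:12s} direct={d:.2f} below={lo:7.3f} above={hi:7.3f}")
```

With α below 1/λ the sector that others depend on most moves from the lowest direct risk to the highest network risk; with α above 1/λ the solved risks turn negative, which is the failure the notes warn about.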
References
Anderson, C.W., Santos, J.R. and Haimes, Y.Y. (2007) A risk-based input-output methodology for measuring the effects of the August 2003 Northeast blackout. Economic Systems Research 19 (2): 183–204.
Ashmore, W.C. (2009) Impact of alleged Russian cyber attacks. Baltic Security & Defence Review 11: 4–40.
Aven, T. (2011a) Quantitative Risk Assessment. Cambridge, UK: Cambridge University Press.
Aven, T. (2011b) A risk concept applicable for both probabilistic and non-probabilistic perspectives. Safety Science 49 (8–9): 1080–1086.
Barker, K. and Santos, J.R. (2010) A risk-based approach for identifying key economic and infrastructure systems. Risk Analysis 30 (6): 962–974.
Batagelj, V. and Mrvar, A. (2011) Pajek 2.03, http://pajek.imfm.si/doku.php?id=download, accessed 11 April 2011.
Ben-Ari, A. and Or-Chen, K. (2009) Integrating competing conceptions of risk: A call for future direction of research. Journal of Risk Research 12 (6): 865–877.
Biedleman, S.W. (2011) Defining and deterring cyber war. Military Technology 35 (11): 57–62.
Bier, V.M., Haimes, Y.Y., Lambert, J.H., Matalas, N.C. and Zimmerman, R. (1999) A survey of approaches for assessing and managing the risk of extremes. Risk Analysis 19 (1): 83–94.
Boin, A., Lagadec, P., Michel-Kerjan, E. and Overdijk, W. (2003) Critical infrastructures under threat: Learning from the anthrax scare. Journal of Contingencies and Crisis Management 11 (3): 99–104.
Bonacich, P. (1972) Factoring and weighting approaches to status scores and clique identification. Journal of Mathematical Sociology 2 (1): 113–120.
Bonacich, P. (1987) Power and centrality: A family of measures. American Journal of Sociology 92 (5): 1170–1182.
Bonacich, P. and Lloyd, P. (2001) Eigenvector-like measures of centrality for asymmetric relations. Social Networks 23 (3): 191–201.
Borgatti, S.P. (2005) Centrality and network flow. Social Networks 27 (1): 55–71.
Borgatti, S.P. and Everett, M.G. (1999) Models of core/periphery structures. Social Networks 21 (4): 375–395.
Borgatti, S.P. and Everett, M.G. (2006) A graph-theoretic perspective on centrality. Social Networks 28 (4): 466–484.
Borgatti, S.P., Mehra, A., Brass, D.J. and Labianca, G. (2009) Network analysis in the social sciences. Science 323 (5916): 892–895.
Bradley, J. (2007) Time period and risk measures in the general risk equation. Journal of Risk Research 10 (3): 355–369.
Buldyrev, S.V., Parshani, R., Paul, G., Stanley, H.E. and Havlin, S. (2010) Catastrophic cascade of failures in interdependent networks. Nature 464 (7291): 1025–1028.
Bundesamt für Sicherheit in der Informationstechnik. (2008) Analyse Kritischer Infrastrukturen: Die Methode AKIS, https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Kritis/AKIS_2008_pdf.pdf?__blob=publicationFile, accessed 21 December 2011.
Copas, J. (1999) Statistical modelling for risk assessment. Risk Management 1 (1): 35–49.
CSIS Conference. (1998) The Y2K crisis: A global ticking time bomb? The Washington Quarterly 21 (4): 147–166.
Di Mauro, C., Bouchon, S., Logtmeijer, C., Pride, R.D., Hartung, T. and Nordvik, J.P. (2010) A structured approach to identifying European critical infrastructures. International Journal of Critical Infrastructures 6 (3): 277–292.
Dunn, M. (2004) Analysis of methods and models for CII assessment. In: M. Dunn and I. Wiegert (eds.) International CIIP Handbook 2004: An Inventory and Analysis of Protection Policies in Fourteen Countries. Zurich, Switzerland: ETH – Swiss Federal Institute of Technology, pp. 219–297.
Dunn, M. (2005) The socio-political dimensions of critical information infrastructure protection. International Journal of Critical Infrastructures 1 (2/3): 258–268.
Dunn, M. and Mauer, V. (eds.) (2006) Introduction. In: International CIIP Handbook 2006 – Vol II: Analyzing Issues, Challenges and Prospects. Zurich, Switzerland: Center for Security Studies.
Dunjo, J., Fthenakis, V., Vilchez, J. and Arnaldos, J. (2010) Hazard and operability (HAZOP) analysis: A literature review. Journal of Hazardous Materials 173 (1–3): 19–32.
European Commission. (2006) Proposal for a Directive of the Council on the Identification and Designation of European Critical Infrastructures, 16933/06, 2006/0276(CNS), 18 December, Brussels.
Freeman, L.C. (1979) Centrality in social networks conceptual clarification. Social Networks 1 (3): 215–239.
Fischer, F. (2010) Kritische Infrastrukturen Denkweisen, Zusammenhänge, Visualisierungen, Karlsruher Institut für Technologie (K.I.T.), Institut für Kern- und Energietechnik (IKET), Karlsruhe.
Gorman, S.P. (2005) Networks, Security and Complexity: The Role of Public Policy in Critical Infrastructure Protection. Cheltenham, UK: Edward Elgar.
Haimes, Y.Y. (2004) Risk Modeling, Assessment, and Management. Hoboken, NJ: John Wiley & Sons.
Haimes, Y.Y. (2009) On the complex definition of risk: A systems-based approach. Risk Analysis 29 (11): 1647–1654.
Hansen, M. (1999) Y2K the year 2000: Apocalypse soon. Professional Safety 44 (2): 37–42.
Hansson, S.O. (2010) Risk: Objective or subjective, facts or values. Journal of Risk Research 13 (2): 231–238.
International Risk Governance Council. (2006) White Paper on Risk Governance: Towards an Integrative Approach, Geneva, http://www.irgc.org/IMG/pdf/IRGC_WP_No_1_Risk_Governance__reprinted_version_.pdf, accessed 20 December 2011.
Kaplan, S. (1997) The words of risk analysis. Risk Analysis 17 (4): 407–417.
Kletz, A.T. (1997) Hazop – Past and future. Reliability Engineering and System Safety 55 (3): 263–266.
Koubatis, A. and Schonberger, J.Y. (2005) Risk management of complex critical systems. International Journal of Critical Infrastructures 1 (2/3): 195–215.
Le Grand, G., Springinsfeld, F. and Riguidel, M. (2003) Policy Based Management for Critical Infrastructure Protection: ACIP Project. Paper presented at the Annual Meeting ‘Informatik 2003’ of the German Informatics Society, Johann Wolfgang Goethe-Universität, Frankfurt am Main.
Leontief, W.W. (1951) Input–output economics. Scientific American 185 (4): 15–21.
Lewis, T. (2006) Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation. New Jersey: Wiley Interscience.
Lian, C. and Haimes, Y.Y. (2006) Managing the risk of terrorism to interdependent infrastructure systems through the dynamic inoperability input–output model. Systems Engineering 9 (3): 241–258.
Lowrance, W. (1976) Of acceptable Risk: Science and the Determination of Safety. Los Altos, CA: William Kaufmann.
Luiijf, E., Burger, H. and Klaver, M. (2003) Critical infrastructure protection in the Netherlands: A quick scan. Paper presented at the ECAIR Conference on Best Paper Proceedings in Copenhagen, http://www.crypto.rub.de/imperia/md/content/lectures/kritis/bpp_13_cip_luiijf_burger_klaver.pdf.
Lyall, C. and Tait, J. (eds.) (2005) Shifting policy debates and the implications for governance. In: New Modes of Governance: Developing an Integrated Policy Approach to Science, Technology, Risk and the Environment. Aldershot, UK: Ashgate, pp. 1–17.
North American Electric Reliability Council. (2004) Technical Analysis of the August 14, 2003, Blackout: What Happened, Why, and What Did We Learn? (2004), Report to the NERC Board of Trustees by the NERC Steering Group, July 13, http://www.nerc.com/docs/docs/blackout/NERC_Final_Blackout_Report_07_13_04.pdf, accessed 9 May 2012.
Mandel, R. (1999) Deadly Transfers and the Global Playground: Transnational Security Threats in a Disorderly World. Westport, CT: Praeger.
Perrow, C. (1999) Normal Accidents: Living with the High-Risk Technologies. Princeton, NJ: Princeton University Press.
Prezelj, I., Kopač, E., Svete, U. and Žiberna, A. (2012) Cross-sectoral scanning of critical infrastructures: From functional differences to policy-relevant similarities. Journal of Homeland Security and Emergency Management 9 (1): 1–29.
Quiggin, J. (2005) The Y2K scare: Causes, costs and cures. Australian Journal of Public Administration 64 (3): 46–55.
Quirk, M.D. and Fernandez, S.J. (2005) Infrastructure robustness for multiscale critical missions. Journal of Homeland Security and Emergency Management 2 (2), Article 2. doi: 10.2202/1547-7355.1092.
Reeve, S. and McGhee, C. (1996) The Millennium Bomb: Countdown to a £400 Billion Catastrophe. London: Vision Paperbacks.
Rinaldi, S.M., Peerenboom, J.P. and Kelly, T.K. (2001) Identifying, understanding, and analyzing critical infrastructure interdependencies. IEEE Control Systems Magazine 21 (6): 11–25.
Rosenthal, U., Charles, M. and T'hart, P. (1989) The world of crisis and crisis management. In: U. Rosenthal and P. T'hart (eds.) Coping with Crises: The Management of Disaster, Riots and Terrorism. Springfield, MA: Charles Thomas.
Santos, J.R. and Haimes, Y.Y. (2004) Modeling the demand reduction input-output (i-o) inoperability due to terrorism of interconnected infrastructures. Risk Analysis 24 (6): 1437–1451.
Shackelford, S.J. (2009) From nuclear war to net war: Analogizing cyber attacks in international law. Berkeley Journal of International Law 27 (1): 192–251.
Smith, D. and Fischbacher, M. (2009) The changing nature of risk and risk management: The challenge of borders, uncertainty and resilience. Risk Management 11 (1): 1–12.
Sophie, A. (2003) Blackout in Italy underlines need for new power plants. Christian Science Monitor 95 (213): 7.
Standards Australia & New Zealand. (2009) Risk Management – Principles and Guidelines, AS/NZS ISO 31000:2009, Council of Standards Australia and Council of Standards New Zealand: Sydney and Wellington.
The Council of The European Union. (2008) Council Directive 2008/114/EC of 8 December 2008 on the Identification and Designation of European Critical Infrastructures and the Assessment of the Need to Improve their Protection. 2008/114/EC. Sect. L 345: 75–82.
U.S.–Canada Power System Outage Task Force. (2004) Final Report on the August 14, 2003 Blackout in the United States and Canada: Causes and Recommendations. April, https://reports.energy.gov/BlackoutFinal-Web.pdf, accessed 9 May 2012.
Van Asselt, M.B.A. and Renn, O. (2011) Risk governance. Journal of Risk Research 14 (4): 431–449.
Willis, H.H. (2007) Guiding resource allocations based on terrorism risk. Risk Analysis 27 (3): 597–606.
Willis, H.H., Morral, A.R., Kelly, T.K. and Medby, J. (2005) Estimating Terrorism Risk. Santa Monica, CA: RAND Corporation.
Zimmerman, R. (2004) Decision-making and the vulnerability of interdependent critical infrastructure. Systems, Man and Cybernetics, 2004 IEEE International Conference 5 (213): 4059–4063.
Acknowledgements
The empirical part of this article was made possible by a grant from the Slovenian Research Agency and the Ministry of Defense (project title: Definition and Protection of Critical Infrastructures, CRP M5-0159). We are grateful for the comments on early drafts provided by Rae Zimmerman, Andrej Blejec, Alain de Beuckelaer and the two anonymous reviewers.
Additional information
The article was presented in 2011 at the twentieth SRA-Europe Meeting in Stuttgart.
Cite this article
Prezelj, I., Žiberna, A. Consequence-, time- and interdependency-based risk assessment in the field of critical infrastructure. Risk Manag 15, 100–131 (2013). https://doi.org/10.1057/rm.2013.1
DOI: https://doi.org/10.1057/rm.2013.1