Explain Risk management and risk analysis and their relationship to critical infrastructure protection.
Effective risk assessment methodologies are the cornerstone of a successful Critical Infrastructure
Protection programme. The extensive number of risk assessment methodologies for critical
infrastructures clearly supports this argument. Risk assessment is indispensable in order to identify threats, assess
vulnerabilities and evaluate the impact on assets, infrastructures or systems, taking into account the
probability of the occurrence of these threats. This is a critical element that differentiates a risk assessment
from a typical impact assessment methodology.
There is a significant number of risk assessment methodologies for critical infrastructures. In
general the approach that is used is rather common and linear, consisting of some main elements:
identification and classification of threats, identification of vulnerabilities and evaluation of impact. This is a
well-known and established approach for evaluating risk and it is the backbone of almost all risk assessment
methodologies.
However, risk assessment methodologies differ widely in their scope,
the audience to which they are addressed (policy makers, decision makers, research institutes)
and their domain of applicability (asset level, infrastructure/system level, system of systems level). These
attributes are not mutually exclusive, in the sense that the domain of applicability defines to a certain
extent the target group of the methodology. For example, a risk assessment methodology that is applicable
to a system of systems at national or even supranational level is mostly addressed to policy makers and
relevant authorities and less to operators or to asset managers at local level.
Methodologies developed for certain assets are well defined, tested and validated, and the vast
majority follow the linear approach already mentioned. However, methodologies that aim at assessing risks
at a higher level, e.g. networked systems, require further refinement. Detailed risk assessment is no longer
applicable and a certain level of abstraction is necessary. Representing all assets of a networked
system at the highest level of detail (mostly an operator’s approach) leads to unprecedented complexity
that is out of scope for policy and decision makers. This target group requires simplified solutions
that can provide results even in real time.
The second important parameter that enters the picture for risk assessment methodologies of
networked infrastructures is the element of interdependencies. According to the work of Rinaldi et al.
[1], four types of interdependencies are identified for critical infrastructures:
• Physical: The operation of one infrastructure depends on the material output of the other.
• Cyber: Dependency on information transmitted through the information infrastructure.
• Geographic: Dependency on local environmental effects that simultaneously affect several
infrastructures.
• Logical: Any kind of dependency not characterized as Physical, Cyber or Geographic.
Besides cross-sectoral interdependencies (e.g. ICT and Electricity, Satellite navigation and
Transport), at European level one can identify intra-sectoral interdependencies of national infrastructures that
form European infrastructures. As a concrete example we can mention the high voltage electricity grid
that is composed of the interconnected national high-voltage electricity grids.
As mentioned before, the domain of applicability of a risk assessment methodology may be the
most important attribute. According to this attribute, CIP risk assessment methodologies can be divided
into two major categories: sectoral methodologies, where each sector is treated separately with its own risks
and ranking, and systems approaches that assess the critical infrastructures as an interconnected network.
Methodologies that were initially conceptualised to fit in the second category are rather limited.
The vast majority of the existing work has been sectoral and mostly at asset level. These methodologies
have then been extended to cope with networked systems. This reflects the natural evolution of risk
assessment methodologies already existing at organizational level to address issues at sectoral level. These
methodologies reveal their limitations when cross-sectoral issues have to be addressed.