Abstract
Critical infrastructure protection requires evaluating the criticality of infrastructures and prioritizing critical assets, but criticality analysis is not yet standardized. This paper examines the relation between risk and criticality: it analyzes their similarities and differences in scope, aims, impact, threats and vulnerabilities, and proposes a generic risk-based criticality analysis methodology. It also presents a detailed list of impact criteria for assessing the criticality level of infrastructures. Emphasis is placed on impact types that are society-centric and/or sector-centric, unlike traditional risk analysis methodologies, which mainly consider organization-centric impact.
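The distinction the abstract draws, between organization-centric risk analysis and a criticality analysis that also scores sector-centric and society-centric impact, is easiest to see on a small inventory. The following is an added illustration written for this page, not the paper's own methodology or criteria list: the criterion names, the 1..5 qualitative scale, the max-aggregation rule, the risk formula (likelihood x vulnerability x criticality) and the three sample assets with their threats are all constructed assumptions. It shows how the same assets rank in a different order depending on which impact scopes are counted.

```python
"""Risk-based criticality scoring: an added illustration, not the paper's method.

Criteria names, the 1..5 scale, the aggregation rule and the sample assets
below are constructed assumptions for this example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

SCALE_MIN, SCALE_MAX = 1, 5  # qualitative 1..5 scale (assumed)

# Impact criteria grouped by whose loss they measure. Organization-centric
# risk analysis uses only the first group; criticality analysis adds the
# sector- and society-centric groups. Names are illustrative assumptions.
CRITERIA: Dict[str, Tuple[str, ...]] = {
    "organization": ("financial_loss", "operational_disruption", "reputation"),
    "sector": ("dependent_operators_affected", "sector_service_outage"),
    "society": ("casualties", "population_without_service", "public_order"),
}
ALL_SCOPES = tuple(CRITERIA)


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int     # 1..5: how likely the threat materialises
    vulnerability: int  # 1..5: how exposed the asset is to this threat


@dataclass(frozen=True)
class Asset:
    name: str
    impact: Dict[str, int]    # criterion -> 1..5, worst credible consequence of loss
    threats: Tuple[Threat, ...]


def _check_scale(value: int, what: str) -> None:
    """Reject scores outside the qualitative scale instead of silently ranking on them."""
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{what}={value} outside {SCALE_MIN}..{SCALE_MAX}")


def criticality(asset: Asset, scopes: Iterable[str] = ALL_SCOPES) -> int:
    """Worst impact over every criterion of the chosen scopes.

    Max-aggregation is an assumption of this example: one catastrophic
    consequence makes the asset critical regardless of the other criteria.
    A criterion missing from the asset's assessment counts as SCALE_MIN.
    """
    scores = []
    for scope in scopes:
        for criterion in CRITERIA[scope]:
            value = asset.impact.get(criterion, SCALE_MIN)
            _check_scale(value, criterion)
            scores.append(value)
    return max(scores)


def risk(asset: Asset, scopes: Iterable[str] = ALL_SCOPES) -> int:
    """Risk = max over the asset's threats of likelihood x vulnerability x criticality."""
    scopes = tuple(scopes)
    crit = criticality(asset, scopes)
    worst = 0
    for t in asset.threats:
        _check_scale(t.likelihood, f"{t.name}.likelihood")
        _check_scale(t.vulnerability, f"{t.name}.vulnerability")
        worst = max(worst, t.likelihood * t.vulnerability * crit)
    return worst


def rank(assets: Iterable[Asset], scopes: Iterable[str] = ALL_SCOPES) -> List[str]:
    """Asset names from highest to lowest risk under the chosen impact scopes."""
    scopes = tuple(scopes)
    return [a.name for a in sorted(assets, key=lambda a: risk(a, scopes), reverse=True)]


# Constructed sample inventory (not real infrastructure data).
SAMPLE_ASSETS = (
    Asset("payroll_datacenter",
          {"financial_loss": 5, "operational_disruption": 4, "reputation": 3,
           "dependent_operators_affected": 1, "sector_service_outage": 1,
           "casualties": 1, "population_without_service": 1, "public_order": 1},
          (Threat("ransomware", likelihood=4, vulnerability=3),)),
    Asset("water_treatment_scada",
          {"financial_loss": 2, "operational_disruption": 3, "reputation": 2,
           "dependent_operators_affected": 3, "sector_service_outage": 4,
           "casualties": 4, "population_without_service": 5, "public_order": 3},
          (Threat("remote_access_compromise", likelihood=3, vulnerability=5),)),
    Asset("regional_substation",
          {"financial_loss": 3, "operational_disruption": 3, "reputation": 2,
           "dependent_operators_affected": 5, "sector_service_outage": 4,
           "casualties": 2, "population_without_service": 4, "public_order": 3},
          (Threat("physical_sabotage", likelihood=2, vulnerability=2),
           Threat("control_network_intrusion", likelihood=3, vulnerability=3))),
)

if __name__ == "__main__":
    for label, scopes in (("organization-centric", ("organization",)),
                          ("society-centric", ("society",)),
                          ("all scopes", ALL_SCOPES)):
        print(f"{label:20s}: {rank(SAMPLE_ASSETS, scopes)}")
```

With only the organization-centric criteria the payroll data centre comes first (its financial loss dominates); counting the society-centric criteria moves the water treatment SCADA system to the top and the payroll system to the bottom, which is the reordering a criticality analysis is meant to surface. The max-aggregation and multiplicative risk formula are choices for this illustration; a weighted sum over criteria, or separate thresholds per scope, would be equally valid ways to build the same ranking.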
© 2009 IFIP International Federation for Information Processing
Theoharidou, M., Kotzanikolaou, P., Gritzalis, D. (2009). Risk-Based Criticality Analysis. In: Palmer, C., Shenoi, S. (eds) Critical Infrastructure Protection III. ICCIP 2009. IFIP Advances in Information and Communication Technology, vol 311. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04798-5_3
DOI: https://doi.org/10.1007/978-3-642-04798-5_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-04797-8
Online ISBN: 978-3-642-04798-5
eBook Packages: Computer Science, Computer Science (R0)