Abstract
Measuring risk in multiple dimensions is vital for a comprehensive understanding and for risk analysis. Therefore, we here propose to use multiple impact categories. This yields generalized multi-categorical risk measures, depending on how the likelihood of occurrence is measured. For the one-dimensional case, risk is measured through a vector, while in the multi-dimensional case an entire matrix of risk scores arises. This multidimensional view is intended to improve the understanding of relevant risks and provides valuable input to risk treatment.
Acknowledgement
This work was supported by the research project ODYSSEUS (“Simulation und Analyse kritischer Netzwerk-Infrastrukturen in Städten”), funded by the Austrian Research Promotion Agency under Grant No. 873539.
Copyright information
© 2021 Springer Nature Switzerland AG
Cite this paper
König, S., Schauer, S., Rass, S. (2021). Multi-categorical Risk Assessment for Urban Critical Infrastructures. In: Percia David, D., Mermoud, A., Maillart, T. (eds) Critical Information Infrastructures Security. CRITIS 2021. Lecture Notes in Computer Science(), vol 13139. Springer, Cham. https://doi.org/10.1007/978-3-030-93200-8_9
DOI: https://doi.org/10.1007/978-3-030-93200-8_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-93199-5
Online ISBN: 978-3-030-93200-8