Multi-categorical Risk Assessment for Urban Critical Infrastructures

  • Conference paper
Critical Information Infrastructures Security (CRITIS 2021)

Abstract

Measuring risk in multiple dimensions is vital for a comprehensive understanding and for risk analysis. We therefore propose to use multiple impact categories. This yields generalized multi-categorical risk measures, depending on how the likelihood of occurrence is measured. For the one-dimensional case, risk is measured through a vector, while in the multi-dimensional case an entire matrix of risk scores arises. This multidimensional view is intended to increase the understanding of relevant risks and to provide valuable input to risk treatment.

Acknowledgement

This work was supported by the research project ODYSSEUS (“Simulation und Analyse kritischer Netzwerk-Infrastrukturen in Städten”) funded by the Austrian Research Promotion Agency under Grant No. 873539.

Author information

Corresponding author

Correspondence to Sandra König.

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

König, S., Schauer, S., Rass, S. (2021). Multi-categorical Risk Assessment for Urban Critical Infrastructures. In: Percia David, D., Mermoud, A., Maillart, T. (eds) Critical Information Infrastructures Security. CRITIS 2021. Lecture Notes in Computer Science, vol 13139. Springer, Cham. https://doi.org/10.1007/978-3-030-93200-8_9

  • DOI: https://doi.org/10.1007/978-3-030-93200-8_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-93199-5

  • Online ISBN: 978-3-030-93200-8

  • eBook Packages: Computer Science, Computer Science (R0)
