EURO Journal on Decision Processes

, Volume 3, Issue 3–4, pp 305–337 | Cite as

Collaborative risk management for national security and strategic foresight

Combining qualitative and quantitative operations research approaches
  • Matthias Dehmer
  • Silja Meyer-Nieberg
  • Goran Mihelcic
  • Stefan Pickl
  • Martin Zsifkovits
Original Article


Public decision makers are faced with the great challenge of detecting and identifying future risks. This concerns especially the field of national security. Decision makers must be able to identify threats in order to react to them adequately and so reduce risks. For this reason, a general risk management support guideline for public decision makers is developed which focuses on national security. The objective of the framework is to identify future risks, to analyze, and to evaluate them, so that concrete actions can be set to tackle the threats. The risk management framework is based on the core of the ISO 31000 risk management norm and guides the decision maker stepwise through the complex process. Therefore, several potential techniques and tools are combined in order to gain an overall picture of several scenarios. A collaboration of subject matter experts of several disciplines constitutes an important part of the process.


Risk management Collaborative processes Knowledge management Strategic foresight Network analyses 

Mathematics subject classification




The authors would like to thank Heinrich Buch and Dieter Budde for their invaluable discussions and insights. The support by the Planungsamt der Bundeswehr is gratefully acknowledged.


  1. Aalst WVD, van Hee KM (2002) Workflow management. Models, methods, and systems. Cooperative information systems. MIT Press, CambridgeGoogle Scholar
  2. Adamic L, Huberman B (2000) Power-law distribution of the world wide web. Science 287:2115aCrossRefADSGoogle Scholar
  3. Aggestam L (2006) Learning organization or knowledge management—which came first, the chicken or the egg? Inf Technol Control 35(3A):295–302Google Scholar
  4. Amanatidou E, Butter M, Carabias V, Könnölä T, Leis M, Saritas O, Schaper-Rinkel P, van Rij V (2012) On concepts and methods in horizon scanning: lessons from initiating policy dialogues on emerging issues. Sci Public Policy 39(2):208–221CrossRefGoogle Scholar
  5. Andress J, Winterfeld S (2014) Cyber warfare: techniques, tactics and tools for security practitioners, 2nd edn. Elsevier, SyngressGoogle Scholar
  6. Barabási AL, Oltvai ZN (2004) Network biology: understanding the cell’s functional organization. Nat Rev Genet 5(2):101–113CrossRefPubMedGoogle Scholar
  7. Barth R, Meyer-Nieberg S, Pickl S, Schuler M, Wellbrink J (2012) A toolbox for operational analysis. In: Proceedings of the 2012 symposium on emerging applications of M&S in industry and academia symposium, Society for Computer Simulation International, San Diego, CA, EAIA’12, pp 3:1–3:8.
  8. Bodrow W (2006) Knowledge management in small and medium-sized enterprises. In: Wang K, Kovacs G, Wozny M, Fang M (eds) Knowledge enterprise: intelligent strategies in product design, manufacturing, and management, IFIP International Federation for Information Processing, vol 207. Springer, Boston, pp 41–53. doi: 10.1007/0-387-34403-9_5
  9. Bonchev D (1983) Information theoretic indices for characterization of chemical structures. Research Studies Press, ChichesterGoogle Scholar
  10. Bonchev D (1995) Topological order in molecules 1. Molecular branching revisited. J Mol Struct 336(2–3):137–156CrossRefGoogle Scholar
  11. Bundesamt für Sicherheit in der Informationstechnik (2013) ICS-Security-Kompendium.
  12. Bundesministerium des Innern (2009) Nationale Strategie zum Schutz Kritischer Infrastrukturen (KRITIS-Strategie).
  13. Bundesministerium des Innern (2011) Cyber-Sicherheitsstrategie für Deutschland. Technical report, Bundesministerium des Innern.
  14. Bunke H (2000) Graph matching: theoretical foundations, algorithms, and applications. Proc Vis Interface 2000:82–88Google Scholar
  15. Caralli RA, Stevens JF, Young LR, Wilson WR (2007) Introducing OCTAVE allegro: improving the information security risk assessment process. Technical Report CMU/SEI-2007-TR-012, Software Engineering Institute, Carnegie Mellon University. Accessed on 13 Nov 2014
  16. Carneiro HA, Mylonakis E (2009) Google trends: a web-based tool for real-time surveillance of disease outbreaks. Clin Infect Dis 49(10):1557–1564CrossRefPubMedGoogle Scholar
  17. Chakrabarti S (2002) Mining the web: discovering knowledge from hypertext data. Morgan Kaufmann, San FranciscoGoogle Scholar
  18. Chauke Nehme C, de Miranda Santos M, Fellows Filho L, Massari Coelho G (2012) Challenges in communicating the outcomes of a foresight study to advise decision-makers on policy and strategy. Sci Public Policy. doi: 10.1093/scipol/scs015
  19. Choi H, Varian H (2012) Predicting the present with Google trends. Econ Rec 88(1):2–9CrossRefGoogle Scholar
  20. Dehmer M (2006) Strukturelle analyse web-basierter dokumente. Multimedia und Telekooperation. Deutscher Universitäts Verlag, WiesbadenGoogle Scholar
  21. Dehmer M (2008) Information processing in complex networks: graph entropy and information functionals. Appl Math Comput 201:82–94zbMATHMathSciNetCrossRefGoogle Scholar
  22. Dehmer M, Emmert-Streib F (2014) Quantitative graph theory, theory and applications. CRC Press, Boca RatonGoogle Scholar
  23. Dehmer M, Emmert-Streib F, Graber A, Salvador A (eds) (2011) Applied statistics for network biology. Quantitative and network biology. Wiley-Blackwell, New YorkGoogle Scholar
  24. Dehmer M, Grabner M, Varmuza K (2012) Information indices with high discriminative power for graphs. PLoS ONE 7(e31):214Google Scholar
  25. Dehmer M, Kraus V, Emmert-Streib F, Pickl S (2014) What is quantitative graph theory? CRC Press, Boca Raton, pp 1–33Google Scholar
  26. Dorogovtsev SN, Mendes JFF (2003) Evolution of networks from biological networks to the internet and WWW. Oxford University Press, OxfordzbMATHCrossRefGoogle Scholar
  27. Douramanis M (2014) Risk assessment for cyber threats to networked critical infrastructure. Master’s thesis, Universiteit Leiden, Universität der Bundeswehr MünchenGoogle Scholar
  28. Emmert-Streib F, Dehmer M (eds) (2010a) Analysis of microarray data: a network-based approach. Wiley VCH Publishing, WeinheimGoogle Scholar
  29. Emmert-Streib F, Dehmer M (2010b) Identifying critical financial networks of the DJIA: towards a network based index. Complexity 16(1):24–33CrossRefGoogle Scholar
  30. Emmert-Streib F, Dehmer M (2010c) Influence of the time scale on the construction of financial networks. PLoS ONE 5(9):e12884PubMedCentralCrossRefPubMedADSGoogle Scholar
  31. Emmert-Streib F, Dehmer M (2011) Networks for systems biology: conceptual connection of data and function. IET Syst Biol 5:185–207CrossRefPubMedGoogle Scholar
  32. Epstein J (2008) Generative social science studies in agent-based computational modelling. Princeton University Press, PrincetonGoogle Scholar
  33. Erdös P, Rényi P (1960) On the evolution of random graphs. Magyar Tud Akad Mat Kutató Int Közl 5:17–61zbMATHGoogle Scholar
  34. Federal Office for Civil Protection (2014) Integrated risk management. Bern, SwitzerlandGoogle Scholar
  35. German Alliance for Cybersecurity (2014).
  36. Goldstone JA, Bates RH, Epstein DL, Gurr TR, Lustik MB, Marshall MG, Ulfelder J, Woodward M (2010) A global model for forecasting political instability. Am J Political Sci 54(1):190–208CrossRefGoogle Scholar
  37. Habegger B (2010) Strategic foresight in public policy: reviewing the experiences of the UK, Singapore, and the Netherlands. Futures 42(1):49–58MathSciNetCrossRefGoogle Scholar
  38. Harary F (1969) Graph theory. Addison Wesley Publishing Company, Reading, MAGoogle Scholar
  39. Hauschild D, Leopold A, Lohmann S, Masala C, Meyer-Nieberg S, Pickl S, Plenk S, Tepel T, Zsifkovits M (2014) Quantitative methods of future studies, final report. Universität der Bundeswehr München, Technical reportGoogle Scholar
  40. International Organization for Standardization (2009) ISO 31000:2009 risk management—guidelines for principles and implementation of risk managementGoogle Scholar
  41. Klipper S (2011) Information security risk management, Risikomanagement mit ISO/IEC 27001, 27005 und 31010. Springer, New YorkGoogle Scholar
  42. Kosala R, Blockeel H (2000) Web mining research: a survey. SIGKDD Explor 2(1):1–15Google Scholar
  43. Kushner D (2013) The real story of Stuxnet. IEEE Spectr 50(3):48–53MathSciNetCrossRefGoogle Scholar
  44. Leigh A (2003) Thinking ahead: Strategic foresight and government. Aust J Public Adm 62(2):3–10. doi: 10.1111/1467-8497.00320 CrossRefGoogle Scholar
  45. Li X, Gutman I (2006) Mathematical aspects of Randić-type molecular structure descriptors. University of Kragujevac and Faculty of Science Kragujevac, Mathematical Chemistry MonographsGoogle Scholar
  46. Liljenstam M, Liu J, Nicol DM, Yuan Y, Yan G, Grier C (2006) Rinse: the real-time immersive network simulation environment for network security exercises (extended version). Simulation 82(1):43–59. doi: 10.1177/0037549706065544 CrossRefGoogle Scholar
  47. Lovász L, Pelikán J (1973) On the eigenvalues of trees. Period Math Hung 3(1–2):175–182zbMATHCrossRefGoogle Scholar
  48. Lund MS, Solhaug B, Stølen K (2011) Model-driven risk analysis: the CORAS approach. Springer, BerlinGoogle Scholar
  49. Macal CM, North MJ (2010) Tutorial on agent-based modelling and simulation. J Simul 4(3):151–162CrossRefGoogle Scholar
  50. Maier R (2004) Knowledge management systems. Information and communication technologies for knowledge management. Springer, BerlinGoogle Scholar
  51. Maier R (2007) Knowledge management systems—information and communication technologies for knowledge management. Springer, BerlinGoogle Scholar
  52. Masala C, Pickl S (2013) Foresight analysis: quantitative methoden der Zukunftsanalyse. In: Wehrwissenschaftliche Forschung—Jahresbericht 2013, Bundesministerium der Verteidigung, pp 58–59Google Scholar
  53. Masala C, Pickl S, Klüfers P, Leopold A, Lohmann S, Tsetsos K, Tepel T (2014) Future methods catalogue. Universität der Bundeswehr München, Technical reportGoogle Scholar
  54. Miles I, Saritas O (2012) The depth of the horizon: searching, scanning and widening horizons. Foresight 14(6):530–545. doi: 10.1108/14636681211284953
  55. Minoli D (1975) Combinatorial graph complexity. Atti Accad Naz Lincei, VIII Ser, Rend, Cl Sci Fis Mat Nat 59:651–661MathSciNetGoogle Scholar
  56. Mowsho-witz A, Dehmer M (2012) Entropy and the complexity of graphs revisited. Entropy 14(3):559–570MathSciNetCrossRefADSGoogle Scholar
  57. National Institute of Standards and Technology (2011) Managing information security risk: organization, mission, and information system view. Accessed 13 Nov 2014
  58. National Research Council (2010) Letter report for the committee on deterring cyberattacks: informing strategies and developing options for U.S. policy. Technical report, National Research CouncilGoogle Scholar
  59. Newman MEJ (2003) The structure and function of complex networks. SIAM Rev 45:167–256zbMATHMathSciNetCrossRefADSGoogle Scholar
  60. Noel S, Jajodia S, Wang L, Singhal A (2010) Measuring security risk of networks using attack graphs. Int J Next-Gener Comput 1(1):135–147Google Scholar
  61. NYS Office of Cyber Security (2012) Cybersecurity: risk management. Accessed 10 Aug 2014
  62. Palomino MA, Taylor T, Owen R (2012) Towards the development of an automated, web-based, horizon scanning system. In: Federated conference on computer science and information systems (FedCSIS), IEEE 2012, pp 1009–1016Google Scholar
  63. Pickl S, Meyer-Nieberg S, Wellbrink J (2012) Reducing complexity with evolutionary data farming. SCS M&S Magazine, pp 47–53. ISBN 1-56555-374-8Google Scholar
  64. Pinson S, Moraitis P (1997) An intelligent distributed system for strategic decision making. Group Decis Negot 6(1):77–108. doi: 10.1023/A:1008640625674 CrossRefGoogle Scholar
  65. Rademaker M (2009) National security strategy of the netherlands: an innovative approach. Inf Secur 23(1):51–61Google Scholar
  66. Ralson P, Graham J, Hieb J (2007) Cyber security risk assessment for SCADA and DCS networks. ISA Trans 46:583–594CrossRefGoogle Scholar
  67. Roy Sarkar K (2010) Assessing insider threats to information security using technical, behavioural and organisational measures. Inform Secur Tech Rep 15(3):112–133CrossRefGoogle Scholar
  68. Schneeweiss CA (2003) Distributed decision making, 2nd edn. Springer, BerlinGoogle Scholar
  69. Schöhnbohm A (2011) Deutschlands sicherheit: cybercrime und cyberwar. Monsenstein und VannerdatGoogle Scholar
  70. Schutte M, Dehmer M (2013) Large-scale analysis of structural branching measures. J Math Chem 52(3):805–819MathSciNetCrossRefGoogle Scholar
  71. Shakarian P, Shakarian J, Ruef A (2013) Introduction to cyber-warfare. A multidisciplinary approach. Syngress/Elsevier, WalthamGoogle Scholar
  72. Singer P, Friedman J (2014) Cybersecurity and cyberwar. Oxford University Press, OxfordGoogle Scholar
  73. Soanes C, Stevenson A (eds) (2009) Oxford dictionary of English. Oxford University Press, OxfordGoogle Scholar
  74. Sobik F (1982) Graphmetriken und Klassifikation strukturierter Objekte. ZKI-Informationen, Akad Wiss DDR 2(82):63–122Google Scholar
  75. Sokolova A, Makarova E (2013) Integrated framework for evaluation of national foresight studies. In: Meissner D, Gokhberg L, Sokolov A (eds) Science, technology and innovation policy for the future. Springer, Berlin, pp 11–30. doi: 10.1007/978-3-642-31827-6_2
  76. Stenberg M (2006) Managing the knowledge of the organization. In: Zielinski C, Duquenoy P, Kimppa K (eds) The Information Society: emerging landscapes. IFIP International Federation for Information Processing, vol 195. Springer Boston, pp 223–242. doi: 10.1007/0-387-31168-8_14
  77. Stutzki J (2014) Multilingual trend detection in the web, In: Proceedings of the 4th student conference on operational research SCOR 2014, OASICS, vol 37, pp 16–24Google Scholar
  78. The SANS institute (2014). Accessed 04 Oct 2014
  79. Todeschini R, Consonni V, Mannhold R (2002) Handbook of molecular descriptors. Wiley-VCH, WeinheimGoogle Scholar
  80. US Enterprise Information Security Office (2014). Accessed 03 Oct 2014
  81. Vester F (2000) Die Kunst vernetzt zu denken: Ideen und Werkzeuge für einen neuen Umgang mit Komplexität. DVA StuttgartGoogle Scholar
  82. Wong KY (2005) Critical success factors for implementing knowledge management in small and medium enterprises. Ind Manage Data Syst 105(3):261–279CrossRefGoogle Scholar
  83. Zelinka B (1975) On a certain distance between isomorphism classes of graphs. Časopis pro \({\overset{\lower0.5em\hbox{$\smash{\scriptscriptstyle\smile}$}}{\text{p}}}{\text{est}}\) Math 100:371–373Google Scholar
  84. Zentis T, Czech A, Prefi T, Schmitt R (2011) Technisches Risikomanagement in produzierenden Unternehmen. Apprimus Verlag, AachenGoogle Scholar
  85. Zsifkovits M, Pickl S, Meyer-Nieberg S (2014) Operations research for risk management in strategic foresight. Planet@Risk SubmittedGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg and EURO - The Association of European Operational Research Societies 2015

Authors and Affiliations

  • Matthias Dehmer
    • 1
  • Silja Meyer-Nieberg
    • 1
  • Goran Mihelcic
    • 1
  • Stefan Pickl
    • 1
  • Martin Zsifkovits
    • 1
  1. 1.Fakultät für InformatikUniversität der Bundeswehr MünchenNeubibergGermany

Personalised recommendations