Risk-Based Criticality Analysis

  • Marianthi Theoharidou
  • Panayiotis Kotzanikolaou
  • Dimitris Gritzalis
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 311)


Critical infrastructure protection requires the evaluation of the criticality of infrastructures and the prioritization of critical assets. However, criticality analysis is not yet standardized. This paper examines the relation between risk and criticality. It analyzes their similarities and differences in terms of scope, aims, impact, threats and vulnerabilities, and proposes a generic risk-based criticality analysis methodology. The paper also presents a detailed list of impact criteria for assessing the criticality level of infrastructures. Emphasis is placed on impact types that are society-centric and/or sector-centric, unlike traditional risk analysis methodologies, which mainly consider organization-centric impact.


Keywords: Risk analysis, criticality, impact



Copyright information

© IFIP International Federation for Information Processing 2009
