Risk Assessment of Multi-Order Dependencies between Critical Information and Communication Infrastructures

Panayiotis Kotzanikolaou (University of Piraeus, Greece), Marianthi Theoharidou (Athens University of Economics & Business, Greece) and Dimitris Gritzalis (Athens University of Economics & Business, Greece)
DOI: 10.4018/978-1-4666-2964-6.ch008

Abstract

Assessing risk in information and communication infrastructures is a challenging topic due to the complexity of critical infrastructures (CIs) and of the various dependencies between such infrastructures. This chapter discusses the basic concepts of risk assessment for CIs. Moreover, it describes a recently proposed methodology for criticality assessment. The main goal of this methodology is to assess the risk of an infrastructure (or a sector of critical infrastructures), taking into account the dependencies between CIs and/or sectors. The methodology is compatible with current information systems practices. The basic characteristic of the presented methodology is that it attempts to capture both organization-oriented and society-oriented consequences of possible security events, a feature which is not always embedded in mainstream information security risk assessment methodologies.
Chapter Preview

Assessing Risk And Dependencies

Traditional risk assessment methodologies for ICT systems, such as the ISO 27005 standard, assess information risk only within the system or organization in question. They do not assess parameters such as the potential effect of a failure or disruption on dependent infrastructures, or the impact on society. This is natural in the context of a single organization, since management is interested in knowing the possible consequences (economic, business, legal or other) for the organization in question in case of a security incident. Recent research on risk assessment methodologies targeted at CIP, however, has indicated the need to also consider external effects. From a macroscopic view, what makes an infrastructure “critical” is the fact that it affects many others connected with it, most of which are outside the organization operating the CI. Thus, the criticality of an asset depends not only on the potential impact of a security incident on the operator of a CI, but also on the outgoing societal risk caused to other dependent organizations (Theoharidou et al., 2009).
