Risk Assessment of Multi-Order Dependencies between Critical Information and Communication Infrastructures

Assessing Risk And Dependencies

Traditional risk assessment methodologies for ICT systems, i.e. the ISO27005 standard, assess information risk only within the system or organization in question. They do not assess parameters such as the potential effect of a failure or disruption to dependent infrastructures or the impact to society. This is natural in the context of a single organization, since the management is interested to know what are the possible consequences (economical, business, legal or other) for the organization in question, in case of a security incident. Recent research on targeted to CIP risk assessment methodologies however, has indicated the need to also consider external effects. From a macroscopic view, what makes an infrastructure “critical” is the fact that it affects many others connected with it, who are mostly outsiders for the organization operating the CI. Thus, the criticality of an asset depends not only on the potential impact of a security incident on the operator of a CI, but also on the outgoing societal risk caused to other dependent organizations (Theoharidou et al., 2009).