The Protection of Critical Infrastructure: Six Questions, a Changing Threat, And an Unknown Number of Algorithms

by Dr. Bilal Ayyub

The following Special Report by Dr. Ayyub is about a project being carried out for the Maryland Emergency Management Agency that should be of vital interest to first responders and others involved – at the local, state, and/or federal levels (the international level as well) – in the protection of critical infrastructure.

The U.S. Department of Homeland Security (DHS) has identified what are called “risk methods” as the primary underlying framework for system evaluations, operational assessments, technology assessments, resource and support analyses, and field operations analyses. In that context, the protection of critical-infrastructure and key-resource (CI/KR) assets for homeland security requires both the allocation of finite available resources and the making of choices – from among a large set of protective actions that might be implemented – to reduce risk.

Decisions on resource allocation, therefore, are among the most significant challenges facing the nation’s homeland-security community.  The principal difficulty in making such decisions stems not only from the nature of the hazards themselves, but also from the complexity of the numerous decision variables involved.  Unlike risks associated with natural disasters – or unintentional human-caused disasters – most if not all of the risks associated with security hazards result from the fact that these hazards are deliberately created by an adversary who: (a) has intent or motivation (political, economic, cultural, religious, and/or personal); (b) possesses variable and broad capabilities – e.g., weapons (perhaps even including weapons of mass destruction, or WMDs), manpower, access, intelligence; and (c) is “dynamic” in the sense of being responsive to countermeasures and therefore able to change his own tactics and capabilities, and/or the targets he has selected.  

The spectrum of security hazards is a wide one, ranging from vandalism and pilferage to sabotage and explosive attacks. However, small-scale security hazards such as vandalism and pilferage usually do not aim to disrupt vital services, and cause relatively little physical damage to property. In contrast, larger-scale sabotage and explosive attacks typically are carried out with the objective of producing numerous casualties, and/or disrupting vital services, or destroying the significant symbols of a society (the Statue of Liberty, for example, or the Washington Monument).  Indeed, the objective of those carrying out terrorist-style attacks may not be to defeat the target nation’s military forces or security capabilities per se, but to achieve their goals by significantly disrupting the economic system, governmental processes, and societal norms of the nation targeted.  

Deliberate and Unpredictable Hazards

Security hazards are similar to natural hazards in at least one respect – namely, that both use some type of “external loading” to attack their targets; disruption of the target occurs when that loading exceeds the capacity of the target to resist it.  However, natural hazards are indiscriminate about the targets they affect – and they occur, moreover, in a somewhat random yet predictable manner. In contrast, security hazards are deliberate and much less predictable, with an adversary selectively choosing one or more from a broad spectrum of possible targets – basing that selection, usually, on his own perception of the risks involved and the potential rewards likely to result from an attack.

In that context, security hazards might be more precisely defined as asymmetric threats against society in which the attackers choose high-value targets in a manner consistent with their own objectives and perceived capabilities, and leverage the force-multiplying effect of surprise to achieve success against defenders who are either unaware of the threat or unprepared to defend themselves against usually unknown tactics.  

Because the threat (or security hazard) landscape is constantly changing, it is not possible to use historical data alone to assess the probability of an attack. Instead, such an assessment requires consideration of a number of interrelated factors, including but not limited to trends in adversary ideology, technological innovations, the relative effectiveness of various possible countermeasures, and the proliferation of open-source information about potential targets of opportunity.

The difficulties involved in making such assessments are illustrated by the fact that a recent study shows that, since the 9/11 terrorist attacks against the United States, many of the countermeasures put in place to defeat terrorism actually have done little to reduce possible recurrences but, rather, have caused the perpetrators of international terrorism to shift toward less logistically complex tactics to achieve their goals. Strategic planning for reducing exposure to risks arising from security hazards therefore requires, among other things, both the extensive use of expert opinion to assess rates and probabilities of occurrence (based on whatever evidence is available) and similarly expert projections of future trends.

However, simply waiting for the emergence of a security hazard prior to a thorough assessment of risk gives an asymmetric advantage to the adversary – namely, the lack of defender knowledge about potential system weaknesses, which leads in turn to an overall lack of preparedness to respond to unknown security hazards. The end result is the creation of situations in which the adversary can use the defender’s ignorance to his advantage.

Asset-Driven vs. Hazard-Driven Analysis

Because of the constantly evolving and uncertain hazard environment, risk assessment and management related to the protection of CI/KR assets must necessarily begin with the identification of critical systems and networks the destruction or significant disruption of which could pose unacceptable consequences. After these critical elements have been identified, analyses can be carried out to identify their susceptibilities to a wide spectrum of security hazards. Considered together, the critical elements and their susceptibilities form what are called hazard scenarios.  

The next task is to analyze the consequences and vulnerabilities involved in each of the hazard scenarios that have been developed to determine the conditional risk likely when/if an attack has occurred. The use of an asset-driven approach differs significantly from use of a hazard-driven approach, which requires consideration of a sufficiently probable threat prior to a subsequent risk assessment.  One of the principal advantages of using an asset-driven approach is that all analysis is completed prior to an incident to determine a set of hazards to be concerned about, rather than waiting for the emergence of a threat before beginning a vulnerabilities-and-consequences study. Another advantage is that knowledge of the conditional risk associated with a given hazard supports security-investment decisions without knowledge of the actual hazard likelihood. Additional information about the likelihood of a hazard, combined with the conditional risk, gives the total residual risk exposure, which accounts for the net reduction in risk made possible by existing risk-reduction measures. If the potential consequences, and/or conditional risk, and/or residual risk for a given hazard scenario exceeds a previously defined threshold, that scenario may then be flagged for follow-on risk-management activities.

The Management and Mitigation of Risk

Risk management entails the identification of corrective actions, including countermeasures and mitigation strategies (collectively called investment alternatives), for high-risk hazard scenarios that – in an efficient and cost-effective manner, and with limited impact on future options – will reduce or minimize the risks considered likely. In this context, a countermeasure is defined as an action taken, or a physical capability provided, the principal purpose of which is to reduce or eliminate one or more vulnerabilities and/or to reduce the rate of occurrence of security-hazard events.

For clarification: Consequence mitigation is the term used to describe preplanned and coordinated actions or system features that are designed to: reduce or minimize the damage caused by attacks (consequences of an attack); support and complement emergency forces (first responders); facilitate field-investigation and crisis-management response; and facilitate recovery and reconstitution for enhancing system resiliency.  Consequence mitigation also may include steps taken to reduce short- and long-term impacts, such as providing alternative sources of supply for critical goods and services.

Mitigation actions and strategies are intended to reduce the consequences (impacts) of an attack and make a system resilient, whereas countermeasures are intended to reduce the probability that an attack will succeed in causing a failure or significant damage. For each set of strategies, tradeoffs are made between their benefits and respective costs to maximize return on investment; strategies with a high benefit-to-cost ratio are preferable to those with a smaller potential return on investment.

A Rational Case for the Probabilistic Approach

The computation of defensible benefit-to-cost ratios requires that all potential initiating events, in this case security hazards, be considered within a unified probabilistic framework.  In addition, all aspects of risk, including consequence (economic, public health and safety, etc.), vulnerability (security and physical), and hazard likelihood should be considered probabilistically. Although a qualitative approach that assesses risks as high, medium, or low appears simple to use and has appealing consensus-building properties, the assessments produced by this approach often lead to erroneous or uninformative results, especially when trying to discriminate among quantitatively small and quantitatively large risks.  

In contrast, a more robust probabilistic approach permits a rational and coherent comparison among decision alternatives to determine the most cost-effective risk-reduction strategies.  Moreover, knowledge of the most likely quantitative risks resulting from various investment alternatives facilitates a rational comparison with other societal risks – e.g., fires, earthquakes, diseases, floods, and other natural hazards – that can be used both to determine relative risks and to assist in establishing acceptable risk levels and achieve all-hazard objectives.  

Risk analyses that are carried out for the protection of CI/KR assets, and that include appropriate risk-assessment and management factors, should be conducted at two levels: the asset level, and the portfolio level. At the asset level, a survey of critical elements, their functions, and the likely consequences of disruption – as well as their physical and security vulnerabilities – provides insight into the range of actions that can be taken by the asset owner to reduce his overall exposure to the risks likely from the full spectrum of potential security hazards.

At the portfolio level, total risk exposure can be assessed by hazard, region, jurisdiction, or infrastructure sector, and investment decisions can be made to reduce the overall portfolio risk to an acceptable level. Ideally, both levels of analysis should share a common analytical framework that supports the decisions made by all stakeholders, thus enabling the information collected at the asset level to support decisions made at the portfolio level, and vice versa.
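The conditional-risk, residual-risk and benefit-to-cost arithmetic described in the preceding sections, together with the asset-to-portfolio roll-up, as an added example that is not the article's or the Maryland project's code; the multiplicative risk form, the dollar bins used for the high/medium/low scale, and the sample scenarios are all assumptions.

```python
# Added example (not the article's or the Maryland project's code). The product form
# likelihood x vulnerability x consequence and every figure below are assumptions.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Scenario:
    asset: str
    hazard: str
    consequence: float    # expected loss if the attack succeeds (assumed: dollars)
    vulnerability: float  # P(attack succeeds | attack occurs), in [0, 1]
    likelihood: float     # expert-assessed P(attack occurs within a year)

def conditional_risk(s: Scenario) -> float:
    """Expected loss given that an attack occurs; needs no likelihood estimate."""
    return s.vulnerability * s.consequence

def residual_risk(s: Scenario) -> float:
    """Conditional risk weighted by hazard likelihood (net of existing measures)."""
    return s.likelihood * conditional_risk(s)

def qualitative_bin(risk: float, low: float = 1e5, high: float = 1e6) -> str:
    """The high/medium/low scale the article cautions against: every exposure
    above `high` collapses into one label, however large it is."""
    return "low" if risk < low else "medium" if risk < high else "high"

@dataclass(frozen=True)
class Investment:
    name: str
    cost: float
    vulnerability_factor: float = 1.0  # < 1.0 for a countermeasure
    consequence_factor: float = 1.0    # < 1.0 for a mitigation strategy

def benefit_cost_ratio(s: Scenario, inv: Investment) -> float:
    """Annual residual-risk reduction bought per dollar spent on `inv`."""
    after = replace(s, vulnerability=s.vulnerability * inv.vulnerability_factor,
                    consequence=s.consequence * inv.consequence_factor)
    return (residual_risk(s) - residual_risk(after)) / inv.cost

def portfolio_risk(scenarios, key=lambda s: s.asset) -> dict:
    """Portfolio-level roll-up of residual risk by asset, sector, region, etc."""
    totals: dict = {}
    for s in scenarios:
        totals[key(s)] = totals.get(key(s), 0.0) + residual_risk(s)
    return totals

# Constructed sample scenarios; the numbers are illustrative only.
SCENARIOS = [
    Scenario("water plant", "sabotage", 5.0e7, 0.6, 0.05),
    Scenario("water plant", "vandalism", 2.0e5, 0.9, 0.80),
    Scenario("bridge", "explosive attack", 2.0e9, 0.3, 0.02),
]
```

With these figures the sabotage and explosive-attack scenarios both bin as "high" although the bridge exposure is eight times larger, while a consequence-mitigation option (e.g. an alternative supply that cuts consequence to 40% for $1M) returns a higher benefit-to-cost ratio than a countermeasure that halves vulnerability for $2M.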

National Benefits From a Common Framework

The objective of the project being carried out for the Maryland Emergency Management Agency is to develop a practical methodology for analyzing, assessing, and reporting risks associated with critical infrastructure and key resources within the State of Maryland. The information developed will be used both for the purpose of screening and preliminary ranking, and for the prioritization of portfolio risk management and resource allocation. The proposed risk assessment and management framework for security hazards seeks answers to the following six questions:

  1. What could happen?
  2. How can it happen?
  3. How likely is it to happen?
  4. What are the consequences if it happens?
  5. What can be done to reduce the risks in a cost-effective manner?
  6. What effect will these risk-management decisions have on subsequent risks and options?

Upon completion, this project will provide the procedures needed to carry out a screening-level risk analysis of a county, sector, or region – or, in fact, the entire inventory of assets within any specific jurisdiction. Among the more important “deliverables” expected from the project is a State of Maryland Guide – which can be used not only by other states but also by first responders throughout the country – on The Protection of Critical Infrastructure and Key Resources for Homeland Security.

Separate sections of the Guide will describe and illustrate, among other things: the practical methodology followed in carrying out the project; the database architecture and computational algorithms used to implement the methodology; a user interface for data entry and reporting that includes risk summaries by hazard type, asset and resource types, geographic location, the benefit-cost ratios of various countermeasures and mitigation strategies, and the conditional and residual risks factored into the equation.

Most important of all, perhaps, is that the methodology developed for the project will provide a common framework that can be used to support the resource-allocation decisions made by all stakeholders ranging from asset owners to the State of Maryland’s homeland-security officials.

Professor Bilal M. Ayyub, PhD, is director of the Center for Technology and Systems Management in the Department of Civil and Environmental Engineering at the University of Maryland in College Park, Md., and a fellow of ASCE, ASME and SNAME, with more than 400 publications including Risk Analysis in Engineering and Economics, CRC Press, and the ASME Risk Assessment and Management for Critical Asset Protection (RAMCAP). Several other personnel from the center also are serving on his project team. Guidance on the project is being provided by the Maryland Emergency Management Agency; guidance on information security and on various legal issues relevant to the project is being provided by personnel from the University of Maryland’s Center for Health and Homeland Security.