It is impossible to achieve a critical infrastructure that is secured for one hundred percent. One of the main conclusions of the KWINT study on the vulnerabilities of the (Netherlands section of the) Internet is that the aim of the Dutch Government should be to prevent incidents, to reduce critical infrastructure vulnerabilities to an acceptable level for society, and to ensure that control of the critical infrastructure is restored as quickly as possible after a high-impact disturbance affects the (Netherlands) information infrastructure. And as the Netherlands Internet infrastructure is a vital node in the European information infrastructure, disturbances in the Netherlands Internet might have a large impact on other Europeancountries as well. The work towards this aim is a central co-ordination of the quality improvement effort that must involve all segments of the community participating in the Internet. This paper describes the processes, models and analysis techniques that were used in the KWINT-project. The development of a set of related models was required to clarify the roles, diversity and inter-dependencies between the government, users, and market actors. A highlevel vulnerability analysis was executed based upon an actor-based layered model and reliability indicators were investigated. A weighted list of vulnerabilities was amended and validated in a workshop with the market actors, users, and representatives from government ministries. Infrastructure protection initiatives and activities in other countries were investigated in order to understand the lessons learned and to avoid pitfalls. Classifying these international initiatives resulted in a number of interesting observations. Further workshops with representatives from market actors, users, and government departments ensured a broad public and private support for the final study recommendations to the government.