Quantifying Vulnerability to Critical Infrastructure

QUANTIFYING VULNERABILITY TO CRITICAL INFRASTRUCTURE Barry Charles Ezell Old Dominion University, 2004 Director: Dr. Charles Keating Military and civilian leaders have the responsibility to protect our Nation’s critical infrastructure, communities, and symbols of American power from terrorists, home and abroad, as well as from natural disasters. To this end, assessments are conducted to reduce vulnerability. The literature offers multiple definitions of vulnerability and measurement has not been adequately addressed. Thus, the purpose of this research has been to develop and deploy a systems-based model that quantifies vulnerability to critical infrastructure. This research defines critical infrastructure vulnerability as a measure of the susceptibility of critical infrastructure to threat scenarios. Vulnerability is a function of 1) threat scenario, 2) protection and 3) importance. Critical infrastructure vulnerability is measured by a system’s 1) deterrence, 2) detection, 3) delay and 4) response capabilities. Importance implies that some subsystems are more critical to overall system performance than other subsystems. A value model was used as the logic construct for quantifying vulnerability. Subject-matter experts were queried to establish the shapes of value functions and importance (weights) in the model. Another set of subject-matter experts are queried to assess a notional clean water system with respect to each protection measure within the vulnerability value model. To accomplish this, two simulations are executed in the model. The first simulation aggregates expert assessments into one assessment. The results are then used as inputs into the vulnerability value portion of the model for use in the second simulation where vulnerability is quantified. Results of this Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. research demonstrate that vulnerability can be quantified and that quantifying vulnerability is useful to decision-makers who prefer quantification to qualitative treatment of vulnerability. This research is a novel contribution to the body of scholarly work by: 1) providing a rigorous method to quantify vulnerability to critical infrastructure, 2) introducing the theory of vulnerability, and 3) specifying the theoretical relationship between risk and vulnerability. Subject matter experts conclude that there is value in the approach put forward in this body of research as it is applied to clean water systems, so it may be useful in other critical infrastructures. The research closes with directions for further research. Reproduced with permission of the copyright owner. Further reproduction prohibited without permission. This dissertation is dedicated to the men and women who protect our Homeland. Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

[1]  Michael L. McGinnis,et al.  Base camp facility layout , 2001, 2001 IEEE International Conference on Systems, Man and Cybernetics. e-Systems and e-Man for Cybernetics in Cyberspace (Cat.No.01CH37236).

[2]  James H. Lambert,et al.  Risks of Cyber Attack to Water Utility Supervisory Control and Data Acquisition Systems , 2001 .

[3]  James H. Lambert,et al.  Designing an OOTW decision support system for military planners , 2000, Smc 2000 conference proceedings. 2000 ieee international conference on systems, man and cybernetics. 'cybernetics evolving to systems, humans, organizations, and their complex interactions' (cat. no.0.

[4]  R. Stake The art of case study research , 1995 .

[5]  Yacov Y. Haimes,et al.  Hierarchical Holographic Modeling , 1981, IEEE Transactions on Systems, Man, and Cybernetics.

[6]  Yacov Y Haimes,et al.  Risk Filtering, Ranking, and Management Framework Using Hierarchical Holographic Modeling , 2002, Risk analysis : an official publication of the Society for Risk Analysis.

[7]  B J Garrick,et al.  Fitting Hierarchical Holographic Modeling into the Theory of Scenario Structuring and a Resulting Refinement to the Quantitative Definition of Risk , 2001, Risk analysis : an official publication of the Society for Risk Analysis.

[8]  P. Buckle New Approaches to Assessing Vulnerability and Resilience , 2000 .

[9]  Trina M. Chytka,et al.  Development of an Aggregation Methodology for Risk Analysis in Aerospace Conceptual Vehicle Design , 2003 .

[10]  Yacov Y. Haimes,et al.  Risk modeling, assessment, and management , 1998 .

[11]  Michael Jackson,et al.  Systems methodology for the management sciences , 1992 .

[12]  John V. Farr,et al.  Infrastructure Risk Analysis of Municipal Water Distribution System , 2000 .

[13]  Sally Sieloff Magnan,et al.  Research Design: Qualitative and Quantitative Approaches , 1997 .

[14]  H. Raiffa,et al.  Decisions with Multiple Objectives , 1993 .

[15]  S. Kaplan,et al.  On The Quantitative Definition of Risk , 1981 .

[16]  Mark J. Davis,et al.  Base Camp Design: Site Selection and Facility Layout , 2001 .

[17]  Barry Ezell Toward a Systems-Based Vulnerability Assessment Methodology for Water Supply Systems , 2003 .

[18]  Gregory S. Parnell,et al.  Foundations 2025: a Value Model for Evaluating Future Air and Space Forces , 1998 .

[19]  Stan Kaplan,et al.  The Words of Risk Analysis , 1997 .

[20]  Willie J. Mcfadden,et al.  A Systems-Based Methodology for the Construction and Representation of Organizational Knowledge Systems , 2000 .

[21]  B. Wisner,et al.  At Risk: Natural Hazards, People's Vulnerability and Disasters , 1996 .

[22]  Jan Metzger,et al.  International CIIP Handbook , 2004 .

[23]  Wilson H. Tang,et al.  Probability concepts in engineering planning and design , 1984 .

[24]  Paul D Jeanne Ellis Ormrod Leedy,et al.  Practical Research: Planning and Design , 1974 .

[25]  Michael L. McGinnis,et al.  Designing a Decision Support System for Military Base Camp Site Selection and Facility Layout , 2001 .

[26]  Michael L. McGinnis,et al.  Joint military headquarters redesign , 2000, Smc 2000 conference proceedings. 2000 ieee international conference on systems, man and cybernetics. 'cybernetics evolving to systems, humans, organizations, and their complex interactions' (cat. no.0.