Proceedings of the 43rd Hawaii International Conference on System Sciences - 2010
A Group Model Building approach for identifying Simulation Scenarios in Critical Infrastructure
Finn Olav Sveen, University of Agder, Gjøvik University College, Norway
Eliot Rich, University at Albany, SUNY, USA
Josune Hernantes, TECNUN (University of Navarra), Spain
Jose J. Gonzalez, University of Agder, Gjøvik University College, Norway
Abstract Table-top and field simulation exercises are common tools for learning and practicing responses to unplanned IT security and critical infrastructure (CI) events. Preparing, executing and debriefing complex exercises are expensive and time consuming. Computer simulations can generate numerous potential scenarios and focus exercises on those that generate the most informative results. Credible scenarios must be based on a grounded causal structure that drives the dynamics of the crisis and response. As part of a project to examine a CI & IT crisis with cross-border effects we used Group Model Building (GMB) and system dynamics to develop plausible scenarios. Expert consensus was achieved about the crisis causal structure “driving” the event into a cross-border crisis. The model shows the negative effects of uncoordinated single country action on crisis perception and resource misallocation, in turn escalating crisis duration and severity. It is particularly severe if the crisis is exacerbated by ICT failures.
1. Introduction Critical Infrastructure Protection (CIP) is an extremely complex challenge involving knowns and unknowns. Particularly worrying are the “unknown unknowns” – such as particulars about threats and hazards; uncharted factors deriving from interdependencies and cross-border interactions; emergent technical, organizational, human and cultural dynamic relations in pre-crisis, crisis and post-crisis situations. The role of ICT in infrastructure crisis management is critical. In the 2003 North American blackout,
Jose Manuel Torres TECNUN (University of Navarra), Spain
serious faults in the high voltage power transmission network were not discovered because an operations center alarm system stalled shortly before the faults occurred [1]. The failure of the alarm software and subsequent human error allowed a cascading effect that left 50 million people without power. Another example comes from the handling of hurricane Katrina. “Hurricane Katrina devastated communications infrastructure across the Gulf Coast, incapacitating telephone service, police and fire dispatch centers, and emergency radio systems.” [2] Consequently, local, State, and Federal officials were forced to depend on a variety of conflicting reports from a combination of media, government and private sources. These provided inaccurate or incomplete information which limited the understanding of the situation in New Orleans. “In fact, some uncertainty about the specific causes and times of the breaches and overtoppings persists to this day.” [2] National agencies for civil protection employ simulation exercises to improve prevention and early detection of crises, crisis management, damage mitigation and crisis recovery. Simulation exercises challenge the participants to manage a crisis scenario. The desired CIP improvement requires the recognition of security gaps, followed by an analysis and lesson learned phase, with subsequent implementation of improved crisis planning. A “good” simulation exercise reveals major security gaps and allows the participants to practice crisis management skills, increasing preparedness and ability to handle a real crisis. Although highly useful, exercises are expensive because the many participants have to take time away from their normal day-to-day duties. Participation
978-0-7695-3869-3/10 $26.00 © 2010 IEEE
disrupts other critical business processes in the involved organizations. Consequently, the number of scenarios practiced in such exercises is limited and the scenarios must be carefully selected to maximize their usefulness both for discovering security gaps and to prepare the participants in the best possible manner to handle a crisis. A good scenario design process is therefore important to achieve the best results in later exercises. However, regardless of the chosen scenario design method, it is important that the experts involved achieve consensus as to which scenarios are important and should be chosen for further treatment. In this paper we explore the following question: How can realistic crisis scenarios be developed and consensus built using computer simulation methodology? We use the scenario design process we employed in the SEMPOC project as a case study. This process was based on a combination of Group Model Building (GMB) and System Dynamics (SD). SEMPOC, or Simulation Exercise to Manage Power Cut Crises, is funded by the European Programme for Critical Infrastructure Protection (EPCIP). The main objective of SEMPOC is to design and test, using simulation, robust policies to improve detection of precursor events of a major power cut crisis, to act upon them in a timely manner, mitigate damage, prevent cascading effects and sub-crises and deliver critical services. An integral part is the assessment of the effect that loss of ICT capabilities has on disaster recovery and crisis management. The remainder of the paper is organized as follows. Section 2 gives an overview of the scenario design methodologies for CIP that we are aware of. Section 3 describes SD and GMB. Section 4 describes the workshop we held. Section 5 gives an overview of the causal model that came out of the workshops and its results. Section 6 presents our conclusions.
2. Scenario Design Methodologies An example of a crisis management exercise is IKT’08 which was organized by the Norwegian Directorate for Civil Protection and Emergency Planning (DSB) and the Norwegian National Security Authority (NSM) in 2008. It was a distributed, multilocation table-top exercise with the intention to gain experience relevant to the development of the ability and capacity of society to manage the phases before, during, and after massive attacks on digital infrastructures. The exercise had four major targets: 1) To establish an understanding of responsibilities and roles before, during, and after the CI crisis; 2) to explore the suitability of existing emergency planning; 3) to test vertical and horizontal information sharing between decision-making levels before, during, and
after the CI crisis; and 4) to test media management and crisis communications before, during, and after the event. The exercise involved thirty participants consisting of stakeholders from private and public sectors. They included planning groups from banking and finance, electric power supply, oil and gas, telecommunication, Justice & Police as well as the relevant government agency for each such group. Participants were confronted with a scenario depicting a major attack against CI, e.g. a successful attempt to disrupt power supply. No lead ministry was available and participants were forced to coordinate horizontally. Among the previous “unknown unknowns” revealed by the IKT’08 exercise were significant interdependencies and vulnerabilities, poor situational awareness, deficiencies in cross-sector communication and coordination, need for the national computer emergency response team (CERT) to access powers invested in other agencies and conflicts of interest [3]. The discovery of major security gaps made the detailed results of the IKT’08 simulation exercise top secret. Also, the details of the scenario planning procedure are kept secret. Scenario design procedures for simulation exercises by other national civil protection agencies in Europe are not available either. It seems though that there are two broad classes of scenario design methods: BOGSAT (Bunch of Guys Sitting Around a Table) and Morphological Analysis. BOGSAT, a colloquialism in use for decades (see Coffey, “A Death at the White House: The Death of the New Patronage,” Public Administration Review, Sept-October 1974, p. 440-444), refers to involving subject matter specialists but employing a rather unstructured approach for developing the scenarios. Morphological Analysis (MA), also known as Field Anomaly Relaxation, is a method pioneered by Zwicky [4].
MA starts by describing a sociopolitical context as a field with sectors (such as terrorism, etc.), each sector defined by human judgment in terms of soft variables (such as, for terrorism, from non-existent to extremely disruptive). Some combinations of variables in different fields yield anomalies, which are discarded. The remaining combinations are potentially consistent descriptions of the sociopolitical context. For a good overview of MA’s strengths and weaknesses see [5]. A recent overview with emphasis on computer-aided MA has been given by Ritchey [6]. MA is described in opposition to simulations based on causal relations in that, so it is argued, one deals with multidimensional, typically non-quantifiable problem complexes. Ritchey [6, p. 792] states (without further justification) that simulation “simply will not suffice” for such problems. We take the opposite stance, since our computer simulation modeling methodology,
System Dynamics (SD) [7-9], has proven its ability to deal with problems rich in so called “non quantifiable” variables, or soft variables as they are also known. The advantage of simulation is the ability to check the internal consistency of key behavioral assumptions in crisis scenarios, especially with respect to the causal structure of the problem under study. In our opinion, MA and SD are not mutually exclusive, but may be used in conjunction. The methodology called Group Model Building (GMB) has been developed to build System Dynamics models in small groups. GMB, among other issues, emphasizes consensus building and has been successfully applied to many different complex, interdisciplinary problems [7, 8, 10-18]. We used SD in combination with GMB to develop consensus among the participants in a scenario development and design workshop.
3. System Dynamics and Group Model Building
3.1. System Dynamics
SD is an analytical technique that focuses on how problematic situations emerge over time. While a crisis may be caused by a singular and specific act of man or nature, our ability to react to it comes from the preparation for such crises and our ability to learn from past outcomes. These abilities develop and decay over time, and lead us to a time-driven paradigm for developing scenarios and responses. The initial stages in developing a system dynamics simulation model are largely qualitative and conceptual. When considering systems of great complexity, modelers are encouraged to begin their analysis by defining a particular problem manifested by the system, rather than the system itself. A well grounded problem definition is then mapped to a causal structure to capture the influences among components that create its complexity. This conceptual structure is the basis for a formal simulation model, one that attempts to replicate the qualitative structure into a quantitative form that supports simulation and experimentation. Through this experimentation modelers and stakeholders hope to learn more about the fundamental aspects of the system that generates the problem under consideration. Through iterative consideration of additional problems the scope of the model increases and becomes more robust [19].
3.2. Group Model Building
Group model building (GMB) is a process designed to develop consensus and support for organizational interventions [7, 20, 21]. It employs knowledge of personal and interpersonal psychology to elicit information and construct a shared perception of complex problems. This approach meshes nicely with SD modeling, as a shared consensus from GMB becomes the problem definition needed to create the SD simulation. When communicated back to the stakeholders, the SD models become the source for proactive review of possible intervention strategies [7]. GMB usually takes the form of a series of facilitated workshops with problem stakeholders participating. The groups consist of participants with diverse backgrounds and perspectives. The workshops are facilitated by a modelling team. Their job is to guide workshop participants in model construction, while the client provides the necessary subject matter knowledge. The modelling team fills several different roles [7, 20, 21]. One person usually acts as facilitator of group discussion when necessary, asking clarifying questions, as well as doing on-stage modelling work directly with the group. The process consultant’s job is to observe the interaction in the group and the group’s interaction with the facilitator and advise the facilitator on these issues. The job of the process consultant is usually invisible to the workshop participants, but is important. The facilitator is always under pressure up on the stage and is not always able to think about or notice process issues. The modeller usually sits at the back of the room and has a laptop with SD software installed. His/her job is to turn the group’s thinking into a rough conceptual simulation model. Finally, the recorder’s job is to act as secretary, writing down the group’s thoughts and any observations. There are also additional roles defined in the literature, but they are not always necessary. GMB workshops are executed as a series of exercises, called scripts [20]. These scripts are thoroughly prepared in advance, but provide sufficient wiggle room for on-the-fly adaptations should the need arise. Examples of scripts are stakeholder elicitation and analysis, dynamic indicator elicitation, reference mode elicitation and various model structure development exercises.
4. The Workshop
We employed GMB in a two-day workshop format. Eleven domain experts from several European countries attended, all of whom had direct knowledge of power distribution or crisis management planning at the national level. The experts had little or no previous contact with each other prior to the workshop.
[Figure 1 (diagram). Panels: LONG TERM SCENARIO, SHORT TERM SCENARIO, TRIGGERS, MANAGEMENT ACTIONS. Labels recoverable from the figure: ENRON Scenario: deregulation & business opportunistic; Tolerance for political system/decisions; Opportunistic attack: coordinated attackers & opportunistics; Weather stresses water supply; Second power outage in another cross border situation, unclear cause and secretive attitude; Back up generator and capacity; Combination of steam demand and failure in a nuclear power plant with radioactive leakage; Normal accidents; System stress: hot summer + economic crisis; Cuts almost simultaneous; Powercut due to simple attacks; Several powercuts in different countries; EU level information and analysis; Apply local/national response first; Vertical decision problems; Allocation schemes to meet shortage; Crisis management at European/Regional level (cross-border); Changes in decision makers; Deploy army civil defense.]
Figure 1: Hypothesized range of events surrounding a prolonged multi-national power crisis. The top left gives an overview of possible long term latent issues that may cause a crisis. The causes of a crisis that are closer in time are given on the top right. Triggers refer to immediate causes of a crisis, and are given on the middle left. The middle right holds potential actions that crisis managers can undertake. The bottom of the figure represents crisis consequences.
Our goal for this workshop was to create a shared problem conceptualization about large-scale, international power grid failures and the identification of scenarios that might create such an event. This shared problem understanding resulted in a “concept simulation model”. Further GMB workshops will elaborate the simulation model and use it to generate simulation exercises for crisis managers at national and supranational level. In between GMB workshops the project team will elaborate and calibrate the simulation model. Also, the domain experts contribute between workshops with detailed validation according to standard procedures in SD [8].
The workshop activities started with a simplified “straw-man” case. A one page description of a multievent scenario was presented to the assembled experts. The scenario described the emergence of a pan-EU power crisis over a period of days. The causes behind the initial scenario were intentionally vague; each expert used their own knowledge to identify what might create or exacerbate the problem. Small groups were formed among the experts to discuss and share their perspectives. Each group reported out their ideas in turn, with the facilitator encouraging the experts to group similar concepts and clarify each contribution. After each small group completed its report, the experts were asked to identify particularly salient
events that could produce the skeleton crisis, as presented in Figure 1. In subsequent exercises the experts identified the key metrics they would use to evaluate the state of the crisis. The contributors were then asked to create a “dynamic story,” an explanation of how they expect a multi-national crisis might unfold. Multiple stories were identified, depicting possible best- and worst-case scenarios that combine the events identified earlier.
5. Concept model Using the events and stories shared by the experts, we built a simulation model of cross-border responses to a multi-national power crisis. It depicts a fictional situation where two countries, A and B, have interconnected power production and distribution networks. Adverse weather conditions, e.g. prolonged and extreme hot weather, have caused a situation of ongoing failures in both countries’ parts of the infrastructure. Additionally, at time zero an attack occurs on country A’s power infrastructure. This is followed by a second attack on day 4. A third attack occurs on day 12 and targets B’s infrastructure rather than A’s. Attacks need not be physical, rather they could be cyber attacks.
5.1. Structural Overview
Figure 2 shows an overview of the simulation model, which is almost symmetrical for country A and B. For simplicity we limit the text description of the model to country A and the differences with country B. The simulation model consists of a number of sectors, represented as squares in Figure 2. The sectors contain stocks of information and resources. These stocks may be limited and it normally takes time to change them. For example, Failure Backlog in the sector Repairs is the remaining failures that have yet to be repaired. As failures in the infrastructure are repaired, the stock is emptied according to the speed of repairs. The attacks on the power infrastructure cause failures in it – depicted by the variables Failures in A from First Event, Failures in A from Second Event and Failures in B from Third Event. There are of course many different components that can fail. To keep the simulation model simple we aggregated them into one category, failures, which represents the number of actually occurring failures in the power generation and transmission infrastructure. These failures activate latent flaws in other parts of the interdependent infrastructure, represented by Effect of Failures Owing to Interdependencies. Ongoing bad weather conditions cause more failures – depicted by Failures from Adverse Weather. The failures from bad weather and interdependencies combine in Failures from Adverse Weather and Interdependencies, which affects
Repairs. The || marks crossing the influence arrows to Repairs denote time delays. While failures propagating through interdependencies occur quickly after the root failure, sometimes within seconds or minutes, those caused by bad weather conditions happen over time, continuously creating root failures. Resources are needed to repair the failures. Deployment of resources takes time: The failures must be identified, replacement equipment and personnel brought to the site or sites of the attack. How fast resources are brought to bear on the problems is also influenced by the degree to which information is available and accurate. In this scenario, the failures disrupt communication networks and the adverse weather conditions make it difficult to perform damage assessments. Hence, immediately after the attacks, information accuracy and availability is poor. This is represented in the model by Quality of Information, which is influenced by the failure backlog in the sector Repairs. The influence arrows with || marks from Quality of Information to Repairs and Crisis Perception respectively indicate the time delays in accurately assessing the damage and the size of the crisis. System components can be represented explicitly or implicitly in a system dynamics model. “Implicitly” means by way of aggregation or interpretation [19, p. 51]. We use this method to represent the ICT aspect implicitly through communication and perception delays. If the ICT infrastructure is intact the delay is negligible. If the ICT infrastructure has been damaged, either directly through attack or indirectly by way of cascading effects arising in power grid damages, the delay becomes significant. See scenario Aid Slow Perception in section 5.2. The sector Crisis Perception calculates the decision makers’ perception of the magnitude of the crisis. In terms of the simulation model Crisis Perception is the current opinion of the decision makers of how long it will take to resolve the crisis. 
Resources are not brought into action unless the decision makers believe they are necessary. There may be significant delays in deploying resources if the crisis is perceived to have small magnitude – shown by the delayed influence arrow to Resources. If the crisis is large, aid can be requested from country B – shown by the arrow from Crisis Perception to Country B Resources Requested by A. Whether country B aids A depends on available resources. It also depends on B’s perception of the crisis in A – represented by the arrow from Country A’s Crisis Perception to Country B’s Crisis Perception. B does not have direct access to information concerning A’s situation; instead, B must rely on A’s information. This increases the time delay for B’s perception of A’s crisis magnitude. If B assists A, it also takes time to deploy resources from B to A. Likewise, when the deployed resources are needed in country B, it takes time to get
them back again. The delayed influence arrows between B’s Resources to Resources for Country A represent these relations. Once resources are deployed, the longer the workforce is engaged in the field, the more fatigued it will become, which in turn reduces the efficiency of the repairs. This is represented by the causal arrows between the sectors Resources and Fatigue.
Figure 2. Sector diagram of the simulation model. Boxes represent model sectors, ovals are variables and diamonds are constants. The black arrows denote causal influences. || marks crossing the influence arrows represent time delays. Each sector contains variables which influence other variables inside and outside the sector. The diagram shows the causal structure of the simulation model at a very high level.
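The feedback structure described in Section 5.1 (failures fill a backlog, perception of the backlog lags, resources follow perception, fatigue slows repairs), as an added sketch for country A only; it is not the SEMPOC model or code from the authors. Only the 200 resources, the attacks on day 0 and day 4, and the one-day versus two-day perception delay come from the paper; the equations and every other parameter are assumptions, and Crisis Perception is simplified to a perceived backlog.

```python
"""Single-country stock-and-flow sketch (illustrative; not the SEMPOC model)."""
from dataclasses import dataclass, field

# Values taken from the paper
TOTAL_RESOURCES = 200.0        # each country has 200 "Resources"
ATTACK_DAYS = (0, 4)           # attacks on country A at time zero and on day 4

# Assumed values (the paper publishes no equations or parameters)
ATTACK_FAILURES = 400.0        # root failures caused by each attack
WEATHER_FAILURES = 10.0        # root failures per day from adverse weather
CASCADE_FACTOR = 0.25          # extra failures per root failure (interdependencies)
REPAIRS_PER_RESOURCE = 0.4     # failures repaired per rested resource per day
FAILURES_PER_RESOURCE = 2.0    # perceived failures that justify one deployed resource
DEPLOY_DELAY = 1.0             # days needed to move resources into the field
FATIGUE_TIME = 7.0             # days over which fatigue builds up or wears off
FATIGUE_PENALTY = 0.4          # share of repair efficiency lost at full fatigue


@dataclass
class Run:
    """Time series recorded at every integration step."""
    time: list = field(default_factory=list)
    backlog: list = field(default_factory=list)
    perceived: list = field(default_factory=list)
    deployed: list = field(default_factory=list)


def simulate(perception_delay, days=40.0, dt=0.125):
    """Euler-integrate the four stocks; perception_delay is in days."""
    attack_steps = {round(day / dt) for day in ATTACK_DAYS}
    backlog = perceived = deployed = fatigue = 0.0
    run = Run()
    for step in range(int(days / dt) + 1):
        if step in attack_steps:
            # An attack adds its root failures plus their cascading failures at once.
            backlog += ATTACK_FAILURES * (1.0 + CASCADE_FACTOR)
        run.time.append(step * dt)
        run.backlog.append(backlog)
        run.perceived.append(perceived)
        run.deployed.append(deployed)

        inflow = WEATHER_FAILURES * (1.0 + CASCADE_FACTOR)
        efficiency = 1.0 - FATIGUE_PENALTY * fatigue
        # Repairs cannot exceed what is in the backlog during this step.
        repairs = min(deployed * REPAIRS_PER_RESOURCE * efficiency,
                      backlog / dt + inflow)
        # Decision makers size the response from what they perceive, not the truth.
        desired = min(TOTAL_RESOURCES, perceived / FAILURES_PER_RESOURCE)

        d_backlog = inflow - repairs
        d_perceived = (backlog - perceived) / perception_delay   # information delay
        d_deployed = (desired - deployed) / DEPLOY_DELAY          # deployment delay
        d_fatigue = (deployed / TOTAL_RESOURCES - fatigue) / FATIGUE_TIME

        backlog += d_backlog * dt
        perceived += d_perceived * dt
        deployed += d_deployed * dt
        fatigue += d_fatigue * dt
    return run


def first_day_at_or_above(run, series, threshold):
    """First simulated day on which the series reaches the threshold, else None."""
    for day, value in zip(run.time, series):
        if value >= threshold:
            return day
    return None


def summarize(run):
    """Headline indicators for comparing scenarios."""
    return {
        "peak_backlog": max(run.backlog),
        "half_deployed_day": first_day_at_or_above(
            run, run.deployed, TOTAL_RESOURCES / 2),
        "final_backlog": run.backlog[-1],
    }


if __name__ == "__main__":
    for label, delay in (("intact ICT, 1-day perception delay", 1.0),
                         ("degraded ICT, 2-day perception delay", 2.0)):
        print(label, summarize(simulate(delay)))
```

Doubling the perception delay postpones deployment, so fewer failures are repaired before the day-4 attack and the backlog peaks higher; the cross-border aid loop between A and B is left out of this sketch.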
5.2. Simulation Runs
We discuss three simulation scenarios. In the Base Run scenario, country B is willing to help A as long as they do not perceive the crisis in A to be too large. If the crisis in A passes a size threshold, B starts to become afraid that they might also be the target for attacks, and will keep resources in reserve instead of helping A. In the second scenario, Aid, B is not worried that the same may happen to them, and aids A instead of keeping resources in reserve. In the Aid Slow Perception scenario, Country A also suffers damage to ICT
infrastructure, resulting in an exacerbated delay to assess the crisis. Crisis Perception takes two days to adjust compared to one day in Base Run. The two first scenarios were chosen as it is likely that a decision to aid or not may play a role in the context of a pan-European event. The European Union is a supranational body with very restricted executive authority over its member states. Hence, the states must cooperate and come to agreements among themselves rather than rely on a higher power to tell them what to do. The proposed scenarios represent two arguably realistic situations depending on whether altruistic motives weigh more
than fear of becoming exposed or not. There is a tradition in Europe for nation states to put their own interest before that of others; hence, such a scenario, although hypothetical, is plausible. The third scenario was chosen based on the experiences gained during the management of the aftermath of hurricane Katrina, and shows potential effects of a degraded ICT structure.
Figure 3. Country A's Failure Backlog.
Recall that in addition to ongoing bad weather conditions, country A experiences the first attack at time zero. This causes a near instantaneous increase in the failure backlog (Figure 3). Failures from interdependencies increase the number of failures through cascading effects. This causes the total number of failures to increase during the first day. As resources to repair the failures are brought into action the failure backlog is reduced. On day four, a second attack on A occurs, creating a new influx of failures. In the Base Run scenario, the crisis is resolved in 25 days. In the Aid scenario, the majority of the crisis is resolved in 17 days. After this time, the remaining failures in the backlog are caused by the adverse weather conditions that continue throughout the scenario. In the Aid Slow Perception scenario, the resolution time is shorter than in Base Run, but longer than in Aid. Additionally, the number of failures is significantly higher from day 6 to day 13, compared to both the other scenarios. Each country has 200 “Resources” available. The simulation model has intentionally been kept simple. Hence, we do not distinguish between different types of resources. This is likely to change in the future when the project advances and the simulation model becomes more realistic. The time involved for A in assessing the crisis and deploying resources means that full resource deployment is only achieved four days after crisis onset, at the approximate same time as attack number two occurs (Figure 4). In Base Run, all of A’s resources stay in the field until day 26 of the simulation. In the Aid scenario, the majority of the resources are engaged until day 22, and then the resources are gradually pulled back to the reserve. By day 28, most of them are back in the reserve. Aid Slow Perception yields a behavior which is between the other scenarios.
Figure 4. Country A's Deployed Resources.
In all three scenarios, increasing fatigue contributes significantly to reducing the pace at which failures are repaired. In the worst case, the resources are employed continuously for almost a full month without a chance to rest and recover.
Figure 5. Country A's Crisis Perception. Simulation time on the x axis. Perceived time to resolve crisis on the y axis. Crisis Perception measures the perception of the magnitude of the crisis as the decision makers’ estimated time until the crisis is resolved. Country A’s crisis perception steadily increases, but it takes four days before the full extent of the consequences of the first attack is perceived (Figure 5). The second attack occurs on day four. Just as for the first attack, the damage from the second attack needs to be assessed and estimates of time to repair made before an accurate perception of the crisis is arrived at. In Base Run and Aid, the
consequences of the second attack are known after a little more than seven days. In contrast, in Aid Slow Perception the full extent of the first attack is never known before the second attack occurs. The full extent of the crisis is not known until day 10 in that scenario.
Figure 6. Aid requested by country A.
In Base Run and Aid, two days from the first attack, the crisis is perceived to have grown to such a magnitude that A decides they need help from B. Requests for resources are made. In the Aid Slow Perception scenario, the information delays owing to degraded ICT infrastructure mean that the need for help is recognized much later. Hence, resources are only requested starting on day five, a significant delay (Figure 6).
Figure 7. Country B Resources Deployed to Country A.
In all three scenarios, Country B sends resources to aid A. B only sends spare resources that are not needed to fix B’s own problems. The first resources start to arrive on day 2 of the crisis, the same day as the request is made, but full deployment is not achieved until well into day 4 in the Base Run scenario. The resources are pulled back on day 6, owing to fears that attacks may also be targeted at B. As can be seen in Figure 8, B’s Failure Backlog initially increases due to bad weather and failures caused by interdependencies with A’s infrastructure. In the Aid scenario, when B’s Failure Backlog is reduced, more resources are made available for helping A. Deployment continues to increase until day 12, when B is hit by an attack and the resources have to be recalled. In the Aid Slow Perception scenario, resources from B only start to arrive on day six. The delay causes an increased Failure Backlog compared to the Aid scenario.
Figure 8. Country B Failure Backlog.
Holding resources in reserve is a completely legitimate act when there is a risk of an attack on your own infrastructure. B suffers such an attack on day twelve. Before that, the only failures they had were from adverse weather conditions and spillover effects from the attack on A. In the Base Run scenario, reserves are available when the attack hits (Figure 9). Surprisingly though, it only takes about a day longer to resolve the crisis in the Aid and Aid Slow Perception scenarios. This is despite the fact that it takes more than twice the time to redeploy resources that have been deployed to country A from B. Furthermore, almost half of B’s resources are in A at the occurrence of the attack in the Aid and Aid Slow Perception scenarios. This is in stark contrast to the nine day difference in resolution time for the crisis in Country A. There are two main reasons for this. First, A’s crisis is bigger, as they suffer two attacks. Second, in Base Run, B pulls out their resources precisely when they are most urgently needed by A and before B is hit. The result is that many of B’s resources sit idle from day 6 to day 13, even though A itself has insufficient resources and has requested aid as early as the second day of the crisis. Furthermore, as can be seen in Figure 10, the total number of failures is lower in the Aid
scenario. As the infrastructure is interdependent between the two countries, it is in B’s interest to help A.
Figure 9. Country B Resource Reserve. In the case where resources are held in reserve, the very fact that the third attack happened is sufficient to justify holding resources in reserve and may very well be used as evidence to prove that the right decision was made. However, when comparing simulation scenarios, it is the altruistic scenario which gives the shortest crisis resolution time and the fewest total failures. The total failures in the Aid Slow Perception scenario are higher than in the Base Run scenario. A serious disruption of ICT networks, which causes significant information delays, may be sufficient to cancel out beneficial effects from assistance from abroad. It is not just a matter of sending in personnel and equipment, one must also know what kind of personnel and equipment is needed.
Figure 10. Total Failures.
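The scenario comparison above can be illustrated with a small stock-and-flow sketch. This is an added example, not the authors' system dynamics model: the attack sizes, crew counts, cascade rate, recall day and delays are all constructed assumptions, so it reproduces only the ordering of total failures across the three scenarios, not the paper's figures.

```python
# Constructed toy parameters (assumptions, not taken from the paper's model).
ATTACKS_A = {1: 40, 5: 40}        # two attacks on country A: day -> new failures
ATTACKS_B = {12: 30}              # one attack on country B on day twelve
CREWS_A, CREWS_B, LENT = 6, 6, 3  # repair crews; each crew fixes one failure per day
RETURN_DELAY = 4                  # days lent crews need to get back home to B


def simulate(recall_day=None, lag=0, days=60):
    """Daily-step simulation of both failure backlogs.

    recall_day: day on which B pulls its lent crews back into reserve
                (Base Run); None keeps them in A until B is attacked (Aid).
    lag:        days of information delay before B's crews start work in A
                (Aid Slow Perception).
    """
    arrive = 2 + lag                      # A requests aid on day two
    if recall_day is not None:
        leave = home = recall_day         # crews return and sit in reserve
    else:
        leave = min(ATTACKS_B) + 1        # crews leave A once B has been hit
        home = leave + RETURN_DELAY       # and are unavailable while in transit
    a = b = total = 0                     # open failures in A, in B, cumulative
    last_open = {"A": 0, "B": 0}
    for day in range(1, days + 1):
        in_a = LENT if arrive <= day < leave else 0
        at_home = LENT if day < arrive or day >= home else 0
        spill = a // 10                   # ten open failures in A breed one more in A and in B
        new_a = ATTACKS_A.get(day, 0) + spill
        new_b = ATTACKS_B.get(day, 0) + b // 10 + spill
        total += new_a + new_b
        a = max(0, a + new_a - (CREWS_A + in_a))
        b = max(0, b + new_b - (CREWS_B - LENT + at_home))
        if a:
            last_open["A"] = day
        if b:
            last_open["B"] = day
    return {"A_resolved": last_open["A"] + 1,
            "B_resolved": last_open["B"] + 1,
            "total_failures": total}


if __name__ == "__main__":
    for name, kwargs in [("Base Run", {"recall_day": 6}), ("Aid", {}),
                         ("Aid Slow Perception", {"lag": 3})]:
        print(name, simulate(**kwargs))
```
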
6. Conclusions

The simulation model presented in this paper is the outcome of an SD/GMB process. Based on our initial experiences with this process in CIP, we believe that it is a useful method for scenario development and design. The advantage of causal modeling and simulation is that it makes explicit tacit assumptions about the causal structure of the system. Those assumptions can then be tested through simulation. Through this process it is possible to resolve disagreements. Thus consensus is achieved on the most interesting and relevant scenarios, but not at the cost of disregarding information from individual participants. Normally, everyone holds a piece of the puzzle, but since they only see part of the problem, the behaviors of dynamically complex non-linear systems are often misjudged. Causal modeling allows for the integration of each piece into a holistic model that allows for a more complete view of the problem at hand.

The current simulation model is at an early stage; hence it is generalized to a very high level. In further GMB workshops we will elaborate the simulation model and use it to generate simulation exercises for crisis managers at the national and supranational level. In between GMB workshops the project team will elaborate and calibrate the simulation model. Also, the domain experts contribute between workshops with detailed validation according to standard procedures in system dynamics [8].

The following three points summarize our experience so far with GMB and SD for scenario design and development:

1) Methodology for scenario design and testing: We have learned that it is possible to use Group Model Building to design and elaborate on scenarios of crises in CI. Furthermore, the temporal aspect offered by SD modeling seems to be useful. An example of this is the surprising difference in crisis resolution time identified in the previous section.

2) The use of the simulation model: It is purposely simple. But the model is already useful to generate and test basic scenarios. The model output gives indications as to the weaknesses in CI crisis management. The created scenarios can later be validated using various methods ranging from tabletop simulation exercises to full-blown field exercises. The simulation model gives important indications as to which aspects should be paid explicit attention to and tested in such exercises.

3) The lessons learned from the particular model presented in this paper: The model, which is derived from the experts’ input, indicates that a prolonged crisis is possible and that poorly coordinated single country actions can increase the severity of the crisis owing to
perception delays and waste of resources. Furthermore, the model indicates that information and communication delays may have a significant impact on the crisis resolution time.
7. References

[1] US-Canada Power System Outage Task Force, "Final Report on the August 14, 2003 Blackout in the United States and Canada: Causes and Recommendations," US Department of Energy & Canada Ministry of Natural Resources 2004.
[2] The White House, "The federal response to hurricane Katrina: Lessons learned," 2006.
[3] S. Henriksen, "Norwegian Exercise IKT’08," Societal Security in the Nordic Region, Sigtuna (Sweden), 2009. Available at .
[4] F. Zwicky, Discovery, Invention, Research Through the Morphological Approach. Toronto: The Macmillan Company, 1969.
[5] R. G. Coyle, R. Crawshay, and L. Sutton, "Futures assessment by field anomaly relaxation," Futures, vol. 26, pp. 25-43, 1994.
[6] T. Ritchey, "Problem structuring using computer-aided morphological analysis," Journal of the Operational Research Society, vol. 57, pp. 792-801, 2006.
[7] J. A. M. Vennix, Group Model Building: Facilitating team learning using System Dynamics. Chichester, England: John Wiley and Sons, 1996.
[8] J. D. Sterman, Business Dynamics: Systems Thinking and Modeling for a Complex World. Boston: Irwin/McGraw-Hill, 2000.
[9] K. Maani and R. Y. Cavana, Systems Thinking, System Dynamics: Managing Change and Complexity, Softcover ed. Auckland, New Zealand: Pearson Education, 2007.
[10] P. Reagan-Cirincione, S. Schuman, G. P. Richardson, and S. A. Dorf, "Decision modeling: tools for strategic thinking," Interfaces, vol. 21, pp. 52-65, 1991.
[11] J. A. M. Vennix, D. F. Andersen, G. P. Richardson, and J. Rohrbaugh, "Model building for group decision support: issues and alternatives in knowledge elicitation," in Modeling for Learning Organizations, J. D. W. Morecroft and J. D. Sterman, Eds. Portland, OR: Productivity Press, 1994, pp. 29-49.
[12] G. P. Richardson and D. F. Andersen, "Teamwork in group model building," System Dynamics Review, vol. 11, pp. 113-137, 1995.
[13] J. A. M. Vennix, H. A. Akkermans, and E. A. J. A. Rouwette, "Group model-building to facilitate organizational change: an exploratory study," System Dynamics Review, vol. 12, pp. 39-58, 1996.
[14] J. A. M. Vennix, "Group model-building: tackling messy problems," System Dynamics Review, vol. 15, pp. 379-401, 1999.
[15] E. A. J. A. Rouwette, J. A. M. Vennix, and T. Van Mullekom, "Group model building effectiveness: a review of assessment studies," System Dynamics Review, vol. 18, pp. 5-45, 2002.
[16] L. F. Luna-Reyes, I. J. Martinez-Moyano, T. A. Pardo, A. M. Cresswell, D. F. Andersen, and G. P. Richardson, "Anatomy of a group model-building intervention: building dynamic theory from case study research," System Dynamics Review, vol. 22, pp. 291-320, 2006.
[17] S. Howick, F. Ackermann, and D. F. Andersen, "Linking Event Thinking with Structural Thinking: Methods to Improve Client Value in Projects," System Dynamics Review, vol. 22, pp. 113-140, 2006.
[18] C. Eden and F. Ackermann, "Where Next for Problem Structuring Methods," Journal of the Operational Research Society, vol. 55, pp. 766-768, 2006.
[19] G. P. Richardson and A. J. Pugh III, Introduction to system dynamics modeling with DYNAMO. Cambridge, MA: MIT Press, 1981.
[20] D. F. Andersen and G. P. Richardson, "Scripts for Group Model Building," System Dynamics Review, vol. 13, pp. 107-129, 1997.
[21] G. P. Richardson and D. F. Andersen, "Teamwork in Group Model Building," System Dynamics Review, vol. 11, pp. 113-137, 1995.