Chapter 8 Critical Infrastructure Protection and ...

Chapter 8 Critical Infrastructure Protection and Uncertainty Analysis Razieh Mosadeghi1, Russell Richards1,2, Rodger Tomlinson1 1

Griffith Centre for Coastal Management, Griffith University, Parklands Drive, QLD 4222, Australia, [email protected] 2 School of Agriculture and Food Sciences, The University of Queensland, St Lucia QLD 4072 Australia Natural disasters can damage or destroy critical infrastructures, which underpin the delivery of essential services such as power, water, health, communications and banking. Disruption to critical infrastructure can cause catastrophic losses and adverse economic impacts. In the past few years climate change has increased the number and severity of natural disasters. Consequently, the importance of protecting Critical infrastructure has greatly increased in national security and risk management strategies around the world. Many countries have developed a range of strategies for strengthening the resiliency of their infrastructure. These strategies, however, similar to any other decision-making strategies are subject to uncertainty and a comprehensive critical infrastructure protection strategy is to be able to reduce exposure to risk and address uncertainty. This chapter reviews the possible uncertainties associated in protection strategies and introduces some approaches to deal with these uncertainties. The chapter then focuses on the use of Bayesian networks as a framework for resilience planning of critical infrastructure through framing adaptive capacity of Emergency Management and its relationship to enhancing resilience and decreasing vulnerability.

1. Introduction Critical infrastructure (CI) is defined as those assets and systems, that are essential for the maintenance of vital social functions, health, safety, security, and economics or social well-being of people [Moteff and Parfomak, 2004; The Council of the EU, 2008; Commonwealth of Australia, 2010]. This definition covers a wide range of sectors and key government services including energy, utilities, emergency services, banking and finance, transport, health, food supply and communication systems [Brunner and Suter, 2008; Commonwealth of Australia, 2011]. They are vulnerable to a number of pressures including physical 1

2

R. Mosadeghi, R. Richards & R. Tomlinson

destruction due to natural causes, and human error such as poor design or operator error [Moteff, 2014; Canada-USA Action Plan, 2010]. During recent decades, damages to infrastructure from natural hazards have greatly increased due to urbanization and concentration of more people and assets in hazard-prone areas and also climate change [Freeman, 2003; Leaning, 2013]. Disruptions to CIs can result in catastrophic losses, including human casualties, property destruction and adverse economic effects. The risk of disruption is exacerbated by the complex system of interdependencies that typically link different critical infrastructure. This can produce cascading effects far beyond the initially impacted sector and physical location of the incident [Canada-USA Action Plan, 2010]. For example during the summer of 2010/2011 extreme weather conditions across large parts of eastern Australia, which included major flooding throughout Central and Southern Queensland and severe tropical cyclone Yasi, had major impacts on electrical infrastructure. These events resulted in around 480,000 homes and businesses losing power during this period. Cyclone Yasi alone interrupted the power system to more than 220,000 residences and businesses and 50 major substations went off supply. The damage to the network was so extensive that in the worst affected areas the network had to be rebuilt at considerable cost [Queensland Reconstruction Authority, 2011]. The ability to respond and recover from a CI disruption depends on the readiness of people and institutions. It also depends on many partnerships, especially within and across all levels of government, private sector stakeholders and international allies [Canada-USA Action Plan, 2010]. Consequently, the importance of protecting CIs has greatly increased in national security and risk management strategies around the world. Recognizing their importance, many countries have developed a range of strategies for strengthening the resilience of their CIs and enhancing the safety and economic stability of the communities [Canada-USA Action Plan, 2010]. Critical infrastructure protection (CIP) strategies are similar to any other decision-making strategies in that they are characterized by a number of uncertainties, ranging from ambiguity in defining the potential hazards, existing issues, gaps in the current systems and objectives to uncertainty in data and models and variable degrees of unpredictable randomness, and lack of sufficient data. Recognizing uncertainty as a key element in the decision-making process is not to eliminate uncertainty, but to understand its significance in embedding adaptive capacity and flexibility into decision-makers’ choices [Mosadeghi et al., 2013]. This is particularly important when dealing with CIs because of the enormous cost involved and the essentiality of public safety. A comprehensive

Critical Infrastructure Protection and Uncertainty Analysis

3

approach to critical infrastructure protection is to be able to adapt to change, and reduce exposure to risk and uncertainty. This chapter endeavors to provide a general overview of understanding potential uncertainties in the selection of CIP strategies and some insights on possible uncertainty analysis approaches during the decision-making process. Nevertheless, it is to be noted, to undertake a complete analysis of uncertainty in critical infrastructure protection strategies, a comprehensive examination of the different types of infrastructure, risks, vulnerabilities, and climate scenarios is required, which is beyond the scope of this chapter. The structure of this chapter is as follows. We begin with a review of the process of current infrastructure protection strategies and policies. Section 3 summarizes the principles and typologies that underpin the successful uncertainty analysis. We next explore the potential uncertainties considered relevant to CIP decision-making and introduce possible uncertainty analysis approaches. Section 5 then demonstrates a case study approach in south-east Queensland, Australia, to incorporate uncertainty analysis in critical infrastructure protection and, the final section concludes the chapter. 2. Critical Infrastructure Protection (CIP) strategies In the United States of America the establishment of the President’s Commission on Critical Infrastructure Protection (PCCIP) in July 1996 led to the American Presidential directive PDD-63 of May 1998, which set up a national program of "Critical Infrastructure Protection" [Mottef, 2014]. The US CI protection program initiated the awareness for other countries around the world to focus on ways to identify and protect their critical assets against potential hazards. Consequently, significant efforts are underway in other parts of the world to establish and enhance CI protection strategies [Svendsen and Wolthusen, 2012]. For example, the European Commission's directive EU COM [2006]/786, set out the principles and processes to implement a "European Programme for Critical Infrastructure Protection" (EPCIP), which aims to improve the protection of critical infrastructures in the EU [Commission of the EU Communities, 2006]. The constant advancement of existing policies shows that many countries are still in the process of defining and reviewing their CIP strategy. In Australia for instance, a series of comprehensive reviews of the Government’s Critical Infrastructure Protection Program were undertaken in 2007, 2008, and 2009. A key finding of these reviews was that the term ‘critical infrastructure protection’ did not adequately reflect the Program’s “all hazards” approach. It was

4


recommended that as resilience is an essential element of the CIP strategy and given the regularity and severity of natural disasters in Australia, Critical Infrastructure Resilience (CIR) is a more suitable approach. This resilience-based approach to disaster management recognizes that a national, coordinated and cooperative effort was required to enhance Australia’s capacity to withstand and recover from emergencies and disasters. Consequently the Program’s title was shifted to “resilience” in 2010 to more accurately reflect its objectives. Most of the CIP/CIR strategies recognize that the responsibility for the continuity of critical infrastructure is shared by all levels of government and by the CI owners and operators. Governments develop national CIP strategies, which define the protection goals in a general way. The protection requirements for a particular CI sector are then identified in the sector-specific plans. At this stage, the owners and operators of CI liaise with the public sector to articulate goals and measures to achieve protection [Svendsen and Wolthusen, 2012]. National CIP strategies usually pursue an all-hazard approach and commonly aim to reduce the vulnerabilities of critical infrastructure and increase their resilience [Commission of the EU Communities, 2006; Svendsen and Wolthusen 2012]. To achieve this, a typical CIP strategy first needs to identify targeted CI and their interdependencies, then undertake analyses of the CI vulnerabilities and associated risks. The life cycle of CIP strategy is shown in Figure 1 and the following sections outline this process in more details.

Fig. 1. Process of critical infrastructure protection.


5

2.1. Identification of critical infrastructure The identification of CI requires a structured approach where governments work with infrastructure owners and operators to prioritise CI in terms of criticality from a national perspective. The identification and designation is usually according to predefined national criteria taking into account qualitative and quantitative effects of the disruption or destruction of a particular infrastructure [Commission of the EU Communities, 2006; Commonwealth of Australia, 2011]. These criteria normally fall into two categories:  Scope - the disruption or destruction of a particular critical infrastructure is rated by the extent of the geographic area which could be affected by its loss or unavailability.  Severity - the consequences of the disruption or destruction of a particular infrastructure can be assessed on the basis of significance of economic loss and/or degradation of products or services; number of population affected; environmental and political effects [Commission of the EU Communities, 2006]. It is to be noted that these criteria are sometimes hard to quantify satisfactorily, so that the identification of CIs remains an inherently political decision. Consequently the CIs are often listed in strategy papers or government directives [Svendsen and Wolthusen, 2012]. Some CIP strategies also prioritize the criticality of CIs from a national perspective [see e.g. commonwealth of Australia, 2011]. 2.2. Cross-sectoral analysis of dependencies Critical infrastructures do not exist in isolation in a single sector or location and are highly interdependent, so that failure or disruption in one sector can lead to disruptions in other sectors. For instance, the respective owners and operators of water infrastructure, and the communications industry both rely on electricity to operate [Ouyang et al., 2009; Commonwealth Australia, 2010b; Solano, 2010; Wang et al., 2012], and which are often located some distance (e.g. 100s of miles) apart. The identification and analysis of interdependencies, both geographic and sectoral in nature, is an important element of improving critical infrastructure protection. This ongoing process will feed into the assessment of vulnerabilities and risks concerning critical infrastructures and helps to inform governments’ policies on CI protection [Commission of the EU Communities, 2006; Commonwealth Australia, 2010].

6


An interdependency analysis will assist governments, owners and operators of critical infrastructure to understand system-wide risks to increases the potential for a more effective sharing of risk to cope with certain incidents [Commonwealth Australia, 2010]. To have a better understanding of CI, cross-sectoral analysis and information sharing is required across governments and critical infrastructure sectors [Government of Canada, 2009, Moteff, 2014]. To improve the quality and usefulness of the information products, it is best that at a high level, CI partners identify the emerging concerns and prioritize the areas where more information is required [Government of Canada, 2009]. The output of this then can lead to more specific, large scale interdependencies analysis. To enhance the resiliency of CI and to maintain a collaborative approach, many countries have established a national cross-sector program to promote information sharing across the sector networks and cross-sectoral interdependencies. For instance, the Critical Infrastructure Program for Modelling and Analysis (CIPMA) in Australia and National Cross-Sector Forum in Canada are key initiatives in the respective Governments’ efforts to enhance the resilience of their critical infrastructure. CI interdependencies vary widely, however, they usually fall into four principle classes [Rinaldi, 2001; Giannopoulos et al., 2012]:  Physical: The operation of one infrastructure depends on the material output of the other.  Cyber: Dependency on information transmitted through the information infrastructure.  Geographic: Dependency on local environmental effects that simultaneously affects multiple infrastructures.  Logical: Any kind of dependency not characterized as Physical, Cyber or Geographic A comprehensive analysis of all types of interdependencies is challenging and requires extensive modelling efforts to provide better understanding of CI systems [Svendsen and Wolthusen, 2012]. Most of the cross-sectoral dependency analyses fall into structural analysis and functional analysis. Structural analysis uses the infrastructure topologies and the average reciprocal shortest path lengths of infrastructure networks to measure structural efficiency. Functional analysis further considers operating regimes of different infrastructures and the functionality levels of these infrastructures to determine functional efficiency [Ouyang et al, 2009]. The most implemented method for interdependency analysis is complex network theory, which is able to represent complex topology structures and


7

provide both qualitative and quantitative results [Wang et al., 2012]. However, in the past few years this approach has been criticized as it lacks the ability to capture complicated time-stepped behaviors of infrastructures and is unable to model event-driven interaction [Tolk and Uhrmacher, 2009; Wang et al., 2012]. Other modelling techniques that have also been applied for CIs interdependency analysis include quantitative Input-Output models [Haimes and Jiang, 2001], system dynamics [e,g. Gonzalez et al., 2006; Sarriegi et al., 2007], behavioural and game theoretical models [Burke, 1999; Liu et al., 2008] interdependency graph models, agent-based models [Thomas et al., 2003; Dudenhoeffer et al., 2006; De Porcellinis et al, 2008] and physical and geospatial models [Patterson and Apostolakis, 2007; Abdalla and Niall, 2010]. Svendsen and Wolthusen, [2012] explain in detail the modelling approaches used in CIs interdependency analysis. 2.3. Vulnerability and risk analysis As part of CI protection strategy, a comprehensive assessment of the vulnerabilities of key critical infrastructure, including risk assessments to determine risks posed by particular types of hazard, needs to be carried out [Moteff, 2014]. Vulnerability assessments enable identification of the extent of adverse effects caused by the occurrence of a potential hazard and seeks to identify network elements (links and/or nodes) in CI whose failure would cause the most disruption in the functioning of the CI [Johansson and Hassel, 2010; Wang et al., 2012; Turnquist and Vugrin, 2013]. A full assessment of vulnerability requires consideration of the economic and social value of the infrastructure at risk [Voice, et al., 2006]. The vulnerability assessment results are then used for risk analysis to identify the possibility or likelihood of different consequences and impacts of the identified vulnerabilities [Baker, 2005; Sayers et al., 2013]. In general, risk analysis aims to help decision-makers in understanding where the most significant risks lie, whether the consequences are acceptable and how best to manage them [Baker, 2005; Sayers et al., 2013]. The end of the risk assessment process is a decision concerning whether or not to take action based on the acceptability of risks identified [Baker, 2005]. The first requirement for vulnerability analysis at high level is to identify and map the various components considered vulnerable and assess their respective risk of being impacted by a specific hazardous event [Voice et al., 2006]. Expert assessment of the susceptibility of CI and the values at risk will assist prioritizing the criticality of CI. For instance, in coastal areas the vulnerability of existing

8


coastal CI depends upon rates of coastal erosion, sea level rise and the frequency of extreme events. The vulnerability of some infrastructure also depends on the design standards in place at the time of construction and the planning codes employed [Voice et al., 2006]. At the second level, most sector-specific vulnerability and risk analysis methods propose mathematical modelling and quantitative analysis [Ouyang et al., 2009; Wang et al., 2012]. Others, however, propose the elicitation of expert judgment [Parks & Rogers, 2009; Ezell, 2007; Egan, 2007; Cooke & Goossens, 2004] and qualitative assessments [Baker, 2008; EPA, 2002; Haimes & Longstaff, 2002] to draw upon data that exists within the “knowledge domain” [Nadkarni and Shenoy, 2004; Moser, 2005] rather than the “data domain” where many quantitative models operate. Sector-specific vulnerability analysis first lists all the CIs, performs a network analysis and enumerates all possible event combinations and computes the probability for the infrastructure to fail under each event scenario. 2.4. Resilience planning Resilience reflects the ability of a social system to cope with a potential hazard, re-organize itself, and to improve through adaptive processes and through learning from experience [Adger et al., 2005; Folke, 2006; Cutter et al., 2008]. Adaptive capacity, which is defined as the capacity of a system to adjust to change, moderate the effects, and cope with a disturbance [Burton et al., 2002; Brooks et al., 2005; Cutter et al., 2008] is therefore intrinsically linked with resilience. Hazard mitigation is another concept that is nested within resilience planning. Hazard mitigation is any action taken to reduce or avoid risk or damage from hazard events [Mileti, 1999; Godschalk, 2003]. Similar to adaptive capacity, the use of mitigation techniques and planning can increase a system’s or society’s resilience to hazards [Bruneau et al., 2003; Burby et al., 2000]. In the context of CI, resilience can be defined as the ability of CI and the associated social system to survive and cope with a disaster with minimum disruption and damage [Berke and Campanella, 2006; National Research Council, 2006]. More specific definitions, define CI resilience as the ability of CI systems, to continue to provide essential services when interrupted by hazardous events as well as its speed of recovery and ability to return to normal operation after the threat has receded [Queensland Reconstruction Authority, 2011]. In other words, disaster resilience plans should be able to prevent, mitigate, prepare for response to, and recover from the impacts of, disaster [Commonwealth of Australia, 2010].


9

CIs Resilience plans usually include pre-event measures and post-event strategies. Pre-event measures are preparedness actions to prevent hazard-related damage and losses, while post-event strategies aim to help cope with, and minimize, disaster impacts [Bruneau et al., 2003; Tierney and Bruneau, 2007]. Pre-event measures are often comprised of two sets of activities including prevention and preparedness actions. Prevention actions are planning, development, mitigation and adaptation strategies used to facilitate resilience. These strategies include mechanisms designed to integrate the resources in the key areas of built infrastructure and land use planning strategies. As shown in Figure 2, these mechanisms fall into three broad categories; land use planning, adaptive design, and mitigation plans. From a CI protection perspective, it is critical to ensure that planning, from the strategic planning framework and local governments’ planning schemes down to the development assessment level, considers better protection of CI systems. This mechanism suggests consideration of long term resilience of the CI system and land use patterns in the course of preparing strategic planning frameworks and local planning schemes to ensure the sustained availability of CI systems and their services [Paton and Johnston, 2006, Queensland Reconstruction Authority, 2011]. This is consistent with a sustainable development strategy to separate hazardous areas and development and ensuring that future development does not increase the vulnerability of CI systems [Godschalk, 2003]. Adaptive design of CI system is another step towards damage prevention in resilience planning. Adaptive design of CI assets can reduce permanent damages and help to maintain structural integrity of a CI system during disaster occurrence. It also assists in the rapid resumption of normal operation after the threat has receded [Queensland Reconstruction Authority, 2011]. To achieve this, owners and operators of CIs should initially make informed decisions about the placement of major CIs and where possible, locate major CI (e.g. electricity substations) outside hazard prone areas. However, where potential risks to substations cannot be avoided by locating infrastructure outside hazard areas, adaptation should be considered when designing CI network. For instance, after the major 2011 flood in South-east Queensland, Australia, the electricity distributor (ENERGEX) identified vulnerability in the western suburbs of Queensland’s capital city (Brisbane), where many customers were disconnected from electricity supply despite not being directly affected by the flood itself. Therefore, to ensure that the majority of unaffected customers could be supplied with stand-by generation, the electricity supply network was reconfigured. In addition to network design, resilience materials, wet and dry proofing methods

10


can also be implemented during the construction phase to protect the vital components of CIs from damage [Queensland Reconstruction Authority, 2011]. Despite the fact that the most effective strategy for CI protection is planning to avoid development in areas vulnerable to hazard impacts, much CI development has already occurred in areas susceptible to disruption [Paton and Johnston, 2006]. Consequently, mitigation activities are required to prevent or eliminate losses from plausible hazards. Mitigation activities should be able to reduce the need for an emergency response and greatly reduce the recovery period. Disaster-Hazard mitigation includes strengthening CI, flood-proofing and wind-proofing existing structures through building codes and engineering design, and maintaining the functions of natural systems like wetlands, dunes, and forests that reduce hazard impacts [Godschalk, 2003; Paton and Johnston, 2006]. Using structural approaches such as flood control works, slope stabilization, and shoreline hardening is another mitigation technique that aims to reduce risks from a hazardous event [Godschalk, 2003].

Fig. 2. Disaster resilience mechanisms

As shown in Figure 2, social components are embedded in resilience planning as preparedness activities, which facilitate community commitment to reduction


11

and readiness activities [Paton and Johnston, 2006]. In this context, communities, their members, business and societal institutions are required to ensure their safety and the continuity of core functions during disaster occurrence. To confront the problems encountered and adapt to the damages created by hazardous events, a disaster emergency management plan, a business continuity plan, and community education programs need to be prepared, not during the ‘disaster’, but rather during the period of hazard quiescence [Paton and Johnston, 2006]. Preparing plans for specific events can lead to better responses that emphasize centralized decision making, which will enhance the ability to deal with hazardous events [Commonwealth Australia, 2010]. For example, in Queensland, when a La Niña weather system was identified and a high likelihood of an increased rainfall was forecast for the summer of 2011, the electricity distributor in Queensland (ENERGEX) implemented a Summer Preparedness Plan, Business Continuity Plan and a Corporate Emergency Management Plan, which incorporated the Flood Risk Management Plan 2010/2011 [Queensland Reconstruction Authority, 2011]. Pre-event measures in resilience mechanisms feed into post event steps of CIP strategies (i.e. response and recovery) to not only effectively respond to a disaster, but also to be able to learn and adapt from an event. Conversely, resilience represents not only a return to the state that existed before the disturbance, but also to advance the state through learning and adaptation. Continual learning and taking responsibility for making better decisions will consequently improve the capacity to handle hazards [Adger et al., 2005; Cutter et al., 2006; Folke, 2006]. 2.5. Response and recovery Response and recovery in the CIP context relates to actions taken during, and immediately after, a disaster [Commonwealth of Australia, 2011]. Response actions are effective measures to ensure the CI sustained the least damage and are able to be restored rapidly after the hazardous event has occurred [Government of South Australia, 2008; Queensland Reconstruction Authority, 2011]. That is, these actions are designed to prevent or minimize disruption to CI and to ensure that the effected community are given immediate relief and support [Commonwealth of Australia, 2011]. Recovery activities support the affected communities in reconstruction of the infrastructure [Government of South Australia, 2008; Commonwealth of Australia, 2011]. This requires the collaboration of governments, the community, along with the owners and operators of the CI. However, owners and operators of

12


CI are primarily responsible for the recovery of their assets and the reestablishment of their essential services [Commonwealth of Australia, 2011]. For instance, in the case of electricity blackout, the priority should be on returning the supply to the transmission network, and the high voltage backbone of the network to enable restoration to the largest number of customers as quickly as possible [Queensland Reconstruction Authority, 2011]. 3. Uncertainty: Principles and Typology All decision-making approaches involving natural systems and human behavior face a number of uncertainties, ranging from ambiguity in defining problems and goals to uncertainty in data and models [Refsgaard et al. 2007, Mosadeghi et al., 2013]. Uncertainty is commonly considered as any departure from the unachievable ideal of complete determinism [Walker et al., 2003; Warmink et al., 2010] or the degree of confidence a person has about the specific outcome of an event or action [Klauer and Brown 2004, Refsgaard et al. 2007; Mosadeghi et al., 2013]. Uncertainty is usually due to the imperfect knowledge of decision makers about the natural system itself, which may be reduced by empirical efforts [Walker et al. 2003, Refsgaard et al. 2007]. During recent decades, there has been considerable effort towards improving the accuracy of numerical models so that they are capable of providing improved simulations and projections of hydrological, atmospheric and ecological processes [e.g. Webster et al. 2003, Refsgaard et al. 2007, Teegavarapu 2010]. Improving the accuracy of the physical models being used by decision makers can consequently reduce model-inherent uncertainties [Refsgaard et al. 2007; Mosadeghi et al., 2013]. On the other hand, application of quantitative approaches in strategic decision-making procedures has increased. These quantitative approaches now include more sophisticated techniques allowing sensitivity and uncertainty analyses to improve knowledge integration across environmental, physical and social sciences [Hyde et al. 2005, Herath and Prato 2006, Bryan and Crossman 2008, Hajkowicz 2009; Mosadeghi et al., 2013]. The most commonly used typology and terminology distinguishes three dimensions of uncertainty [Walker et al., 2003; Refsgaard et al., 2007; Warmink et al., 2010; Mosadeghi et al., 2013]: (1) The location of uncertainty – where the uncertainty manifests itself within the model complex; (2) The level of uncertainty – where the uncertainty manifests itself along the spectrum between deterministic knowledge and total ignorance;


13

(3) The nature of uncertainty – whether the uncertainty is due to the imperfection of our knowledge or is due to the inherent variability of the phenomena being described. The four main locations of uncertainty are identified as:  Context uncertainty – includes uncertainty about the external economic, environmental, political, social, and technological situation that forms the context for the problem being examined [Walker et al., 2003; Refsgaard et al., 2007; Warmink et al., 2010; Mosadeghi et al., 2013]. Considering this uncertainty can help to avoid problems arising from incorrect problem framing [Dunn, 2001];  Model structure uncertainty – arises from a lack of sufficient understanding of the system (past, present, or future) that is the subject of the policy analysis, including the behaviour of the system and the interrelationships among its elements;  Model technical uncertainty – is the uncertainty generated by software, errors in algorithms or hardware errors [Walker et al., 2003];  Input uncertainty – is related to data that describe the reference system (i.e. land use maps, data on infrastructure and climate data, and the external driving forces that have an influence on the system and its performance). The various levels of uncertainty are distinguished as statistical, scenario, qualitative and recognized uncertainties. According to Refsgaard et al. [2007], statistical uncertainty is uncertainty which can be expressed as probabilities or alternative numerical variables. This is addressed in most traditional uncertainty models or risk assessments [Refsgaard et al., 2007; Warmink et al., 2010]. Scenario uncertainty implies that there is a range of possible outcomes, but the mechanisms do not define the probability of any particular outcome. Qualitative uncertainty addresses the uncertainty that cannot be expressed in terms of nominally measurable values. In the case of recognized ignorance, uncertainty exists about the relations and mechanisms being studied, and it is therefore not possible to outline different possibilities or to give any qualification of the value of the uncertainty [Warmink et al., 2010; Mosadeghi et al., 2013]. The third dimension of the concept of uncertainty is known as the nature of uncertainty. Here, Walker et al. [2003] and Refsgaard et al. [2007] are in agreement by categorizing the nature of uncertainty into:  epistemic uncertainty, i.e., the uncertainty due to imperfect knowledge, which may be reduced by more research and empirical efforts; and

14


 stochastic uncertainty, i.e., the inherent uncertainty or randomness of nature, human behavior and social, economic, and cultural dynamics, which cannot be eliminated. 4. Uncertainty in Critical Infrastructure Protection (CIP) 4.1. Input uncertainty Similar to any other strategic decisions, the process of CIP is subject to uncertainty. Public and private officials responsible for CI rely on expert elicitation to estimate the likelihood of certain events occurring, their consequences, possible damages, and appropriate protective measures [Grossi and Kunreuther, 2001; Barker and Haimes, 2009; Giannopoulos et al., 2012; Lickley et al., 2013]. This Model Uncertainty causes difficulties in interpreting the data and reduces the confidence in decision-making [Barker and Haimes, 2009; Chen et al., 2011]. Furthermore, most of the existing CI have been designed based on current climatology or analyses of historical climate data on the assumption that past extremes will represent future conditions [Auld and MacIver, 2007; Lickley et al., 2013]. The Input Uncertainty in the projection models, which provide estimations on the magnitudes and directions of future natural hazardous events, limit abilities to design infrastructure for future conditions [Auld and MacIver, 2007]. A typical example of this sort of uncertainty can be seen in the use of flood risk and projections maps to set up building regulations, construction codes, and land use zoning, which are estimated based on historical flood data. Considering the input uncertainty is particularly important in CIP strategies as many existing CI are located in vulnerable locations, including coastal zones and river flood plains. In recent years, lack of local information on how CI may cope and adapt to climate change has also increased the level of uncertainty in appropriately planning response and recovery actions [Voice et al., 2006]. This means small increases in extreme weather events can potentially increase damages to the CI and, more resources will be required to restore the infrastructures and recover from the hazardous event [Auld and MacIver, 2007]. The above-mentioned uncertainties can manifest themselves within all phases of the CIP process including cross-sectoral analysis of interdependencies, vulnerability and risk analysis, resilience planning, as well as response and recovery actions. In this situation, the selection of different mitigation measures and operational tactics, and prioritizing the resources for protecting critical infrastructures would be uncertain and are expected to generate different


15

importance rankings from different stakeholders [Giannopoulos et al., 2012; Akhtar, 2014]. Analyzing these uncertainties can assist stakeholders to understand the role of uncertainty in the estimates of losses from natural disasters and in evaluating alternative disaster management [Grossi and Kunreuther, 2001]. The next section reviews uncertainty analysis approaches that can be used in the process of CIP. 4.2. Uncertainty analysis approaches Careful consideration of uncertainty in the CIP process provides an estimation of the robustness of disaster management decisions as well as analysis of the gaps in data collection and actions [Hall and Solomatine, 2008]. The problem of uncertainty in the CIP process can be addressed in three principally different ways:  Improving the accuracy of data;  Quantitative uncertainty analysis; and  Improving planning policies As highlighted at the start of Section 3 (Uncertainty: Principles and Typology), effort has been applied in improving the accuracy of physical models so that they achieve more realistic projections. In constructing new infrastructure, it is important that the climatic values used for CI design be regularly updated and approaches such as the use of a Climate Change Adaptation Factor should also be considered on a regional basis [Auld and MacIver, 2007]. To incorporate uncertainties inherent in the decision models, uncertainty and sensitivity analysis techniques have also continued to expand. These techniques are used to understand the degree of uncertainty in using different strategies and to identify contribution that each variable makes to total uncertainty [Hall and Solomatine, 2008]. Chen et al., (2011) categorizes uncertainty analysis techniques in probabilistic methods, indicator-based methods, and Fuzzy logic. Probabilistic methods compute how input uncertainties influence the selection of management strategies. To incorporate probability distribution information into decision-making, numerical and analytical methods can be used [Tung, 2009; Chen et al., 2011]. For example, Monte Carlo simulation allows exploration of the full range of variation in the input factors and does not require assumption about the model structure [Madani and Lund, 2011]. Alternatively, Bayesian network modelling is a good example of analytical methods, which can be used to deal with uncertainties both in the decision-making process and in input data [Chen et al., 2011].

16


In addition to probabilistic methods, indicator-based uncertainty analyses methods have recently been introduced to address uncertainty. These methods use a specific indicator to describe how close the second best management strategy is to the selected approach [Chen et al., 2011]. Fuzzy logic can also be used to quantify uncertainty, where the input uncertainties can be represented by a degree of membership in the fuzzy set (see Chen et al., 2011 for more detail information on uncertainty analysis techniques). It is to be noted that the data necessary for quantified uncertainty analysis are not always available and new data collection including expert elicitation exercises may be required. This means project funders and the key stakeholders need to be convinced and educated of the merits of uncertainty analysis before setting up a project timeline [Hall and Solomatine, 2008]. Although quantitative uncertainty analysis techniques have been widely used and the accuracy of the input data has been improved, methods for addressing the problem of uncertainty are not only limited to the technical evaluations. Even if data and technical information were perfect, there would still be uncertainty in the protection and management of CI due to governance and planning issues [Voice et al., 2006]. At the national level, a government’s approaches to CIR should go beyond conventional CIP strategies, which to a large extent only address foreseeable risks, to also address hazards and risks that are unforeseen or unexpected [Commonwealth of Australia, 2011]. At regional and local levels land use and development planning are sometimes dominated by short-term commercial interests, which constrain decision makers from viewing issues in the long term horizons [Voice et al., 2006; Auld and MacIver, 2007]. Consequently, more resources are required for local governments to plan for long term horizons and address the uncertainties within their decision model. This can be achieved through planning scheme amendments and measures such as increasing safety factors, forensic analyses of extreme events and incorporating climate change projections into engineering codes, standards and practices [Voice et al., 2006; Auld and MacIver, 2007]. To provide a better understanding of quantitative uncertainty analysis in CIP the next section focuses on the use of Bayesian networks (BNs) as a framework for resilience planning of critical infrastructure through framing adaptive capacity of Emergency Management and its relationship to enhancing resilience and decreasing vulnerability in the context of uncertainty.


17

5. Application of Bayesian Network (BN) in resilience planning of CI In this section, the reader is first presented with pertinent background information on Bayesian theory, which is facilitated by simple definitions of the key terms associated with Bayesian statistics (e.g. a prior, likelihood, posterior, conditional probability) and BNs (e.g. nodes, variables, arcs). This background material also provides important context for the second part of this section, where a case-study example of using BN models to explore the resilience (and vulnerability) of critical infrastructure is presented. This is presented within the capacity of emergency management to effectively ‘cope’ with disasters in securing CI before, during and after the event. An important feature of this approach is that the data used to construct the model of resilience (including parameterization) is drawn from the knowledge domain of the decision-makers themselves. The final part of the section concentrates on coalescing the lessons learnt from this BN modelling exercise and highlighting implications for research and management. 5.1. Core attributes of Bayesian Networks (BN) for uncertainty analysis of CI BN modelling is suited to uncertainty analysis of CIP because it provides insight into the causal interdependencies that exist between system variablesa in the context of uncertainty and subjectivity. BN modelling has a strong background in handling uncertain events in a consistent way through the use of personal beliefs and being able to update beliefs when new evidence arises [Cain, 2001; Fenton and Neil, 2013]. It provides a robust framework through Bayes theory (explained further in section 5.2) for dealing competently with ‘novel’ events (i.e. events not explained by historical data trends) and utilizing evidence or data in updating the probability of an event occurring (e.g. the probability of a bridge collapsing given that it is windy). By comparison, standard statistical approaches are unable to incorporate subjectivity with the same robustness [Fenton and Neil, 2013]. Furthermore, they provide information on the likelihood of observing the data (e.g. high winds) given that the event of interest (e.g. the bridge will collapse) is true or has already occurred [McCarthy, 2007]. Another important attribute of BN modelling is that it provides a mechanism, via the underlying probabilistic framework of Bayes theory, to directly integrate a

Variables are objects, elements or attributes that can change e.g. water temperature is a variable

because it has different values; the color of a car (red, green, white etc.) is another example.

18


social, economic and environmental variables within a single model [Kjærulff and Madsen, 2008]. This further enhances the capacity of undertaking meaningful assessments of CI resilience when there are multiple drivers of change that encompass multi- and trans-disciplinary areas of a system. The ability to formally include ‘expert opinion’ as a data source in BNs is a very attractive attribute when evaluating the resilience of CI. This is because it allows the expertise of key stakeholders to be used as a valid data source [Kjærulff and Madsen, 2008]. This is an important advantage where data is normally incomplete or not readily available. For example, while the impacts of climate change and extreme events on CI are clearly framed as a threat to built infrastructure [Di Giorgio and Liberati, 2012], historical data is unlikely to exist to quantify this threat and the experiences of decision makers and other key stakeholders are likely to provide the key source of data. 5.2. Background information on Bayesian Networks (BN) As highlighted already, BN modelling is based squarely on the statistical framework provided of Bayes theory (equation 1) and enables inference to be made about the probability of an event (A) occurring based on the available evidence (e). It also provides a framework for incorporating subjectivity into this inference via the use of ‘priors’ (a priori information). In this equation:

   

P(A|e) is the posterior probability of observing an event A conditioned upon the evidence or data that has already been observed; P(e|A) is the likelihood of observing the evidence or data given the hypothesis for the event is true; P(A) is the a priori probability of observing the event in the absence of data; and P(e) is the probability of observing the data independent of whether the event has occurred or not.

P ( A e) 

P(e A)  P( A) P ( e)

(1)

BNs represent causality through directed acyclic graphs (DAGs), where the direction of causality is in one direction and therefore precludes feedback loopsb. b

Feedback loops can be modelled within BNs, however these models are complex in their structure

and thus an assumption of acyclic representation is normally applied.


19

Importantly, DAGs provide a user-friendly interface that enables relatively easy construction of a BN model, even for ‘non-modellers’, which encourages the inclusion of experts as participatory modellers. The DAG, composed of a set of variables (also known as nodes) and directional arrows between them (arcs) resembles a ‘network tree’ as shown in Figure 3. The direction of the arrows or arcs between nodes indicates the direction of causality, also known as the direction of conditional dependence. This is an important pillar of BNs, in particular for making them mathematically tractable and, where expert opinions are used, greatly simplifying the process of populating the underlying conditional probability tables (CPTs). For example, node C is conditionally dependent on the values of nodes A and B (but A and B are conditionally independent of C) but is conditionally independent of all the other nodes in the network. Similarly node E is conditionally dependent on nodes C and D but (conditionally) independent of nodes A and B. Thus, when determining how node E responds to changes in the other nodes, the only consideration (for node E) for parameterising the probabilistic relationships are the values of nodes C and D. The nodes, as variables, have different states. It is standard practice to use variables with discrete states (e.g. 20m; high/medium/low) rather than continuous states (e.g. water temperature on a continuous scale). The rules of assigning these states to a variable are:  Mutually exclusivity (i.e. a variable cannot simultaneously exist as more than one state);  Consistency (the states all describe the variable consistently); and  Comprehensive (i.e. the states cover all possibilities for the variable). CPTs are then specified to quantify the strength of causality between parent and child nodes, taking into account all possible combinations of the parent nodes and the associated probability of observing a particular state for the child node.

A

B C

D E

Fig 3. Five-node example of a Bayesian belief network.

20


5.3. Southeast Queensland climate adaptation research initiative (SEQ-CARI) This part presents a case study of BN modelling for emergency management. The model is framed around reducing vulnerability and enhancing the resilience of CI management for South East Queensland (SEQ), Australia, in the context of coping with regional-level climate change. SEQ is one of the fastest growing areas in Australia, encompassing 22,420 square kilometers and eleven local authorities. It is an area of strong population growth, increasing from 1.4 million in the early 1980s to a current population of approximately three million, and is projected to rise to 4.2 million over the next 20 years [Queensland Department of Infrastructure and Planning, 2008]. Most of the current population is concentrated in the state capital of Brisbane, and spreads along the coast northward, ca 80 km, to the Sunshine Coast area, and southward, ca 70 km, to the Gold Coast area. This growing population within a coastal area has made the SEQ region particularly vulnerable to climate change and therefore, human settlements and critical infrastructure are facing threats from more extreme events, increased temperatures and altered rainfall patterns [Low Choy et al., 2011] A core aim of the SEQ-CARI project was to inform decision-makers at different levels (local, state, federal) of government about South East Queensland’s adaptive capacity and adaptation options to climate change for a range of sectors including planning, health and emergency management. Adaptation and adaptive capacity have been identified as central themes for increasing resilience and reducing vulnerability of infrastructure towards the impacts of climate change and extreme events [IPCC, 2014]. This, in turn, often requires the use of techniques that can elicit direct stakeholder engagement to provide the ‘domain knowledge’ critical to a better understanding of the human dimension of management [Nadkarni and Shenoy, 2004; Moser, 2005]. In this section, we first present methodological information about the stakeholder-driven BN models that were developed for the SEQ-CARI project. We then highlight a BN model that was developed for emergency management, including key points about its development and findings. 5.3.1. Stakeholder workshops Six stakeholder workshops were carried out in the latter part of 2010 encompassing 66 managers/decision makers from four different regional councils


21

and seven sectorsc across the study area. The BN development process is described in detail elsewhere [Richards et al., 2013]. Briefly, each workshop started with an overview of the SEQ-CARI project and provision of climate projections such as sea level rise and temperature projections. Then starting with a pre-selected suite of climatic (e.g. temperature, sea-level) and non-climatic (e.g. population) determinants, the stakeholders constructed a conceptualization of their system within which they operated. This process helps to construct a grouplevel understanding of the ‘system’ being investigated [Voinov and Bousquet, 2010]. It also provided the mechanism for identifying the priority stakeholderspecific management issues (the ‘priority issue’) to frame the development of sector-specific BNs. For example, the emergency management sector (four workshops) elected to focus on general themes of resilience and vulnerability of the community whilst the electricity sector (one workshop) focused on maintaining electricity supplies to their customers. 5.3.2. Bayesian Networks (BN) structure In developing the sector-specific BNs, each sector group was asked to identify the variables that directly influenced their capacity to manage their selected priority issue. After this first hierarchical level of the network containing the primary variables, the stakeholders were then asked to identify those variables that they believed directly influence these primary-level variables. Note that the emphasis on causality in the two questions changed from ‘implement’ to ‘directly influenced’. That is, the stakeholders were now being asked to select secondarylevel variables that influenced other variables rather influencing their ability to implement the adaptation option. This process resulted in the development of unparameterised BN diagrams that were relatively simple structures and that were predominantly symmetrical or near-symmetrical, limited to three parent nodes per child node (some had four) and contained no more than four layers (three hierarchical levels). 5.3.3. Conditional probability tables The stakeholders, through a combination of one-on-one interviews and email communication, parameterised the BNs post-workshop. Note that in contrast to the development of the BN structures, which was based on the collective belief of the workshop participants (group-model building), populating the CPTs was c

Planners; Infrastructure; Coastal Managers; Health; Emergency Management; Biodiversity

management; Electricity

22


conducted at an individual stakeholder level, which allowed individual probabilities to be compared. Further detail on this process is described in Richards et al., [2013]. 5.3.4. Model testing The data elicited from the stakeholders were used to construct and compile functioning BNs using the dedicated Bayesian software package Netica (www.norsys.com). Auxiliary expert variables were introduced to each of the BNs [Kjærulff and Madsen, 2007] to account for the effect of eliciting the conditional probabilities (for a given BN) from multiple stakeholders. The utility of using these auxiliary variables is that the conditional probabilities specified by the different stakeholders can be used to specify that the probabilities of one stakeholder have greater influence on the BN than another stakeholder. In the SEQ-CARI project, the conditional probabilities obtained from the different stakeholders were weighted equally. Sensitivity analyses were carried out on the BNs to identify the variables (and pathways of variables) that had the greatest influence on the priority node. 5.3.5. The emergency management Bayesian Network (BN) As emergency management is a key component of resilience planning to protect critical infrastructure we present the BN model (Figure 4) developed for emergency management from one of the sectorial workshops. The four stakeholders who developed this BN were involved in emergency management in Queensland, representing local and state Queensland Government agencies. The stakeholders selected the uncertainty and causality surrounding the Capacity of emergency management to be the focal point of their BN and nominated the framework tenets of Preparation, Planning, Response and Recovery as their primary-level nodes. From this they developed a BN structure that encompassed a wide range of variables, representing social (e.g. Level of community engagement), political (e.g. Political awareness of liability), economic (e.g. Funding for preparation) and technological (e.g. Capacity of communication networks) aspects. At a group level, the results of a sensitivity analysis carried out on this BN indicated that the Capacity of emergency management (the priority issue) was most sensitive to Capacity to respond and Level of preparation at the first hierarchical level. At this level, follow up conversations noted that a catastrophic event (whether directly on a critical infrastructure or not) would overwhelm level


23

of preparation. Furthermore, the stakeholders felt that ‘preparation’ was where they were held accountable. At the second hierarchical level, the priority issue was sensitive to the Level of skill in response workforce, while at the third hierarchical level, Trainer competence was the most influential variable. Both of these are ancestor nodes for Capacity to respond. While it is important to elicit the general consensus of emergency (and infrastructure) management using BNs, it became clear during the SEQ-CARI project that is was just as important to use this technique to uncover areas where there was divergence in individual stakeholder beliefs (across the same sector). Given the complexity of this BN, the individual CPTs were broadly similar across the four stakeholder representatives, reflecting that the actors operating within Emergency Management were ‘operating from the same page’. However, there were some notable exceptions - there was clear divergence regarding the level of influence that Capacity to respond, Funding (for preparation), Degree of success and ‘Recency’ of disasters had on their respective child nodes. A specific example of divergence was the role of failure of emergency management on the variable ‘funding for preparation’. One stakeholder believed that failure to cope with previous emergency situations was linked to subsequent increased funding and subsequently improved preparation. However, this was at odds with the perceptions of the other stakeholders, who believed that increased funding was linked to success rather than failure.

Fig 4. BN structure developed for emergency management


25

5.4. Overview of the performance of Bayesian Network (BN) model The use of the BN methodology in the field of emergency managment as used in the SEQ-CARI case study example indicates that it is a technique that importantly draws upon the knowledge base of experts. The priority issue chosen by the emergency management stakeholders (Capacity of emergency management) readily enabled the identification of clear states at the first level (effective/ineffective). There was also rapid consensus that the most important variables influencing this priority issues could be captured under the variables of Level of preparation, Degree of preparation, Capacity to respond, and Recovery capacity. These four variables conform with well-established foundations for strategic planning for, and responding to, disasters. The narratives of individual members of the group clarify the rationale for the variable ‘Capacity to respond’ and the context influencing its attributed significance, often through comparisons. The utility of developing a BN for emergency management based on preparation, prevention, response and recovery was that it strongly matched the components of the resilience planning step for CI management (Figure 2). Furthermore, because BN models are probabilistic-based, they ‘naturally’ recognize and deal explicitly with statistical uncertainty. They also facilitate the integration of key interdependencies because BN models are (1) integrative, being able to combine qualitative and quantitative data and (2) are built on ‘cause’ and ‘effect’ relationships as described in section 5. In the emergency management model that we presented, these are shown in Fig 4 and included explicit (e.g. the nodes ‘Level of private NGO engagement’ and ‘Level Inter Agency Coordination’) and implicit (e.g. ‘Funding for infrastructure’) sectoral interdependencies. 6. Implications and conclusions It can be concluded that there are potential implications of using the BN methodology for research and management of CIs ranging from CI protection strategies (Section 2), where uncertainty and interdependency identification is important, to dealing competently with uncertainty (Sections 3-4). This is most clear when discussing the uncertainty in CI protection (section 4) and the reliance on expert elicitation to provide data about the likelihood of events occurring, their consequences and appropriate protection measures (interventions). This statement reflects many of the core attributes and capabilities of BN models in

26


being able to draw upon this expert knowledge and integrate it in a cause-andeffect model. Furthermore, the subjective element of BN models (and Bayes theorem), which can be a point of criticism for this method (particular by supporters of frequentist statistical approaches), actually provides the mechanism for undertaking risk assessments for novel events (e.g. CI failure due to future climate change) [Fenton and McNeil, 2013]. Finally, it should be highlighted that BN models do not provide all the solutions to CI management and rather should be viewed as a complimentary tool that can be used alongside others. It is important to note the limitations of the Bayesian approach – for example BN models do not account for feedback pathways, which might be critical components in understanding the interdependencies and vulnerabilities of CI. The application of the developed BN model(s) should also match the objectives for its development. In the emergency management example, the model structure and parameterisation were determined solely from expert elicitation based on the four stakeholders involved. This level of model development suited objectives of engaging with key stakeholders to help identify how different sectors (such as emergency management) are perceived to operate within the context of climate change in southeast Queensland (i.e. a belief system). However, what if the needs of the BN model included making specific assessments of current emergency management operations? What happens if a BN has not been developed beyond a base belief system and therefore incomplete? Furthermore, what is the impact of diverging beliefs regarding how the various nodes relate to one another (as observed in part of the example BN) and how should this be addressed in the model? In other words, the process of developing a BN should be matched to clear objectives and it needs to be determined whether the model is to be an exploratory tool whereby stakeholder engagement and the development of a base model is the main aim or it is to be a refined risk assessment tool for CI management.

References 1.

2. 3.

Abdalla, R.M., Niall, K.M.: Location-Based Critical Infrastructure Interdependency (LBCII). Tech. Rep. TR 2009-130, Defence Research and Development Canada, Toronto, Ontario, Canada (2010). Adger, W.N., (2006). Vulnerability, Global Environ. Change 16, pp. 268-281. Adger, W. N., Hughes, T. P., Folke, C., Carpenter, S. R., and Rockström, J. (2005). Socialecological resilience to coastal disasters. Science, 309(5737), pp.1036-1039.

Critical Infrastructure Protection and Uncertainty Analysis 4.

5. 6.

7.

8.

9. 10. 11. 12. 13.

14.

15.

16. 17.

18.

19. 20.

27

Auld, H., and MacIver, D. (2007). Changing weather patterns, uncertainty and infrastructure risks: emerging adaptation requirements. Environment Canada, Occasional paper 9. Ontario, Canada. Baker, G. H. (2005). A vulnerability assessment methodology for critical infrastructure sites. http://works.bepress.com/george_h_baker/2/. Barker, K., and Haimes, Y. Y. (2009). Assessing uncertainty in extreme events: Applications to risk-based decision making in interdependent infrastructure sectors. Rellab. Eng. Syst. Safe., 94(4), pp. 819-829. Brooks, N., Adger, N.W., Kelly, M.P. (2005). The determinants of vulnerability and adaptive capacity at the national level and the implications for adaptation. Global Enviro. Change. Part A 15 (2), pp. 151–163. Bruneau, M., Chang, S.E., Eguchi, R.T., Lee, G.C., O’Rourke, T.D., Reinhorn, A.M., Shinozuka, M., Tierney, K.T., Wallace, W.A., and von Winterfeldt, D. (2003). A framework to quantitatively assess and enhance the seismic resilience of communities. Earthq. Spectra 19 (4), pp. 733–752. Brunner, E.M. and Suter, M. Australia. In eds. A. Wenger, V. Mauer and M. D. Cavelty. International CIIP Handbook. Pp….Center for Security Studies, ETH Zurich (2008). Bryan, B.A. and Crossman, N.D. (2008). Systematic regional planning for multiple objective natural resource management. J. Env. Manage., 88 (4), pp. 1175–1189. Burby, R.J., Deyle, R.E., Godschalk, D.R., Olshansky, R.B. (2000). Creating hazard resilient communities through land-use planning. Nat. Hazards. Rev. 2 (1), pp. 99–106. Burke, D.A. Towards a Game Theory Model of Information Warfare. Ph.D. thesis, Air Force Institute of Technology, Wright-Patterson Air Force Base, OH, USA (1999). Burton, I., Saleemul, H., Pilifosova, L.B., Schipper, O., Lisa, M. ( 2002). From impacts assessment to adaptation priorities: the shaping of adaptation policy. Climate Poli. 2 (2–3), pp. 145–159. Bussey, M., Carter, R.W., Keys, N., Carter, J., Mangoyana, R., Matthews, J., Nash, D., Oliver, J., Richards, R., Roiko, A., Sano, M., Thomsen, D., Weber, E., Smith, T.F., (2011). Framing Adaptive Capacity through a History-Futures Lens: Lessons from the South East Queensland Climate Adaptation Research Initiative. Futures 44(4), pp. 385–397. Cain, J. (2001). Planning improvements in natural resources management. Guidelines for using Bayesian networks to support the planning and management of development programmes in the water sector and beyond. Centre for Ecology and Hydrology Wallingford, UK. Charniak, E., (1991). Bayesian networks without tears. AI Magazine, 12, pp. 50–63. Chen, H., Wood, M. D., Linstead, C., & Maltby, E. (2011). Uncertainty analysis in a GISbased multi-criteria analysis tool for river catchment management. Env. Modell. Softw., 26(4), pp. 395-405. Commission of the European communities, (2006). Communication from the commission on a European Programme for Critical Infrastructure Protection. http://europa.eu/legislation_summaries/justice_freedom_security/fight_against_terrorism/l 33260_en.htm. Commonwealth of Australia, (2010). Critical infrastructure resilience strategy. http://www.tisn.gov.au/ Commonwealth of Australia, (2011). National guidelines for protecting critical infrastructure from terrorism.

28 21. 22.

23.

24. 25.

26.

27.

28. 29. 30. 31. 32.

33.

34.

35. 36.

37.

R. Mosadeghi, R. Richards & R. Tomlinson Cooke, R. M., & Goossens, L. H. J. (2004). Expert judgment elicitation for risk assessments of critical infrastructures. J. Risk Resea., 7(6), pp. 643–656 Cutter, S. L., Barnes, L., Berry, M., Burton, C., Evans, E., Tate, E., and Webb, J. (2008). A place-based model for understanding community resilience to natural disasters. Global Environ. Change, 18(4), pp. 598-606. De Porcellinis, S., Oliva, G., Panzieri, S., Setola, R.: A Holistic-Reductionistic Approach for Modeling Interdependencies. In eds. C. Palmer, S. Shenoi. Critical Infrastructure Protection III: Proceedings of the Third Annual IFIPWorking Group 11.10 International Conference on Critical Infrastructure Protection. IFIP AICT, vol. 311, pp. 215–227. Springer, Hanover (2009), Di Giorgio, A., Liberati, F., (2012). A Bayesian Network-Based Approach to the Critical Infrastructure Interdependencies Analysis. IEEE Sys. J., 6, pp. 510–519. Dunn, W.N. (2001). Using the method of context validation to mitigate type III Errors in environmental policy analysis, eds. Hisschemoller, M., Hoppe, R., Dunn, W.N. and Ravetz, J. “Knowledge, power and participation in environmental policy”. (New Brunswick and London: Transaction Publishers) pp 417–436. Dudenhoeffer, D.D., Permann, M.R.,Manic, M. (2006) CIMS: A Framework for Infrastructure Interdependency Modelling and Analysis, Proc. the 38th Winter Simulation conference, pp. 478-485. Egan, M. J. (2007). Anticipating future vulnerability: Defining characteristics of increasingly critical infrastructure-like systems. J. Conting. Crisis Manage., 15(1), pp. 4– 17. Ezell, B. C. (2007). Infrastructure Vulnerability Assessment Model (I-VAM). Risk Analy., 27(3), pp. 571–83. Fenton, N., Neil, M. (2013). Risk Assessment and Decision Analysis with Bayesian Networks. CRC Press, London. Folke, C. (2006). Resilience: the emergence of a perspective for social-ecological systems analyses. Global Enviro. Change 16 (3), pp. 253–267. Ford, J.D., Smit, B., Wandel, J., (2006). Vulnerability to climate change in the Arctic: A case study from Arctic Bay, Canada. Global Environ. Change. 16, pp.145–160. Freeman, P.K. (2003). Natural Hazard Risk and Privatization, eds., Kreimer, A. Arnold, M. and Carlin, A., “Building Safer Cities: The Future of Disaster Risk”, (The World Bank Disaster Management Facility, Washington, D.C.) pp. 33-44. Friedlingstein, P. and Solomon, S. (2005) Contributions of past and present human generations to committed warming caused by carbon dioxide, Proc. the National Academy of Sciences of the United States of America 102, pp. 10832–10836. Giannopoulos, G., Filippini, R., & Schimmer, M. (2012) Risk assessment methodologies for Critical Infrastructure Protection. Part I: State of the art, (Publications Office of the European Union, Luxembourg). Godschalk, D. R. (2003) Urban hazard mitigation: creating resilient cities. Nat. Hazards Rev., 4(3), pp. 136-143. Gonzalez, J.J., Sarriegi, J.M., Gurrutxaga, A. (2006) A Framework for Conceptualizing Social Engineering Attacks, eds. J. López, “CRITIS 2006. LNCS, 4347”, (Springer, Heidelberg) pp. 79–90. Government of Canada, (2009). National strategy for critical infrastructure.


39. 40.

41.

42. 43. 44.

45.

46. 47. 48.

49. 50. 51. 52.

53. 54.

29

Government of South Australia (2008). Regional natural disaster and risk mitigation strategy. Natural Disaster Planning & Risk Mitigation Steering Committee. http://lga.sa.gov.au/webdata/resources/files/Regional_Natural_Disaster_and_Risk_Mitigati on_Strategy.pdf. Grossi, P., & Kunreuther, H. (2001). The role of uncertainty on alternative disaster management strategies. Int. Geol. Rev., 43(5), pp. 391-400. Haimes, Y.Y., Horowitz, B.M., Lambert, J.H., Santos, J.R., Crowther, K.G., Lian, C. (2005). Inoperability input-output model for interdependent infrastructure sectors II: Case Studies. J. Infra. Sys. 11(2), pp. 80–92. Hajkowicz, S. (2009). The evolution of Australia’s natural resource management programs: towards improved targeting and evaluation of investments. Land U. Poli., 26 (2), pp. 471–478. Herath, G. and Prato, T. (2006) Using multi-criteria decision analysis in natural resource management. (Burlington: Ashgate). Howes, A.L., Maron, M., McAlpine, C.A., (2010) Bayesian Networks and Adaptive Management of Wildlife Habitat. Conserv. Bio. 24(4), pp. 974-983. Hyde, K.M., Maier, H.R., and Colby, C.B. (2005). A distance-based uncertainty analysis approach to multi-criteria decision analysis for water resource decision making. J. Env. Manage., 77 (4), pp. 278–290. IPCC (2014) Summary for policymakers, eds. Fields, C.B., V.R. Barros, D.J. Dokken, K.J. Mach, M.D. Mastrandrea, T.E. Bilir, M. Chatterjee, K.L. Ebi, Y.O. Estrada, R.C. Genova, B. Girma, E.S. Kissel, A.N. Levy, S. MacCracken, P.R. Mastrandrea, and L.L.White, “Climate Change 2014: Impacts, Adaptation, and Vulnerability. Part A: Global and Sectoral Aspects. Contribution of Working Group II to the Fifth Assessment Report of the Intergovernmental Panel on Climate Change”. (Cambridge University Press, Cambridge, United Kingdom and New York, NY, USA) pp. 1-32. Hall, J. and Solomatine, D. (2008) A framework for uncertainty analysis in flood risk management decisions, Int. J. Riv. Bas. Manage., 6(2), pp. 85-98. Kjærulff, U., Madsen, A. (2008). Bayesian Networks and Influence Diagrams: a Guide to Construction and Analysis. (Springer, New York). Klauer, B., and Brown, J. D. (2004). Conceptualising imperfect knowledge in public decision-making: ignorance, uncertainty, error and risk situations. Environ. Res., Eng. Manage, 1(27), pp. 124-128. Leaning, J., & Guha-Sapir, D. (2013). Natural disasters, armed conflict, and public health. New Eng. J. Med., 369(19), pp. 1836-1842. Lickley, M. J., Lin, N. and Jacoby, H. D. (2013). Protection of Coastal Infrastructure under Rising Flood Risk. MIT Joint Program on the Science and Policy of Global Change. Liu, D., Wang, X.F., Camp, J. (2008). Game-Theoretic Modelling and Analysis of Insider Threats. Int. J. Crit. Infra. Protec. 1(1), pp. 75–80. Low Choy, D., Baum, S., Serrao-Neuman, S., Crick, F., Sano, M., and Harman, B. (2010). Climate change vulnerability in South East Queensland: a spatial and sectoral assessment. National Climate Change Adaptation Research Initiative, Griffith University. Madani, K. and Lund, J.R. (2011). A Monte-Carlo game theoretic approach for multicriteria decision making under uncertainty. Adv. Water Reso., 34 (5), pp. 607–616. McCarthy, M.A. (2007). Bayesian Methods for Ecology. Cambridge University Press, Cambridge.

30 55. 56.

57. 58.

59.

60. 61. 62.

63. 64.

65.

66.

67.

68. 69. 70.

71. 72.

R. Mosadeghi, R. Richards & R. Tomlinson Mileti, D. (1999) Disasters by design: A reassessment of natural hazards in the United States, (Joseph Henry Press, Washington, D.C.). Mosadeghi, R., Warnken, J., Tomlinson, R., & Mirfenderesk, H. (2013). Uncertainty analysis in the application of multi-criteria decision-making methods in Australian strategic environmental decisions. J. Env. Plan. Manage., 56(8), pp. 1097-1124. Moteff, J., & Parfomak, P. (2004). Critical infrastructure and key assets: definition and identification. Library of congress. (Washington, DC: Congressional Research Service). Moteff, J.D. (2014). Critical infrastructures: Background, policy, and implementation. Congressional research report for congress, RL30153. (Washington, DC: Congressional Research Service). Ouyang, M., Hong, L., Mao, Z.J., Yu, M.H., Qi, F. (2009). A methodological approach to analyze vulnerability of interdependent infrastructures. J. Simul. Model. Pract. Th. 17(5), pp. 817-828. Parks, R. C., and Rogers, E. (2008). Vulnerability assessment for critical infrastructure control systems. IEEE Secur. Priv., 6(6), pp. 37–43. Paton, D., and Johnston, D. M. (2006). Disaster resilience: an integrated approach. (Charles C Thomas Publisher). Patterson, S.A., Apostolakis, G.E. (2007) Identification of Critical Locations Across Multiple Infrastructures for Terrorist Actions. Relia. Eng. Syst. Safe., 92(9), pp. 1183– 1203. Queensland Reconstruction Authority. (2011), Planning a stronger, more resilient electrical infrastructure, Queensland Government, Brisbane. Refsgaard, J. C., van der Sluijs, J. P., Højberg, A. L., & Vanrolleghem, P. A. (2007). Uncertainty in the environmental modelling process–a framework and guidance. Env. Modell. Softw., 22(11), pp. 1543-1556. Richards R., Sano, M., Roiko, A., Carter, R.W., Bussey, M., Matthews, J., Smith, T.F. (2013) Bayesian belief modeling of climate change impacts for informing regional adaptation options. Env. Modell. Softw. 44, pp. 113–121. Rinaldi, S.M., Peerenboom, J.P., and Kelly, T.K. (2001). Identifying, understanding, and analyzing critical infrastructure interdependencies. IEEE Control Systems Magazine, pp. 11-25. Sarriegi, J.M., Santos, J., Torres, J.M., Imizcoz, D., Egozcue, E., Liberal, D. (2007) Modeling and Simulating Information Security Management. eds. J. López, B.M. Hämmerli, “CRITIS LNCS” (Springer, Heidelberg) pp. 327–336. Sayers, P., YLi, G. G., Penning-Rowsell, E., Shen, F., Wen, K., Chen, Y., and Le Quesne, T. (2013). Flood Risks Management: A Strategic Approach (Asian Development Bank). Solano, E. (2010). Methods for Assessing Vulnerability of Critical Infrastructure. (Research Triangle Park, NC). Svendsen, N.K., and Wolthusen, S.D. (2012) Modelling approaches. eds. J. Lopez, R. Setola, and S.D. Wolthusen, “Critical infrastructure protection, information infrastructure models, analysis, and defense” (Springer, Berlin) pp. 68-97. Teegavarapu, R. S. (2010). Modeling climate change uncertainties in water resources management models. Env. Modell. Softw., 25(10), pp. 1261-1265. The Council of the EU. (2008). Council directive 2008/114/EC on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection. Offici. J. EU., L 345, pp. 75-82.


74. 75. 76. 77. 78.

79.

80. 81.

82.

31

Thomas, W.H., North, M.J., Macal, C.M., Peerenboom, J.P. (2003) From Physics to Finances: Complex Adaptive Systems Representation of Infrastructure Interdependencies (United States Naval Surface Warfare Center, Dahlgren, VA, USA). Tierney, K., Bruneau, M. (2007). Conceptualizing and measuring resilience: a key to disaster loss reduction. TR News May–June, pp. 14–17. Tolk, A. and Uhrmacher, A.M. (2009). Agents: agenthood, agent architecture, and agent taxonomies. Agent-directed simulation and systems engineering, WILEYVCH. Tung, Y.K., 2009. Uncertainty and Reliability analysis in Water resources Engineering. http://www.ucowr.siu.edu/updates/pdf/V103_A3. Turnquist, M., & Vugrin, E. (2013). Design for resilience in infrastructure distribution networks. Environ. Syst. Decis. 33(1), pp. 104-120. Voice, M., Harvey, N., & Walsh, K. (2006). Vulnerability to Climate Change of Australia’s Coastal Zone: Analysis of gaps in methods, data and system thresholds. Report to the Australian Greenhouse Office, Canberra, Australia. Walker, W. E., Harremoës, P., Rotmans, J., van der Sluijs, J. P., van Asselt, M. B., Janssen, P., & Krayer von Krauss, M. P. (2003). Defining uncertainty: a conceptual basis for uncertainty management in model-based decision support. Integr. Assess., 4(1), pp. 517. Wang, S., Hong, L., & Chen, X. (2012). Vulnerability analysis of interdependent infrastructure systems: A methodological framework. Physica A, 391(11), pp. 3323-3335. Warmink, J. J., Janssen, J. A. E. B., Booij, M. J., and Krol, M. S. (2010). Identification and classification of uncertainties in the application of environmental models. Enviro. Modell. Softw., 25(12), pp. 1518-1527. Webster, M., Forest, C., Reilly, J., Babiker, M., Kicklighter, D., Mayer, M., and Wang, C. (2003). Uncertainty analysis of climate change and policy response. Climat. Change, 61(3), pp. 295-320.