A Measure for Resilience of Critical Infrastructures

  • Sandra KönigEmail author
  • Thomas Schaberreiter
  • Stefan Rass
  • Stefan Schauer
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11260)


While risk in many areas of science and security is quantitatively understood as expected loss, resilience is a frequently used but much less formalized term. Defining the term plainly as the probability of outage appears as an oversimplification of practical matters, since precautions towards resilience typically target at impacts and may be without influence on any likelihoods of outage at all. We thus propose a quantitative definition of resilience inspired by and in alignment with the understanding of risk as the product of likelihood and impact. Our measure is based on the same ingredients as risk measures, but takes the level of preparedness as an additional variable into account. We discuss the embedding of this measure in the landscape of security risk management, as well as we point out issues and possibilities to the finding of the inputs from which resilience can be computed. A worked example illustrates and corroborates our proposed method.


Critical infrastructure protection Resilience Interdependent critical infrastructures 



This work was done in the context of the project “Cross Sectoral Risk Management for Object Protection of Critical Infrastructures (CERBERUS)”, supported by the Austrian Research Promotion Agency under grant no. 854766.


  1. 1.
    Alberts, C., Dorofee, A.: Managing Information Security Risks: The OCTAVE Approach. Addison-Wesley Professional, Boston (2002)Google Scholar
  2. 2.
    Brown, J.A., Darby, W.P.: Predicting the probability of contamination at groundwater based public drinking supplies. Math. Comput. Model. 11, 1077–1082 (1988). Scholar
  3. 3.
    Chaudhary, M., Mishra, S., Kumar, A.: Estimation of water pollution and probability of health risk due to imbalanced nutrients in river Ganga, India. Int. J. River Basin Manage. 15(1), 53–60 (2016). Scholar
  4. 4.
    Creese, S., Goldsmith, M.H., Adetoye, A.O.: A logical high-level framework for critical infrastructure resilience and risk assessment. In: 2011 Third International Workshop on Cyberspace Safety and Security (CSS), pp. 7–14, September 2011.
  5. 5.
    Cuisong, Y., Hao, Z.: Resilience classification research of water resources system in a changing environment. In: 2008 2nd International Conference on Bioinformatics and Biomedical Engineering, pp. 3741–3744, May 2008.
  6. 6.
    D’Agostino, G., Cannata, R., Rosato, V.: On modelling of inter-dependent network infrastructures by extended Leontief models. In: Rome, E., Bloomfield, R. (eds.) CRITIS 2009. LNCS, vol. 6027, pp. 1–13. Springer, Heidelberg (2010). Scholar
  7. 7.
    Field, E.H.: Members of the 2014 WGCEP: UCERF3: a new earthquake forecast for California’s complex fault system (2015).
  8. 8.
    Gou, B., Zheng, H., Wu, W., Yu, X.: Probability distribution of power system blackouts. In: IEEE Power Engineering Society general meeting, vol. gou, pp. 1–8. IEEE Service Center, Piscataway (2007).
  9. 9.
    Gouglidis, A., Green, B., Busby, J., Rouncefield, M., Hutchison, D., Schauer, S.: Threat awareness for critical infrastructures resilience. In: 2016 8th International Workshop on Resilient Networks Design and Modeling (RNDM), pp. 196–202, September 2016.
  10. 10.
    Gouglidis, A., Shirazi, S.N., Simpson, S., Smith, P., Hutchison, D.: A multi-level approach to resilience of critical infrastructures and services. In: 2016 23rd International Conference on Telecommunications (ICT), pp. 1–5, May 2016.
  11. 11.
    ISO/IEC 31000:2018: Risk management – Guidelines. Standard, ISO/IEC (2018).
  12. 12.
    Kamalahmadi, M., Parast, M.M.: A review of the literature on the principles of enterprise and supply chain resilience: major findings and directions for future research. Int. J. Prod. Econ. 171, 116–133 (2016).
  13. 13.
    Karabacak, B., Sogukpinar, I.: Isram: information security risk analysis method. Comput. Secur. 24(2), 147–159 (2005).,
  14. 14.
    König, S., Rass, S.: Stochastic dependencies between critical infrastructures. In: IARIA, SECURWARE 2017: The Eleventh International Conference on Emerging Security Information, Systems and Technologies, pp. 93–98 (2017)Google Scholar
  15. 15.
    König, S., Rass, S., Schauer, S., Beck, A.: Risk propagation analysis and visualization using percolation theory. Int. J. Adv. Comput. Sci. Appl. 7(1) (2016).
  16. 16.
    Leveson, N., Woods, D.D., Hollnagel, E.: Resilience Engineering: Concepts and Precepts. CRC Press, Boca Raton (2006)Google Scholar
  17. 17.
    Liu, M., Hutchison, D.: Towards resilient networks using situation awareness. In: 12th Annual Postgraduate Symposium on Convergence of Telecommunications, Networking and Broadcasting (2011)Google Scholar
  18. 18.
    Boumphrey, R., Bruno, M.: Foresight review of resilience engineering - designing for the expected and unexpected. Technical report, Lloyd’s Register Foundation (2015).
  19. 19.
    Martin, H., Ludek, L.: The status and importance of robustness in the process of critical infrastructure resilience evaluation. In: 2013 IEEE International Conference on Technologies for Homeland Security (HST), pp. 589–594 (2013).
  20. 20.
    Naderpajouh, N., Yu, D., Aldrich, D., Linkov, I.: Towards an operational paradigm for engineering resilience of interdependent infrastructure systems (2017)Google Scholar
  21. 21.
    National Institute of Standards and Technology: Framework for improving critical infrastructure cybersecurity - version 1.1. Accessed June 2018
  22. 22.
    Nepomnyashchiy, V.A.: Electrical network reliability and system blackout development simulations. Thermal Eng. 62(14), 993–1007 (2015).
  23. 23.
    Panteli, M., Mancarella, P., Trakas, D.N., Kyriakides, E., Hatziargyriou, N.D.: Metrics and quantification of operational and infrastructure resilience in power systems. IEEE Trans. Power Syst. 32(6), 4732–4742 (2017).
  24. 24.
    Rinaldi, S.M., Peerenboom, J.P., Kelly, T.K.: Identifying, understanding, and analyzing critical infrastructure interdependencies. IEEE Control Syst. 21(6), 11–25 (2001).
  25. 25.
    Royal Academy of Engineering: Cyber safety and resilience - strengthening the digital systems that support the modern economy (2018). ISBN 978-1-909327-38-2Google Scholar
  26. 26.
    Schaberreiter, T., Bouvry, P., Röning, J., Khadraoui, D.: Support tool for a Bayesian network based critical infrastructure risk model. In: Schuetze, O., et al. (eds.) EVOLVE - A Bridge between Probability, Set Oriented Numerics, and Evolutionary Computation III. Studies in Computational Intelligence, vol. 500. Springer, Heidelberg (2014).
  27. 27.
    Setola, R., De Porcellinis, S., Sforna, M.: Critical infrastructure dependency assessment using the input-output inoperability model. Int. J. Crit. Infrastruct. Protection (IJCIP) 2, 170–178 (2009)CrossRefGoogle Scholar
  28. 28.
    Shen, L., Tang, L.: A resilience assessment framework for critical infrastructure systems. In: 2015 First International Conference on Reliability Systems Engineering (ICRSE), pp. 1–5 (2015).
  29. 29.
    Svendsen, N.K., Wolthusen, S.D.: Graph models of critical infrastructure interdependencies. In: Bandara, A.K., Burgess, M. (eds.) AIMS 2007. LNCS, vol. 4543, pp. 208–211. Springer, Heidelberg (2007). Scholar
  30. 30.
    The European Parliament and the Council of the European Union: Directive (eu) 2016/1148 of the European Parliament and of the council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the union. Official Journal of the European Union L 194/1 (2016)Google Scholar
  31. 31.
    Theocharidou, M., Kotzanikolaou, P., Gritzalis, D.: Risk assessment methodology for interdependent critical infrastructures. Int. J. Risk Assess. Manage. 15(2–3), 128–148 (2011). Accessed 20 Apr 2018
  32. 32.
    Tokgoz, B.E., Gheorghe, A.V.: Resilience quantification and its application to a residential building subject to hurricane winds. Int. J. Disaster Risk Sci. 4(3), 105–114 (2013).
  33. 33.
    Trivedi, K.S., Kim, D.S., Ghosh, R.: Resilience in computer systems and networks. In: Proceedings of the 2009 International Conference on Computer-Aided Design. ACM Press (2009).
  34. 34.
  35. 35.
    UCTE: Final report of the investigation committee on the 28 September 2003 blackout in Italy, April 2004Google Scholar
  36. 36.
    Yazar, Z.: A qualitative risk analysis and management tool-CRAMM (2003)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Center for Digital Safety & SecurityAustrian Institute of Technology GmbHViennaAustria
  2. 2.Faculty of Computer ScienceUniversity of ViennaViennaAustria
  3. 3.Institute of Applied Informatics, System Security GroupUniversität KlagenfurtKlagenfurtAustria

Personalised recommendations