A risk management approach for highly interconnected networks

Abstract

Critical infrastructures together with their utility networks play a crucial role in the societal and individual day-to-day life. Thus, the estimation of potential threats and security issues as well as a proper assessment of the respective risks is a core duty of utility providers. Despite the fact that utility providers operate several networks (e.g., communication, control, and utility networks), most of today’s risk management tools only focus on one of these networks. In this chpater, we will give an overview of a novel risk management process specifically designed for estimating threats and assessing risks in highly interconnected networks. Based on the internationally accepted standard for risk management, ISO 31000, our risk management process integrates various methodologies and tools supporting the different steps of the process from risk identification up to risk treatment. At the heart of this process, a novel game-theoretic approach for risk minimization and risk treatment is applied. This approach is specifically designed to take the information coming from the various tools into account and model the complex interplay between the heterogeneous networks, systems, and operators within a utility provider. It operates on qualitative and semiquantitative information as well as empirical data and uses distribution-valued payoffs to account for the unpredictable effects occurring in this highly uncertain environment.