Risk Management with Multi-categorical Risk Assessment

Sandra König and Stefan Schauer, AIT Austrian Institute of Technology, sandra.koenig@ait.ac.at, stefan.schauer@ait.ac.at

Mona Soroudi, Ili Ko, Meisam Gordan, Paraic Carroll and Daniel McCrum, University College Dublin, mona.soroudi@ucd.ie, ili.ko@ucd.ie, meisam.gordan@ucd.ie, paraic.caroll@ucd.ie, daniel.mccrum@ucd.ie

Abstract

Risk assessment and risk management often have to deal with uncertainty, especially in the context of critical infrastructure networks with manifold interdependencies and cascading effects. This uncertainty stems not only from the unpredictability of incidents, e.g., due to zero-day exploits or stealthy attacks such as Advanced Persistent Threats; the consequences of an incident are also challenging to predict. The traditional one-dimensional risk assessment is therefore not always sufficient and should be extended, e.g., to multiple impact categories (such as effects on humans, economic impact, etc.). Uncertainty should be explicitly considered during the entire risk management process. This paper illustrates how to adapt the classical risk management process to such generalized risk assessments, i.e., how to deal with risks that are assessed in multiple categories, within the context of a Serious Game approach to critical infrastructure protection.

Introduction

Risk management often needs to deal with complex risks that can hardly be measured with a single number. The classical approach of understanding risk as the product of likelihood and (one-dimensional) impact seems to be insufficient in situations where risks have indirect consequences. This is particularly the case in the context of critical infrastructures (CIs), which are highly interconnected and influence one another. Here, one of the main challenges lies in understanding the risk, including identification of potential cascading effects. Another core issue is understanding the manifold impacts an incident has.
Due to the vital role CIs play in society, the consequences of an incident cannot be measured in financial loss only but may also affect people’s health (mental and/or physical) or even influence the environment, for example in terms of resilience.

In the context of an Austrian project focusing on critical infrastructure protection (Odysseus), we proposed to use multiple risk categories to increase the quality of risk assessment and subsequently the risk management. In many discussions, experts confirmed the need for such an extension and showed interest in the proposed approach. However, they also asked how this generalization should actually be put into practice, i.e., how to integrate it into a classical risk management process. This paper answers this question by describing the generalized framework step by step and illustrating it with an example from the H2020 funded PRECINCT project (www.precinct.info).

This paper is organized as follows. Section 2 describes a risk assessment that considers multiple categories. Section 3 shows how to incorporate this generalized assessment in the classical risk management process and how serious games may support the assessment. Section 4 illustrates the idea with an approach from the PRECINCT project and Section 5 provides concluding remarks.

Multi-categorical risk assessment

Incidents that affect one or more CIs have far-reaching consequences and impact society in many ways. It is therefore hardly adequate to measure the impact in a single (one-dimensional) quantity. Rather, we recommend considering multiple impact categories and measuring the impact in each of these to get a richer picture of the consequences of an incident.

Multi-categorical impact

Existing guidelines in the context of critical infrastructure protection [BMI] and discussion with experts showed that 5 categories capture the most relevant effects [1]:

- Humans affected
- Property damage
- Economic damage
- Environmental damage
- Political-social effects

A multi-dimensional impact assessment now estimates the impact of the considered incident in each category. This estimate should use the same scale to assure comparability. Qualitative estimates are recommended [2], e.g., ranging from 1 (minimal impact) to 5 (massive impact). The interpretation of these categories is CI-specific, see Table 1.

Table 1. Qualitative impact scale with different interpretations (cf. [1]).

| Score | Interpretation | General description | City traffic | Hospital |
|---|---|---|---|---|
| 1 | Minimal | Insignificant impact | Normal operation | Normal operation |
| 2 | Minor | Reversible impact | Minor congestion | Special treatment may not be possible |
| 3 | Moderate | Slight effects | Delays possible in some areas | Treatment assured, but maybe delayed |
| 4 | Major | Irreversible effects | Some roads blocked, significant delays | Reduced resources, less urgent treatment postponed |
| 5 | Massive | Extensive irreversible effects | Impossible to transfer inner city | Intensive care limited or unavailable |

This multi-categorical impact assessment is then a vector of assessments, denoted by , where is the impact in category . It is best illustrated through a histogram.

Multi-categorical risk

As often in risk management, a risk level is determined based on likelihood and impact. Even though it is possible to also have multi-dimensional likelihood assessments [1], we recommend using a one-dimensional qualitative measure. For example, the likelihood of occurrence can be measured on a 5-tier scale ranging from 1 (very unlikely) to 5 (very likely) with intermediate values representing unlikely, possible, and likely events.
An established way to do this is to work with a risk matrix that assigns a risk value to each combination of likelihood (column) and impact (row) category, usually represented through colours ranging from green (lowest risk) to red (highest risk). An example of a risk matrix is shown below in Figure 1 (taken from [1]).

Figure 1. Risk matrix

Experts should choose their own risk matrix corresponding to their understanding of their specific risks. The colour of the cell is mapped to a risk score, e.g., ranging from 1 (green cell) to 4 (red cell). Applying this to all impact categories yields a vector of risk scores that can again be illustrated through a histogram.

Risk management under uncertainty

Risk management has to deal with uncertainty in many regards. Consequences of a threat are uncertain due to cascading effects, but also due to external influencing factors (e.g., extreme weather, changes in legal restrictions, etc.). Further, new threats may occur (e.g., zero-day attacks) or multiple incidents may happen at the same time and influence one another (either by chance or intentionally as in the case of an APT). This intrinsic uncertainty should be explicitly considered during risk management.

Adapted risk management process

An adapted risk management process that can capture uncertainty to some degree has been developed in the course of the HyRiM project (‘Hybrid Risk Management for Utility Networks’) [3] and is therefore called the HyRiM-RM process [4].
It is based on the ISO 31000 risk management process [5] and consists of the following steps:

1. Establishing the context: information on relevant internal and external factors is collected, and relevant components and dependencies are understood
2. Risk Identification: relevant threats and vulnerabilities are identified
3. Risk Analysis: the identified risks are analysed to better understand the consequences (and ideally also likelihood of occurrence)
4. Risk Evaluation: based on the analysis, risks are compared, and priority is assigned according to criteria defined in the first step
5. Risk Treatment: identification of an optimal set of controls such that the chance for the worst-case damage is minimized, based on a game-theoretic model

A case study following these steps has been conducted in the course of the HyRiM project to investigate advanced persistent threats on a water utility network [6]. Uncertainty is captured through:

- a probabilistic or multidimensional risk analysis, i.e., the consequences are described either through a (discrete) probability distribution over all possible consequences or through multiple consequences (as in the case of multiple impact categories, see Section 2.1)
- a generalized risk evaluation: two risks are compared based on the probability of the worst-case damage (the one with lower probability for maximal damage is preferred) or with a lexicographic ordering where the most important category has most influence
- a game-theoretic risk treatment: different strategies to reduce the risk are compared and a recommendation of which to choose is returned

The game-theoretic model used in the risk treatment considers an attacker who tries to cause as much harm as possible, i.e., the operator of the CI and this (abstract) attacker play a zero-sum game. The identified optimal choice of controls is such that the players have no incentives to deviate.
If the considered risk is not due to an intentional attacker but rather due to a natural disaster, the chosen framework provides an upper bound to the expected damage because the attacker deviates from his optimal strategy (that causes most harm due to the zero-sum assumption). The approach can therefore be considered as conservative but can also be used in situations where we do not have any knowledge about the attacker. A crucial difference to traditional game-theoretic models is that the games considered here, sometimes called security games, are able to handle vector-valued payoffs, e.g., payoffs that represent discrete probability distributions [7].

Insights from serious games

Infrastructure systems are known as the foundation of cities nowadays. They are considered as complex socio-technical systems that assist in transporting, supplying and distributing people, services and materials to individuals, businesses, and organizations. If infrastructure failure has the potential to cause dramatic consequences in terms of a disruption of vital services, the term Critical Infrastructure (CI) is often used [8]. CIs symbolize system-of-systems, which are large-scale concurrent and distributed systems whose components are complex systems themselves [9]. In other words, the components of CIs are networked, where the connectivity as well as the topology of these networks have enormous impact on their functionalities [10]. Therefore, the protection of CIs is considered as the main concern for decision makers and urban planners around the world.

In order to resolve this challenging issue, Serious Games are a promising approach that has been receiving much attention in recent decades [11]. Serious Games are a simplified version of reality that enable players to experience decision-making and evaluate the results.
Serious Games are primarily used for training purposes as a form of experiential learning that employs simulation techniques as a cost-effective alternative to often high-risk and costly real-life activities. In Serious Games, players interact to gain understanding of how complex social–technological systems are and learn from their decision-making experience [12]. Moreover, the interaction of players who play certain stakeholder roles may lead to a better understanding of the system, including the real-world consequences of the players' decisions [13]. Serious Games are capable of combining game technology with science in real-world applications, with the explicit aim of a serious game being, for instance, the analysis of human behaviour/decisions, a training effect in the players' skills, or the development of a better understanding and increased awareness of challenging problems and interdependencies in complex systems such as CIs [14]. Game theory provides a framework to model the confrontations in CIs between the strategic attackers and defenders [15]. Ultimately, Serious Games create targeted learning objectives and encourage the player to make strategic decisions, define priorities and solve a given problem interactively.

Within this paper, a multiplayer turn-based attacker-defender game dynamic is presented. The Serious Game concept is presented in Figure 2. This game dynamic will achieve the goal of the Serious Game to provide an environment whereby CI operators and cybersecurity specialists can engage their area-specific skills and knowledge to ultimately discover the unknown threats that exist in cyber-physical infrastructure, to aid vulnerability assessments. Examples of the summary statistics collected from attacking gamers’ actions include: percentages of budget spent on bribery, explosives, gun/knife attacks, hacking, etc., and percentages of budget spent by the emergency response sector.
In the scenario of a cyber-attack (e.g., distributed denial-of-service (DDoS)), a Game Director will be assigned a role to specify the attackers’ budgets and other attack and controlling parameters; the scenarios that will emerge will come from the attackers and the defenders’ responses to them. For natural disaster scenarios (which could be caused by an attack), in contrast, the Game Director will define the natural event parameters and monitor the interaction with the attackers and defenders.

Figure 2. Serious Game design concept

While the game-theoretic framework assures optimal selection of countermeasures to protect a system against a threat, assumptions about players' preferences and behaviours may be incorrect. A good way to validate or improve the chosen model is to collect data on how people react in the considered scenario by evaluating their decision-making. A data mining algorithm will be deployed on the server of the Serious Game, tracking defined interactions of the user and the system (see Figure 3). These trends will highlight potentially unidentified interdependencies, vulnerabilities and cascading effects as well as measures taken by the players to mitigate them and facilitate the updating of conditional probabilities. Vulnerabilities to previously unanticipated combinations of threats or cascading effects will be identified through the novel Serious Games approach. The ingenuity of the game players (CI operators, emergency responders, etc.) will be exploited by data mining (involving machine learning techniques) the Serious Games’ gameplay records to pre-empt the potential for successful attacks and inform defence strategies.

The Serious Game environment will provide a powerful experiential learning and training tool for staff involved in the defence of CIs. The game simulation will set out desired learning objectives by prompting the player to make various decisions in response to cyber-physical threat scenarios.
The backend simulation of the game will then model the consequential effects of the cyber and physical attacks on the performance of transport/energy/communications networks. Records from playing the Serious Game will contain valuable data on how people behave and which actions they take. Comparing this with the hypothetical behaviour of players will allow the refinement of the game-theoretic model and therefore adjust the optimal choices, where necessary.

Illustrative example

One of the threats considered in the ongoing PRECINCT project [reference] is a flash flood due to heavy rainfall affecting a city of approx. 500,000 inhabitants. Historical data and discussions with experts showed that such an event first and foremost affects city traffic. Strong limitations of city traffic affect other CIs; in particular, it is difficult for emergency services to reach the city centre to help people or to take people to the hospital. In case of strong and long-lasting disruptions, electricity and gas supply may be affected, which in turn affects other CIs, e.g., the sewer system or a hospital. The consequences depend on many external factors that are unknown or cannot be controlled, e.g., the traffic situation in the city or availability of emergency staff and equipment. The adapted risk management process from Section 3.1 is applied step by step.

Establishing the context

Relevant components and dependencies are identified in discussion with experts. This can be represented in a diagram as shown in Figure 3.

Figure 3. Dependency graph for flooding scenario

Risk Identification

Information on the relevant threats is collected (e.g., from historical data) and vulnerabilities are identified. Vulnerabilities can be technical (e.g., supported by tools such as OpenVAS or Nessus) or organisational (e.g., lack of awareness of social engineering attacks that may be reduced through trainings).
In the considered example the focus is on the flooding threat as such events have been observed with increased frequency in recent years.

Risk Analysis

The identified risks are analysed to get a better understanding. For the considered flooding scenario, the likelihood of occurrence may be estimated from recent data (due to ongoing climate changes it is recommended to refrain from using old data as it may be biased). We assume that a flooding is possible, i.e., the level is 3. The impact is estimated based on experience where the assessments in different categories can come from different experts. For the flooding example we expect minimal damage for humans, environment, and minimal political-social effects, minor damage for the environment and moderate economic damage, so the impact assessment is as shown in Figure 4.

Figure 4. Illustrative multi-categorical impact assessment for CI transportation in case of a flooding

Assuming a likelihood of occurrence of 3 (i.e., assuming that a flood is possible) and a risk matrix as shown in Section 2.2 yields risk levels as shown in Figure 5.

Figure 5. Multi-categorical risk assessment for CI transportation in case of a flooding

Risk Evaluation

In this general framework, risks are compared through lexicographic ordering. For this purpose, the different categories may be rearranged such that the assessments of the most important category are compared first. For example, if A (humans) is the most important category, then a risk with assessment is ‘better’ than since the level in category A (first entry) is smaller.

Risk Treatment

Finally, the question is how to deal with the analysed risks. The answer can be found in two steps. First, a set of possible counteractions is identified. Such a set contains options to protect critical points or reduce the impact.
For the flooding example, this could include improved protection of strongly affected points (e.g., narrow roads or tunnels) or building of an additional protection wall. Second, the question is which of these should be chosen to provide maximal protection with limited resources. Even for a small set of counteractions it is recommended to approach this problem systematically, e.g., by applying game theory. To do so, the payoffs for each combination of threat and counteraction need to be estimated; in our setting, this results in a histogram of expected damage for each scenario. The best combination of counteractions can then be identified through an optimization algorithm [16]. The implemented algorithm prefers situations where the worst-case damage (i.e., the risk level of the most relevant category) is lower. Optimization of multiple quantities is possible (e.g., minimize damage and maximize availability), but in this case it is necessary to measure all quantities on the same scale.

Conclusions

In situations where risk assessment and risk management face uncertainty, as in the case of networks of CIs, it is recommended to use multi-dimensional risk assessments. This general form can be incorporated in a classical risk management process and can be supported from both game theory and serious games. However, there are also several challenges, including the individual risk assessments and the identification of countermeasures. These issues will be discussed in more detail in the course of the PRECINCT project.

Acknowledgements

The PRECINCT project has received funding from the European Union’s HORIZON 2020 research and innovation program under Grant Agreement No 101021668.

References

1. König S, Schauer S, Rass S. Multi-categorical Risk Assessment for Urban Critical Infrastructures. In: Percia David D, Mermoud A, Maillart T, editors. Critical Information Infrastructures Security [Internet]. Cham: Springer International Publishing; 2021 [cited 2022 Apr 7]. p. 152–67. (Lecture Notes in Computer Science; vol. 13139). Available from: https://link.springer.com/10.1007/978-3-030-93200-8_9
2. BSI. IT-Grundschutz-catalogues 13th version 2013 [Internet]. Bonn, Germany: Bundesamt für Sicherheit in der Informationstechnik - Federal Office for Information Security; 2013. Available from: https://www.bsi.bund.de/EN/Topics/ITGrundschutz/ITGrundschutzCatalogues/itgrundschutzcatalogues_node.html
3. HyRiM Consortium. Hybrid Risk Management for Utility Providers [Internet]. 2015. Available from: https://hyrim.net/
4. Schauer S. A Risk Management Approach for Highly Interconnected Networks. In: Rass S, Schauer S, editors. Game Theory for Security and Risk Management [Internet]. Cham: Springer International Publishing; 2018 [cited 2018 Sep 19]. p. 285–311. Available from: http://link.springer.com/10.1007/978-3-319-75268-6_12
5. ISO, editor. ISO 31000:2009 Risk management - Principles and guidelines. Geneva: ISO; 2009. (ISO).
6. Gouglidis A, König S, Green B, Rossegger K, Hutchison D. Protecting Water Utility Networks from Advanced Persistent Threats: A Case Study. In: Rass S, Schauer S, editors. Game Theory for Security and Risk Management: From Theory to Practice. Cham: Springer International Publishing; 2018. p. 313–33.
7. Rass S, König S, Schauer S. Uncertainty in Games: Using Probability Distributions as Payoffs. In: Khouzani M, Panaousis E, Theodorakopoulos G, editors. Decision and Game Theory for Security, 6th International Conference, GameSec 2015. Springer; 2015. p. 346–357. (LNCS 9406).
8. Chowdhury N, Gkioulos V. Cyber security training for critical infrastructure protection: A literature review. Computer Science Review. 2021 May;40:100361.
9. Bocchini P, Frangopol DM, Ummenhofer T, Zinke T. Resilience and Sustainability of Civil Infrastructure: Toward a Unified Approach. Journal of Infrastructure Systems. 2014;20(2):04014004.
10. Li Y, Qiao S, Deng Y, Wu J. Stackelberg game in critical infrastructures from a network science perspective. Physica A: Statistical Mechanics and its Applications. 2019 May;521:705–14.
11. Yamin MM, Katt B, Nowostawski M. Serious games as a tool to model attack and defense scenarios for cyber-security exercises. Computers & Security. 2021 Nov;110:102450.
12. van Riel W, Post J, Langeveld J, Herder P, Clemens F. A gaming approach to networked infrastructure management. Structure and Infrastructure Engineering. 2017 Jul 3;13(7):855–68.
13. Wehrle R, Wiens M, Schultmann F. Application of collaborative serious gaming for the elicitation of expert knowledge and towards creating Situation Awareness in the field of infrastructure resilience. International Journal of Disaster Risk Reduction. 2022 Jan;67:102665.
14. Lukosch HK, Bekebrede G, Kurapati S, Lukosch SG. A Scientific Foundation of Simulation Games for the Analysis and Design of Complex Systems. Simulation & Gaming. 2018 Jun;49(3):279–314.
15. Xu H, Windsor M, Muste M, Demir I. A web-based decision support system for collaborative mitigation of multiple water-related hazards using serious gaming. Journal of Environmental Management. 2020 Feb;255:109887.
16. Rass S, König S, Alshawish A. HyRiM: Multicriteria Risk Management using Zero-Sum Games with vector-valued payoffs that are probability distributions [Internet]. 2020. Available from: https://cran.r-project.org/package=HyRiM

List of abbreviations and definitions

CI: Critical Infrastructure
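
Added worked example (not part of the original paper and not code from the HyRiM package): the risk-matrix lookup of the multi-categorical risk section, the lexicographic risk evaluation, and a pure-strategy worst-case choice of counteraction that stands in for the mixed-strategy zero-sum game of the risk treatment step. The risk matrix, all impact scores, the second threat scenario and every function name are assumptions constructed for illustration; only the likelihood of 3 and the two counteractions come from the flooding example.

```python
from typing import Dict, Sequence, Tuple

CATEGORIES = ("humans", "property", "economic", "environment", "political_social")

# Constructed risk matrix (assumption; the paper's Figure 1 is not reproduced here).
# RISK_MATRIX[impact - 1][likelihood - 1] gives a score from 1 (green) to 4 (red).
RISK_MATRIX = (
    (1, 1, 1, 2, 2),  # impact 1, minimal
    (1, 1, 2, 2, 3),  # impact 2, minor
    (1, 2, 2, 3, 3),  # impact 3, moderate
    (2, 2, 3, 3, 4),  # impact 4, major
    (2, 3, 3, 4, 4),  # impact 5, massive
)

def risk_vector(likelihood: int, impact: Dict[str, int]) -> Dict[str, int]:
    """Look up the risk score of every impact category in the risk matrix."""
    if set(impact) != set(CATEGORIES):
        raise ValueError("impact must contain exactly the five categories")
    if any(not 1 <= v <= 5 for v in (likelihood, *impact.values())):
        raise ValueError("likelihood and impact use the 1..5 scale")
    return {c: RISK_MATRIX[impact[c] - 1][likelihood - 1] for c in CATEGORIES}

def lex_key(risk: Dict[str, int], priority: Sequence[str]) -> Tuple[int, ...]:
    """Rearrange a risk vector so the most important category comes first."""
    if sorted(priority) != sorted(CATEGORIES):
        raise ValueError("priority must be a permutation of the categories")
    return tuple(risk[c] for c in priority)

def preferred(risk_a, risk_b, priority) -> str:
    """Lexicographic comparison; the smaller vector is the better risk."""
    key_a, key_b = lex_key(risk_a, priority), lex_key(risk_b, priority)
    return "tie" if key_a == key_b else ("a" if key_a < key_b else "b")

def best_counteraction(risks, priority):
    """risks[counteraction][threat] is a risk vector. Take the lexicographically
    worst vector per counteraction and pick the one whose worst case is smallest
    (pure-strategy simplification of the zero-sum treatment step)."""
    worst = {a: max(lex_key(r, priority) for r in by_threat.values())
             for a, by_threat in risks.items()}
    choice = min(worst, key=lambda a: (worst[a], a))  # name breaks exact ties
    return choice, worst[choice]

def imp(*scores: int) -> Dict[str, int]:
    """Build an impact assessment from scores given in CATEGORIES order."""
    return dict(zip(CATEGORIES, scores))

# Constructed sample data: likelihood 3 ("possible") as in the flooding example;
# every impact score and the second threat scenario are invented for illustration.
LIKELIHOOD = {"flash_flood": 3, "long_lasting_flood": 2}
IMPACT = {
    "protect_narrow_roads_and_tunnels": {
        "flash_flood": imp(1, 2, 2, 1, 1), "long_lasting_flood": imp(4, 3, 4, 2, 2)},
    "additional_protection_wall": {
        "flash_flood": imp(1, 1, 3, 2, 1), "long_lasting_flood": imp(1, 2, 3, 2, 1)},
}

def treatment_example(priority: Sequence[str] = CATEGORIES):
    """Residual risk per counteraction and threat, then the worst-case choice."""
    risks = {a: {t: risk_vector(LIKELIHOOD[t], i) for t, i in by_threat.items()}
             for a, by_threat in IMPACT.items()}
    return best_counteraction(risks, priority)

if __name__ == "__main__":
    a = risk_vector(3, imp(1, 2, 3, 1, 1))
    b = risk_vector(3, imp(4, 1, 1, 1, 1))
    print(a, b, preferred(a, b, CATEGORIES), treatment_example())
```

Changing the priority order can reverse the evaluation: with the constructed vectors above, the first risk is preferred when humans are compared first, and the second when economic damage is compared first.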