Of Critical Importance: Toward a quantitative probabilistic risk assessment framework for critical infrastructure
Corresponding Author:
Ivo Nas
Radboud University Netherlands
ijwnas@gmail.com
Author(s):
Ira Helsloot1 and Eric Cator2
1Radboud University, I.Helsloot@Crisislab.Nl, NLD
2Radboud University, E.Cator@Science.Ru.Nl, NLD
There is no scientific evidence that a qualitative approach to risk assessment, based on e.g. ordinal risk scoring and the risk matrix, actually works. On the contrary, there is significant evidence that it does not. Researchers have called this qualitative approach to risk assessment “worse than useless” (Cox & Popken, 2007, 440; Cox, 2008, 500) and urge that its use be avoided (Thomas, Bratvold & Bickel, 2013). Even so, it is still considered ‘best practice’ by many risk managers. In cybersecurity, for example, aspects of the qualitative approach, such as ordinal risk scoring, are promoted by just about every standards organization, consulting group, and security technology vendor (Hubbard & Seiersen, 2016, 84). It is being used to assess every kind of risk, up to and including risks on a national and global scale. This article deconstructs one particular example of the qualitative approach to risk assessment, the Dutch National Risk Assessment (DNRA) method for critical infrastructure, and suggests a quantitative alternative to it.
Decomposing the DNRA yields critical comments on its use of a subjective concept of risk, its dependency on subjective risk experts, its use of risk matrices, and the absence of decision rules. To address these criticisms and move towards a better form of national risk assessment, this article introduces five design principles that a methodologically justified risk assessment method for critical infrastructure should meet. It should use (1) an objectified concept of risk, (2) a scientifically sound risk calculation method, (3) fixed risk criteria, (4) cost-benefit analysis, and (5) democratic decision making.
Next, a proposal is made for an alternative risk assessment method that meets these conditions. This new quantitative method is probabilistic in nature. It uses a Bayesian approach, a standardized measure for negligible risk in the form of a yearly mortality probability of 10⁻⁶, and Disability Adjusted Life Years (DALYs) to quantify human life years for social cost-benefit analysis. Finally, the proposed quantitative method is demonstrated in a case study: a lengthy disruption of the Dutch power supply.
Cox, K. A., & Popken, D. A. (2007). Some Limitations of Aggregate Exposure Metrics. Risk Analysis, 27(2), 439-445. https://doi.org/10.1111/j.1539-6924.2007.00896.x
Cox, T., & Lowrie, K. (2013). From the Editors. Risk Analysis, 33(2), 945-947.
Thomas, P., Bratvold, R. B. & Bickel, J. E. (2013). The Risk of Using Risk Matrices. SPE Economics and Management, 6(2). https://doi.org/10.2118/166269-MS
How to ensure our future - prevention of low-chance or far-off catastrophes by states