**3. Impacts of critical infrastructure system failures on dependent subsystems and society**

Like any other complex system, a critical infrastructure system includes a multitude of elements with different levels of importance, categorized into several levels and interconnected by linkages of various types and intensity. Such a structural arrangement leads to a broad correlation between individual subsystems, which determines the manner and intensity of propagation of impacts from critical infrastructure system failures on dependent subsystems and society.

#### **3.1. Critical infrastructure system failures**

**2. Critical infrastructure system description**

76 System of System Failures

*as a result of the failure to maintain those functions*."

**Figure 1.** Hierarchic arrangement in a critical infrastructure system.

Infrastructure" and began to take actions aimed at its protection [3].

The issue of critical infrastructure protection began to be addressed in the United States in response to a terrorist bombing on a federal building in Oklahoma City in 1995 [2]. Over the following years, other countries also started tackling these problems, e.g., from 1998 in Canada and from 1999 in the United Kingdom, Germany, Sweden, and Switzerland. Following the September 11, 2001 attacks, the majority of European countries proceeded to define "Critical

The US Department of Homeland Security (DHS) currently defines a critical infrastructure as "*systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters*" [4]. A critical infrastructure at the European Union level is specified in a Council Directive [1], defining a critical infrastructure as "*an asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State* 

The hierarchic arrangement of a critical infrastructure system has three levels that constitute a vertical classification [3]: system level, sector level, and element level (see **Figure 1**). The system level is the basic classification of a critical infrastructure according to its functions. This level comprises two areas, namely the technical infrastructure and the socioeconomic infrastructure. The technical infrastructure includes sectors producing and providing specific

> The functioning of a critical infrastructure system is constantly being threatened by a wide range of security threats. These threats can be generally categorized into five basic groups [7]:

> • climatological threats (including natural disasters such as floods, tornadoes, heavy snowfall, or extensive fires);


**3.2. Impacts of critical infrastructure system failures**

economy, and basic human needs [3].

subsystems) in character [3].

**Figure 2.** Disruption to an element in a critical infrastructure system.

Critical infrastructure system failures subsequently produce negative impacts. These impacts can propagate further not only within the critical infrastructure system (between dependent subsystems), but also outside the system where they can specifically affect society, including

Failures in a Critical Infrastructure System http://dx.doi.org/10.5772/intechopen.70446 79

The intensity and propagation of the impacts from critical infrastructure system failures is affected by several external and internal factors of the system concerned. While the external factors include, in particular, resilience of society and the character, and the scope and duration of an emergency; the principal internal factors include the type and scope of the failure inside the system [6], subsystem linkages, and subsystem resilience. The nature of the impacts is characterized by the scope, structure, intensity, duration, and effect of the emergency (see **Figure 3**) [3]. In the event of a disruption to a critical infrastructure system, the impacts spread into two basic areas. The first instance involves impacts within the system where the failure of one critical infrastructure subsystem causes a failure of another subsystem in what is known as a cascading effect [6]. In the second instance, the impacts exert influence outside the system, specifically, on society, producing negative effects on national interests such as security, the

In both of the above-mentioned cases, the impacts may be classified as direct or indirect from a structural point of view. The immediate effect of a disrupted subsystem on another subsystem or directly on society is considered to be a direct or primary action. In contrast, indirect effects of impacts occur vicariously through any critical infrastructure subsystem, regardless of whether or not they affect another subsystem or society as a result. Indirect effects of impacts may be secondary (through one subsystem) or multi-structural (through several

national interests such as state security, the economy, and basic human needs [1].

• criminal threats (e.g., terrorism, criminal activity, armed conflicts).

The effects produced by these threats on a critical infrastructure system or its subsystems can cause adverse events, which can in turn lead to disruptions or in extreme cases, failures of different subsystems. This involves, in particular, disruptions to functional parameters causing a decline in the performance of specific elements (see **Figure 2**) where the decline is directly proportional to the intensity of the emergency and the degree of resilience of the respective critical infrastructure element.

Depending on the category of threats, three types of emergencies, that subsequently generate individual failures, can occur in a critical infrastructure system. These include intentional anthropogenic events (i.e., terrorism and criminal activity), unintentional anthropogenic events (i.e., technological emergencies), and natural events (i.e., climatological, geological, and biological threats). Once generated, the failures can propagate further within a critical infrastructure system and produce negative impacts of different character, intensity, and effect. Rinaldi et al. [6] were the first to define the basic types of failure propagation in a critical infrastructure system:


Over the following years, numerous scholarly papers and studies attempting to elaborate on and tackle the issue of failure propagation within a critical infrastructure system from different viewpoints were published based on the work of Rinaldi et al. [6]. These include Visualization of Critical Infrastructure Failure [8], Cascading Effects of Common-Cause Failures in Critical Infrastructures [9], Analyzing Critical Infrastructure Failure with a Resilience Inoperability Input–Output Model [10], or Time-based critical infrastructure dependency analysis for large-scale and cross-sectoral failures [11] to name a few.

#### **3.2. Impacts of critical infrastructure system failures**

• geological threats (e.g., earthquakes, volcanic activity, landslides);

• criminal threats (e.g., terrorism, criminal activity, armed conflicts).

• technological threats (including technological emergencies such as radiation emergencies, hazardous chemical spills, flooding caused by damage to hydraulic structures, widespread disruptions to engineering networks, public water supply emergencies or major road, rail,

The effects produced by these threats on a critical infrastructure system or its subsystems can cause adverse events, which can in turn lead to disruptions or in extreme cases, failures of different subsystems. This involves, in particular, disruptions to functional parameters causing a decline in the performance of specific elements (see **Figure 2**) where the decline is directly proportional to the intensity of the emergency and the degree of resilience of the respective

Depending on the category of threats, three types of emergencies, that subsequently generate individual failures, can occur in a critical infrastructure system. These include intentional anthropogenic events (i.e., terrorism and criminal activity), unintentional anthropogenic events (i.e., technological emergencies), and natural events (i.e., climatological, geological, and biological threats). Once generated, the failures can propagate further within a critical infrastructure system and produce negative impacts of different character, intensity, and effect. Rinaldi et al. [6] were the first to define the basic types of failure propagation in a criti-

• A cascading failure occurs when a disruption in one infrastructure causes the failure of element in a second infrastructure, which subsequently causes a disruption in the second infrastructure (e.g., electric power failure could create disruption in other infrastructures).

• An escalating failure occurs when an existing disruption in one infrastructure exacerbates an independent disruption of a second infrastructure, generally in the form of increasing the severity or the time for recovery of the second failure (e.g., disruption in ICT network

• A common cause occurs when two or more infrastructure networks are disrupted at the same time: elements within each network fail because of some common cause (e.g., action

Over the following years, numerous scholarly papers and studies attempting to elaborate on and tackle the issue of failure propagation within a critical infrastructure system from different viewpoints were published based on the work of Rinaldi et al. [6]. These include Visualization of Critical Infrastructure Failure [8], Cascading Effects of Common-Cause Failures in Critical Infrastructures [9], Analyzing Critical Infrastructure Failure with a Resilience Inoperability Input–Output Model [10], or Time-based critical infrastructure dependency analysis for

may escalate to disruption in a road transport network).

of natural disaster to all local infrastructures).

large-scale and cross-sectoral failures [11] to name a few.

• biological threats (e.g., pandemics);

78 System of System Failures

or air traffic accidents); and

critical infrastructure element.

cal infrastructure system:

Critical infrastructure system failures subsequently produce negative impacts. These impacts can propagate further not only within the critical infrastructure system (between dependent subsystems), but also outside the system where they can specifically affect society, including national interests such as state security, the economy, and basic human needs [1].

The intensity and propagation of the impacts from critical infrastructure system failures is affected by several external and internal factors of the system concerned. While the external factors include, in particular, resilience of society and the character, and the scope and duration of an emergency; the principal internal factors include the type and scope of the failure inside the system [6], subsystem linkages, and subsystem resilience. The nature of the impacts is characterized by the scope, structure, intensity, duration, and effect of the emergency (see **Figure 3**) [3].

In the event of a disruption to a critical infrastructure system, the impacts spread into two basic areas. The first instance involves impacts within the system where the failure of one critical infrastructure subsystem causes a failure of another subsystem in what is known as a cascading effect [6]. In the second instance, the impacts exert influence outside the system, specifically, on society, producing negative effects on national interests such as security, the economy, and basic human needs [3].

In both of the above-mentioned cases, the impacts may be classified as direct or indirect from a structural point of view. The immediate effect of a disrupted subsystem on another subsystem or directly on society is considered to be a direct or primary action. In contrast, indirect effects of impacts occur vicariously through any critical infrastructure subsystem, regardless of whether or not they affect another subsystem or society as a result. Indirect effects of impacts may be secondary (through one subsystem) or multi-structural (through several subsystems) in character [3].

**Figure 2.** Disruption to an element in a critical infrastructure system.

**3.3. Propagation of impacts in a critical infrastructure system**

passengers and freeway network operators).

**Figure 4.** Ways of impact propagation in a critical infrastructure system.

The above-mentioned aspects, shaping the character of impacts, also significantly contribute to the propagation of these impacts in a critical infrastructure system. At the core of their propagation lie critical infrastructure system failures caused by the negative effects of security risks (i.e., causes of disruptions or failures of a critical infrastructure), which can be either external or internal in nature. Such impacts can then exert a direct influence on society (i.e., direct impacts), spread further across the critical infrastructure, and cause other failures, which lead to additional impacts (i.e., cascading impacts) or they can, due to a cascading effect, act jointly on a single target (i.e., synergistic impacts). See **Figure 4** for a graphical representation of all the potential ways in which impacts can propagate within a critical infrastructure system.

Failures in a Critical Infrastructure System http://dx.doi.org/10.5772/intechopen.70446 81

Direct impacts are impacts caused by the disruption or failure of a critical infrastructure subsystem, which act directly on society. The effects of a security threat (e.g., a terror attack) to a component of a critical road infrastructure of international importance (e.g., a major freeway bridge) can be used as an example. These negative effects result in the disruption to the functional parameters of the freeway, which has a direct impact on society (in this instance on

Cascading impacts are impacts caused by the disruption or failure of a critical infrastructure subsystem, which spread further across the critical infrastructure, resulting in failures in dependent subsystems that in turn lead to an escalation in other impacts. The effects of a security threat (e.g., a gale) to a component of a critical electric energy infrastructure of national importance (e.g., 110 kV distribution system) can be used as an example. These negative effects result in the disruption to functional parameters of the distribution system, which cascades into dependent subsystems (e.g., a railroad signaling system). The disruption to a distribution system then results in a cascading impact on society due to nonfunctioning railroad transport.

**Figure 3.** Aspects that create the character of impacts in a critical infrastructure system [3].

Other important factors determining the character of impacts are their intensity and duration. The impact intensity depends on the extent of a failure in a subsystem, that in turn affects another critical infrastructure subsystem, as well as on the level of their linkage. If the linkage is weak, the impact intensity is low and the subsequent impact on the affected subsystem is limited. However, if this linkage is strong, the impact intensity is high and the impact on the affected subsystem can be devastating or absolute. The impact duration, which may be short-term, medium-term, or long-term, represents an important variable with respect to the impact intensity. Ouyang et al. [12] present the typical time progression of a critical infrastructure disruption, dividing it into prevention, propagation, damage, assessment, and recovery periods [3].

Another key factor determining the character of impacts is the effect of their action. If the impacts of a disrupted subsystems act on another subsystem or society in one way only, the impact effect can be regarded as a single impact. However, if the impact effects are multi-way (e.g., through the combination of direct and indirect impacts) and occur concurrently in realtime, then the effects are considered to be synergistic [3].

#### **3.3. Propagation of impacts in a critical infrastructure system**

The above-mentioned aspects, shaping the character of impacts, also significantly contribute to the propagation of these impacts in a critical infrastructure system. At the core of their propagation lie critical infrastructure system failures caused by the negative effects of security risks (i.e., causes of disruptions or failures of a critical infrastructure), which can be either external or internal in nature. Such impacts can then exert a direct influence on society (i.e., direct impacts), spread further across the critical infrastructure, and cause other failures, which lead to additional impacts (i.e., cascading impacts) or they can, due to a cascading effect, act jointly on a single target (i.e., synergistic impacts). See **Figure 4** for a graphical representation of all the potential ways in which impacts can propagate within a critical infrastructure system.

Direct impacts are impacts caused by the disruption or failure of a critical infrastructure subsystem, which act directly on society. The effects of a security threat (e.g., a terror attack) to a component of a critical road infrastructure of international importance (e.g., a major freeway bridge) can be used as an example. These negative effects result in the disruption to the functional parameters of the freeway, which has a direct impact on society (in this instance on passengers and freeway network operators).

Cascading impacts are impacts caused by the disruption or failure of a critical infrastructure subsystem, which spread further across the critical infrastructure, resulting in failures in dependent subsystems that in turn lead to an escalation in other impacts. The effects of a security threat (e.g., a gale) to a component of a critical electric energy infrastructure of national importance (e.g., 110 kV distribution system) can be used as an example. These negative effects result in the disruption to functional parameters of the distribution system, which cascades into dependent subsystems (e.g., a railroad signaling system). The disruption to a distribution system then results in a cascading impact on society due to nonfunctioning railroad transport.

**Figure 4.** Ways of impact propagation in a critical infrastructure system.

Other important factors determining the character of impacts are their intensity and duration. The impact intensity depends on the extent of a failure in a subsystem, that in turn affects another critical infrastructure subsystem, as well as on the level of their linkage. If the linkage is weak, the impact intensity is low and the subsequent impact on the affected subsystem is limited. However, if this linkage is strong, the impact intensity is high and the impact on the affected subsystem can be devastating or absolute. The impact duration, which may be short-term, medium-term, or long-term, represents an important variable with respect to the impact intensity. Ouyang et al. [12] present the typical time progression of a critical infrastructure disruption, dividing it into prevention, propagation, damage, assessment, and recovery

**Figure 3.** Aspects that create the character of impacts in a critical infrastructure system [3].

Another key factor determining the character of impacts is the effect of their action. If the impacts of a disrupted subsystems act on another subsystem or society in one way only, the impact effect can be regarded as a single impact. However, if the impact effects are multi-way (e.g., through the combination of direct and indirect impacts) and occur concurrently in real-

time, then the effects are considered to be synergistic [3].

periods [3].

80 System of System Failures

Synergistic impacts are impacts caused by the disruption or failure of two or more critical infrastructure subsystems which occur concurrently, thereby exacerbating their impacts on society [3, 9]. The effects of a security threat (e.g., a technological accident) to element of a critical electric energy infrastructure of international importance (e.g., a nuclear power plant) can be used as an example. These negative effects result not only in direct impacts on society (i.e., large-scale power outages), but also in the impacts cascading to dependent subsystems (e.g., heat production and distribution), the disruption of which produces additional impacts on society. This situation brings about a synergistic effect, consisting of the added effect of joint impacts on society, and increasing their mere sum [3].

#### **3.4. Modeling of impacts of critical infrastructure system failures**

Modeling the anticipated propagation of impacts constitutes an important approach contributing to their minimization in a critical infrastructure system. However, it involves a complex process which should be based on mathematical modeling as well as on the integration of innovative approaches to analyze the critical infrastructure system. The basis for this process should include, in particular [13]:

> challenging. For this purpose, it is possible to use the results of the international RAIN project [15] undertaken as part of the EU's 7th Framework Programme. Based on recommendations arising from a European Union directive [1] and a regulation on the criteria for determining critical infrastructure elements adopted by the government of the Czech Republic [16], the following cross-cutting criteria were defined for a wider international debate within the RAIN

Failures in a Critical Infrastructure System http://dx.doi.org/10.5772/intechopen.70446 83

• health impacts—the number of victims with a threshold value of more than 25 fatalities or more than 250 individuals hospitalized for a period exceeding 24 hours per 1 million

• economic impacts with an economic loss threshold value of over 0.5% of gross domestic

• impacts on the public with a threshold value of more than 12,500 individuals per 1 million inhabitants within the region under review affected by extensive restrictions in the provi-

A provisional transformation of national criteria could form the basis for the setting of crosscutting criteria values at the regional level (note: however, this method of setting regional values is not ideal in terms of applying the bottom-up approach as it is more akin to the topdown approach due to the transformation of national criteria). The transformation involves the dynamic conversion of threshold values for national cross-cutting criteria to regional criteria. This ratio is mainly applied as a proportion of the population of a given state to the population of the region concerned, and of the threshold values of national cross-cutting criteria to those of regional cross-cutting criteria. In principal, static threshold values are converted to dynamic values not only due to the varying population sizes in different regions, but also due

sion of essential services or by other major disruptions to everyday life.

to the different levels of gross domestic product generated in these regions [17].

project [15]:

product; and

inhabitants within the region under review;

**Figure 5.** Development of the approach to a critical infrastructure research [14].


An early indication of impacts through the application of a bottom-up approach should be based on the determination of resilience disruption indicators in interconnected critical infrastructure subsystems. It is a holistic approach to assess the resilience of a critical infrastructure based on a comprehensive perception of specific political, economic, social, technological, legislative, and ecological environments. The essence of this approach is a systematic approach consisting of a cross-sectoral evaluation based on a research into the mutual linkages between individual critical infrastructure subsystems. It factors in the propagation of cascading impacts and synergistic effects in a critical infrastructure system. The referenced system solution should be applied using a progressive bottom-up approach, which is based on a critical infrastructure evaluation from the lowest level (city, region) upwards and has already been implemented in a number of developed countries (e.g., Switzerland and the Netherlands). This approach can be viewed as the logical continuation of the ongoing research into critical infrastructure security in terms of integrating the research results, via identifiers describing the critical infrastructure status, into a composite resilience indicator (see **Figure 5**) [13].

The application of the bottom-up approach is closely related to the need to harmonize and transform cross-cutting criteria at the regional level. Individual Member States of the European Union have already set the cross-cutting criteria values for national critical infrastructure elements. However, the vast majority of states have failed to disclose these values, making the follow-up research into the modeling of the impacts on society particularly

**Figure 5.** Development of the approach to a critical infrastructure research [14].

Synergistic impacts are impacts caused by the disruption or failure of two or more critical infrastructure subsystems which occur concurrently, thereby exacerbating their impacts on society [3, 9]. The effects of a security threat (e.g., a technological accident) to element of a critical electric energy infrastructure of international importance (e.g., a nuclear power plant) can be used as an example. These negative effects result not only in direct impacts on society (i.e., large-scale power outages), but also in the impacts cascading to dependent subsystems (e.g., heat production and distribution), the disruption of which produces additional impacts on society. This situation brings about a synergistic effect, consisting of the added effect of

Modeling the anticipated propagation of impacts constitutes an important approach contributing to their minimization in a critical infrastructure system. However, it involves a complex process which should be based on mathematical modeling as well as on the integration of innovative approaches to analyze the critical infrastructure system. The basis for this process

An early indication of impacts through the application of a bottom-up approach should be based on the determination of resilience disruption indicators in interconnected critical infrastructure subsystems. It is a holistic approach to assess the resilience of a critical infrastructure based on a comprehensive perception of specific political, economic, social, technological, legislative, and ecological environments. The essence of this approach is a systematic approach consisting of a cross-sectoral evaluation based on a research into the mutual linkages between individual critical infrastructure subsystems. It factors in the propagation of cascading impacts and synergistic effects in a critical infrastructure system. The referenced system solution should be applied using a progressive bottom-up approach, which is based on a critical infrastructure evaluation from the lowest level (city, region) upwards and has already been implemented in a number of developed countries (e.g., Switzerland and the Netherlands). This approach can be viewed as the logical continuation of the ongoing research into critical infrastructure security in terms of integrating the research results, via identifiers describing the critical infrastructure status, into a composite resilience indicator

The application of the bottom-up approach is closely related to the need to harmonize and transform cross-cutting criteria at the regional level. Individual Member States of the European Union have already set the cross-cutting criteria values for national critical infrastructure elements. However, the vast majority of states have failed to disclose these values, making the follow-up research into the modeling of the impacts on society particularly

• harmonization and transformation of cross-cutting criteria at the regional level;

• European critical infrastructure risk and safety/security management; and

• implementation of a preferential critical infrastructure risk assessment.

joint impacts on society, and increasing their mere sum [3].

• early indication of impacts using a bottom-up approach;

should include, in particular [13]:

82 System of System Failures

(see **Figure 5**) [13].

**3.4. Modeling of impacts of critical infrastructure system failures**

challenging. For this purpose, it is possible to use the results of the international RAIN project [15] undertaken as part of the EU's 7th Framework Programme. Based on recommendations arising from a European Union directive [1] and a regulation on the criteria for determining critical infrastructure elements adopted by the government of the Czech Republic [16], the following cross-cutting criteria were defined for a wider international debate within the RAIN project [15]:


A provisional transformation of national criteria could form the basis for the setting of crosscutting criteria values at the regional level (note: however, this method of setting regional values is not ideal in terms of applying the bottom-up approach as it is more akin to the topdown approach due to the transformation of national criteria). The transformation involves the dynamic conversion of threshold values for national cross-cutting criteria to regional criteria. This ratio is mainly applied as a proportion of the population of a given state to the population of the region concerned, and of the threshold values of national cross-cutting criteria to those of regional cross-cutting criteria. In principal, static threshold values are converted to dynamic values not only due to the varying population sizes in different regions, but also due to the different levels of gross domestic product generated in these regions [17].

European critical infrastructure risk and safety/security management comprises an important aspect of modeling the impacts of critical infrastructure failures. In adopting this approach, risks are recognized at an early stage, allowing for a timely indication of impacts on independent critical infrastructure subsystems. The following methodologies should be employed with a view to optimize the risk and safety/security management system and comply with the requirements for crisis preparedness plans applicable to critical infrastructures entities, as an equivalent to the Operator Security Plan:

the achieved results, the research into resilience gradually spread to other disciplines such as

Failures in a Critical Infrastructure System http://dx.doi.org/10.5772/intechopen.70446 85

In 2001, Holling shed light on understanding the complexity of economic, ecological, and social systems with the publication of a definition based on two fundamental components of each system, namely hierarchy and adaptive cycles [22]. Together they form panarchy according to Holling. Panarchy can be defined as a structure in which systems of nature and humans are interlinked in never-ending adaptive cycles of growth, accumulation, restructuring, and

The research into the resilience of socio-ecological systems also sparked an interest in research focused on resilience in society. The resilience of a society is dependent on its ability to respond to a stress factor and can be defined as "*The ability of a system, community or society exposed to hazards to resist, absorb, accommodate, adapt to, transform and recover from the effects of a hazard in a timely and efficient manner, including through the preservation and restoration of its essential basic* 

Resilience gradually began to be defined in general terms for any system, including engineering. Resilience was first described in connection with a critical infrastructure in a document entitled Critical Infrastructure Resilience Final Report and Recommendations [24], where it is defined as the ability to absorb, adapt to, and/or rapidly recover from a potentially disruptive event. By contrast, the critical infrastructure resilience strategy [25] defines critical infrastructure resilience as the ability to reduce the magnitude and/or duration of a disruptive event. These definitions clearly show what constitutes resilience, or rather what characteristics enhance the resilience of a system. For example, Chandra [26], based on his study of socio-ecological systems, includes the following attributes in engineering systems resilience:

As research into the resilience of critical infrastructures has since been pursued by numerous leading research workers and institutions, the definition of resilience has been repeated over and over again without any added value. However, the different approaches to determining their attributes/aspects/components/properties/characteristics/capacities/abilities/assets/ parameters may be worth mentioning. Below are some examples of the different approaches:

• Keeping the country running [28]—the ability to anticipate, absorb, adapt, and/or rapidly recover. For the system to function as a whole, it must incorporate four assets or elements:

• Carlson et al. [29]—the form of linkages between six aspects (anticipation, resistance, absorption, ability to respond, adaptability, and recovery), which according to the author define resilience, and four parameters (preparedness, mitigation, response, and recovery),

• Béné et al. [30]—three basic aspects: absorptive capacity (the ability to cope with the impacts of adverse changes and shocks), adaptive capacity (the ability of a system to adapt to changes), and transformative capacity (the ability to create a fundamentally new system).

which characterize the process of enhancing the resilience capacity of a system.

psychology, economy, and engineering.

*structures and functions through risk management"* [23].

redundancy, adaptability, flexibility, interoperability, and diversity.

• Ehlen et al. [27]—absorption, adaptation, and recovery.

resistance, reliability, redundancy, response, and recovery.

renewal.


Implementation of a preferential critical infrastructure risk assessment provides another important basis for the modeling of impacts produced by critical infrastructure failures [20]. This allows the assessor to introduce subjective conditions into an otherwise objective process of risk assessment, providing the assessor with an option to partially influence the assessment process by preferring certain factors over others. The significance of this phase of the assessment process lies in the fact that different entities perceive certain risks from different points of view, which creates a conducive environment for discussion of all stakeholders, ensuring the most appropriate safety/security actions are taken. Moreover, a preferential critical infrastructure risk assessment also provides an important basis for the modeling of impacts of critical infrastructure failures as its results determine vulnerabilities enabling the propagation of impacts throughout the critical infrastructure system [13].
