A Process for the Identification of Security Risks from Critical Infrastructure Interdependencies

Traditional security risk assessment takes a broad asset-based view of organizations. The risk identification process therefore focuses on well-known threats and vulnerabilities to static and discrete assets that fall within the scope of organizational boundaries under investigation. It does not offer a methodology or framework that systematically deals with risks that arise from the complex interdependencies between the critical infrastructures. To support this proposition, this paper conducts a systematic analysis of the security risks resulting from logical, cyber, geographical and physical interdependencies between telecommunications and power infrastructures. The analysis demonstrates that certain security risks arising from interdependencies cannot be identified using the traditional risk identification approach. A process model is then proposed to extend existing risk methodologies to include a systematic identification of the security risks that arise from the interdependencies of infrastructures.