A System Dynamics Framework for Modeling Critical Infrastructure Resilience

i

ii

Chapter 1 SIMULATION OF CRITICAL INFRASTRUCTURES FAILURES: A THEORETICAL FRAMEWORK FOR MODELING NETWORK RESILIENCE

Simona Cavallini, Cristina d’Alessandro, Margherita Volpe, Stefano Armenia, Camillo Carlini, Alessandro Saullo, Elisabeth Brein and Pierluigi Assogna Abstract

In recent years, awareness about the crucial role played by Critical Infrastructures has spread among both public and private operators: traditional and emerging challenges threaten continuity of their services and, by consequence, the normal functioning of todays society. This paper aims at presenting the CRISADMIN project (CRitical Infrastructure Simulation of ADvanced Models on Interconnected Networks resilience) approach for modeling effects of critical infrastructures failures in case of unexpected events. For this purpose interdependencies among the Critical Infrastructures investigated. Energy, Transportation and Telecommunications have been modeled based on a System Dynamic approach. The final aim pursued through the CRISADMIN project is to provide decision makers with a prototype of a Decision Support System (DSS) useful to mitigate effects in emergencies situations tailored through case studies of floods and terrorist attacks occurred in Europe. The paper will also provide insight on project added value, such as the inclusion of social aspects for both the crisis management and the impact assessments in case of critical events.

Keywords: critical infrastructures, systems interdependencies, domino effect, catastrophic events, terrorist attacks, natural disasters, system dynamics

1.

Introduction

Critical Infrastructures (CIs) are broadly perceived as the backbone of todays society, vital assets which daily support our work, economy and, broadly speaking, human interactions. In the 2008/114/EC Directive [8],

2 the European Commission defines critical infrastructures as ”an asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions”. Critical events not only cause direct damages to CIs, but, due to their strategic role in the socio-economic context, produce dominos effects on the entire society. For this reason CIs represent a fundamental element for decision makers to be considered while defining first responses actions, as well as while setting societal policies and investments. Warren and Thulby [16] stated that, in order to rank these preventative measures, the economic costs and potential savings (reductions of casualties or economic losses) need to be evaluated. Thus, there is a growing need to understand costs for the entire society - beyond those of the initially impacted infrastructures - to fully comprehend the magnitude of the event and to make the appropriate allocation decisions. Up to day, many powerful simulation tools exist to understand how networks could be affected physically by major incidents, many of which help organizations to improve readiness to respond to such incidents. Nevertheless, part of the problem is less well understood and hardly grasped by these tools, namely the relationship between long-term, strategic choices and the ability of infrastructure networks to withstand disruptive events. Those choices concern investment in the assets themselves, especially in the network control systems and in the people managing the system. Whilst it is clear enough that spending less on assets, systems and people will degrade the system, it is not so obvious how much impact any particular choice will have over long periods of time, neither how choices on different issues will interact. Therefore, the issues that need to be better understood are: how long-term choices on strategic issues make the network more resilient; how these and other choices can minimize the service loss when disruptive events do occur; how strategic and operational choices can minimize the time for the network to recover, and thus the total cumulative loss of service. The CRISADMIN (CRitical Infrastructure Simulation of ADvanced Models on Interconnected Networks resilience) project aims at studying the effects produced by critical events in a context where the inter-

Cavallini, d’Alessandro, Volpe, Armenia, Carlini, Saullo, Brein & Assogna 3

dependencies among several CIs are modeled through the System Dynamics methodology, and later simulated in a synthetic environment. In the following paragraphs, the authors deal with the key features and main aspects concerned with the methodology approach of the CRISADMIN project. The intention is to release an operative insight of the activities, ratios and the expected outputs of the project, therefore providing a piece of contributions for researchers and professionals work in terms of methodological approach and crisis management investigation.

2.

Description of the CRISADMIN project approach

As previously mentioned, the CRISADMIN project is aimed at developing a tool to be used for the evaluation of the impacts of critical events on CIs. Such a tool will be designed as a Decision Support System (DSS), able to test and analyze the inter-dependencies among CIs, the modalities through which they get affected by predictable and unpredictable critical events (terrorist attacks, natural disasters, etc.), as well as to investigate impacts of possible countermeasures or prevention policies. To achieve this challenging objective, a three step approach had been structured. Taking the moves from the definition of a theoretical framework of reference, the project staff will design a System Dynamic (SD) based model of which will constitute the logical base for the development of the Decision Support System (DSS). In this framework, case studies will be used for testing and validating the model elaborated. These structured approach can thus be broken down according to the following activities: 1 Definition of a Theoretical model: the first step was the definition of the system characteristics in order to define investigation boundaries and key point of references; this sub-objective was achieved through the formulation of a Theoretical model that identifies those variables and parameters that best represent or approximate - the investigated frameworks; within this framework, special attention had been paid to the identification of social system variables, in other words those ”soft” parameters that are particularly difficult to quantify: through a careful analysis of the available literature, these variables were represented in a System Dynamics compatible way; 2 System Dynamics model development: taking the moves from the output of the previous activities, the simulation model is currently

4 under development; to achieve these task, first of all causal relations between the parameters defined in the theoretical model will be identified, constructing an appropriate number of causal maps; these maps will lay the foundation for the simulation model structure, which will be then validated with real case studies data; 3 Data collection and harvesting through case studies: in parallel with the first activity, and beyond it, quantitative data concerning CIs functioning have been collected; in addition data on socioeconomic framework were gathered according to their availability and reliability with reference to some critical events that happened in Europe over the last years; 4 Prototype design and development: by the end of the project, the model will be integrated in the DSS structure in order to produce an easily accessible and usable tool for decision makers. Each of the above mentioned steps of the CRISADMIN structured approach presents elements, which deserve dedicated attention: in the following paragraphs, each part of the structured approach will be described in depth.

3.

The theoretical model

The Theoretical model defines the main factors that should be considered in an emergency situation with the perspective of enhancing the preparedness and the response capability of all the involved actors, in order to mitigate and recover from the negative effects of a catastrophic event. Main factors are investigated in terms of mutual influences, both reinforcing or dampening the effects of the event in object. Special attention have been paid on involved actors considered as the people that are victims, spectators or eventually perpetrators of the event and as operators responsible to manage emergencies [6]. As in all complex environments, factors in emergency situations are strictly interconnected each others. The main objective of the theoretical model is to identify the main dependencies impacting on the evolution of the event. Features of the territory and of the socio-economic environment where the critical event occurs, timing of the event (including when it occurs and its duration), preparedness of the actors (both as population with experience in similar events and as trained first respondents) were included in this analysis. Within the CRISADMIN project, effects of a critical event are studied on three Critical Infrastructural Services namely Transportation (both private and public), Energy (in-

Cavallini, d’Alessandro, Volpe, Armenia, Carlini, Saullo, Brein & Assogna 5

cluding both electricity distribution and consumption of the end-users) and Telecommunications (both mobile and fixed). To this purpose, as already approached in similar studies, data domains have been used to group the outstanding parameters to be included in the model. In particular the following four data domains have been considered: Territory: this domain includes the set of variables and parameters describing the geographic features of the territory; territorial characteristics are particularly relevant for natural disasters, but they may also affect the efficiency of reaction in other critical situation (e.g. a high territorial diversity exerts a negative influence on promptness of emergency transports); for this data domain, main elements to be considered are concerned with the description of territory factors and of its geographical nature (like extension or locality) able to impact vital services or of social aspects. Environment: this domain refers to the set of variables and parameters related to the presence and the activities of human beings in the territory, such as energy related supply chain capacity, public transports endowment, population density, socio-economic pattern of the affected area, etc.; in particular for human-made critical events, parameters of the Environment together with those of the Apparatus are essential for the successful response to crises; Apparatus: this domain includes the set of variables and parameters related to the professionals and operators dedicated to the management of catastrophic events and to the recovery of the normal functioning after a disaster; typically, the Apparatus is composed by multiple agencies and organizations, each of which have a specific role in the management of both daily minor emergencies and unexpected critical events; in some countries civil protection takes over the coordination of the activities of all the different apparatus organizations that intervene to mitigate effects of a critical situation; Events: this domain refers to the set of variables and parameters defining ”normal life” conditions with different time frequencies: data here included describe the evolution of the normal situations overtime; while the geographical features (of the Territory domain) are independent from time, data related to the Environment and Apparatus depend on the normal life-cycles and are particularly tied to the hour of the day (e.g. work hours, commuting hours),

6

Figure 1.

Framework of the CRISADMIN theoretical model

the day of the week (e.g. workday, week end, bank holiday and special days), the month of the year (e.g., season festivities, summer break); these dependencies, which can be more or less substantial for the different variables, are mainly considered for modeling the evolution of the situation in the very first moments after the critical events. After this first parameters adjustment at t0 , the subsequent evolution is considered generally independent (apart other possible specific events) from hour, day and month because of the emergency effect. Figure 1 depicts the framework of the CRISADMIN theoretical model with the four Data Domains with examples of the kind of parameters and with the three critical infrastructures services whose effects are investigated in case of critical events.

4.

Identification of social system variables

As previously mentioned, the main objective of data domains is to represent with specific parameters, the stage where the critical event happens and where counter-measures should be taken as well as damages assessed. For this reason, social aspects, involved both in the preparedness and in the reaction to critical situations, are included in the Environment and Apparatus Data Domains. In particular, special attention should be focused on the actors that participate in the activities

Cavallini, d’Alessandro, Volpe, Armenia, Carlini, Saullo, Brein & Assogna 7

being modeled and on the ordinary events that represent the contexts normal life. Frequently, the discussion on the effectiveness of crisis management had tended to be focus on the ”material” side in other words on engineering and structural solutions: more effective IT and transportation networks, the safeguarding of power nets against overload, or increasing the number of first responders on the ground. Neglected in this discussion is often the view on the thoughts, attitudes, expectations, and behaviors of individuals and groups either affected by the crisis or involved in their management (in short the ’social side’ of crisis management). The disregard of the social and psychological aspects is problematic, as each infrastructure, despite its material nature, is always embedded in the social environment. As Orlikowski [12] argues, technology is always technology in practice, highlighting the fact that the same technology will be used in very different ways depending on the social context in which it is used: this fact is also true in crises. An important premise of the CRISADMIN project is therefore that, for an effective crisis management, it is of vital importance not only to understand how infrastructures and technologies work, but also to understand ”how relations and boundaries between humans and technologies are not given or fixed, but enacted in practice” [12] The realistic modeling of crises thus requires the inclusion of ”social variables”. Among the social variables to be considered, an important distinction should be done in the involved people: on the one side there are persons part of the system being in crisis and on the other side there are persons trying to manage the crisis (being in addition also part of the crisis). A critical event induces behavioral changes in both the two categories of people. To this purpose, literature review for the CRISADMIN project was focused on the human behavior in social systems in the response phase and, in detail, on the impacts on individuals affected by the crisis as well as individuals involved in its management taking also into account possible interactions including inter-organizational coordination in emergency response, leadership in crisis situations, approaches for communication and information spreading. In order to achieve these objectives, literature analysis was not limited to a specific type of critical event following the assumption that social system variables in crisis responses are generic in their nature, and thus applicable for disparate types of crises although to a different extent. For the purpose of literature review of the CRISADMIN project, papers related to crisis management from the theoretic and empirical point of view, papers related to psychological and organizational knowledge

8 based on empirical analysis and papers related to non crisis management psychological and organizational knowledge based on empirical research were considered. A total of 34 social system variables were identified as of interest. The literature review also yielded more general observations relevant to the weighing of social system variables in modeling critical events such as the following: For effective crisis management, material and social needs should be considered simultaneously. Adequate communication is essential immediately after a crisis occurrence. Communication flows are core part of strategies for a systematic crisis management. The necessity for a communication strategy has to be embraced by first responders to improve crisis management. For the success of inter-organizational cooperation, information sharing has key influence. A longitudinal perspective should be considered: experience from past critical situations affects current crisis response and reactions. In addition, cultural and societal settings (e.g., values, attitudes, demographics), that strongly influence the preparation for and the reactions to critical events both in victims and in first responders in a specific environment, have been taken into account.

5.

The System Dynamics methodology

The System Dynamics methodology, adopted for the CRISADMIN project, is a computer simulation modeling methodology usually applied to study and manage complex issues and problems through feedback systems. These feedback systems, such as the social ones, are defined as a collection of interacting elements working together for a certain purpose. Key element of this methodology is feedback, i.e. the concatenation of causal relations through which any component of the system can influence the behavior of other components, that can be either close or distant in terms of apparent connection [9]. Originally developed in the 1950s to help corporate managers improve their understanding of industrial processes, system dynamics is a method currently also used for understanding the dynamic behavior of

Cavallini, d’Alessandro, Volpe, Armenia, Carlini, Saullo, Brein & Assogna 9

complex systems [9]. The application of this methodology is based on the fact that the structure of any system relies on circular, interlocking, sometimes time-delayed relationships among its components. System dynamics aims at understanding system behavior modeling relationships among its individual components. Sterman [14] stated that the main properties of a system that can be successfully represented with the System Dynamics approach are: 1. Presence of quantities that vary over time; 2. Variability based on causally dependencies; 3. Feedback loops containing the main causal influences of a closed system. Additionally, he argued that SD, as a decision-making modeling approach, is easily used in contexts where standard analysis is made difficult by the wide range of available data, especially in those systems highly influenced by the so called soft variables that are not directly measurable (e.g. trust in first respondents, attitude of the public panic diffusion). In the last few years the SD approach has also been used to prevent and manage security/defense issues, as it does take into account randomness and interdependency, which characterize the behavior of real-life environments. This is made possible by including the ”soft” variables typical of the interrelated social systems. The idea behind the SD approach is that, if ”a system structure defines its behavior” [14] then by being accurate in analyzing and determining the interrelationships among various part of the system would then be possible accurately understanding of the dynamics of the system. Within the CRISADMIN project SD modeling is used to forecast the evolution of all the components of the model (territory features, timing of the critical event, environmental factors, types of actors involved, social behaviors) from the occurrence of a critical event till the realization of the consequent impacts. The holistic approach of SD requires, on the one side, that the entire context is considered and, on the other side, that factors that are perceived as weakly or not strictly related are not included, in order to avoid the risk to define a model difficult to manage or interpret. The identification of relevant influences within the system dynamics framework make it possible to understand connections among CIs and model impacts in case of critical events taking into account dynamics of an infrastructure as a function of the operations in the other ones. SD simulations have to represent the main mutual influences of the various parameters identified in the theoretical model, defining for each influence, if it is positive (reinforcing) or negative (dampening), and related value and timing. An example of the proposed influences is shown in Table 1.

10 Table 1.

Some proposed Influences among identified variables

Influencing Parameter

Influenced Parameter

Crest (Flood) Total inundation area Energy production damage Electricity Station damage

(+) Total inundation area (+) Number involved structures (-) Electricity Disruption (-) Electricity Disruption

Notes Calculated using an elevation map Ascertained by first responders Adjustment of normal rate on lost power Adjustment of normal rate on lost power

The overall model will use these interactions among influences and additional information to estimate total direct and indirect impacts deriving from critical events. Such approach, in turn, allows for comparing impacts to the socio-economic context represented as a dynamic system. Once consolidated, the proposed influences will be tested thanks to the selected case studies data gathered along with project development.

6.

The case studies for the testing and validation

As mentioned, in order to apply the CRISADMIN project approach and validate it, four critical events related to previous terrorist attacks and flooding, have been identified and analyzed as case studies. The following criteria drove the selection of the events: Likelihood of the threat: terrorist attack frequency has had an escalation from the events of 9/11, that make it worth to be considered as a real possibility [7]; floods are also becoming more frequents, thanks to extreme events generated by climate change; Historical frequency of the event: special attention for terrorist attacks was dedicated to both The United Kingdom and Spain that have suffered from ethnic terrorism for decades, respectively due to the IRA (Irish Republican Army, the Irelands separatist movement fighting for the creation of a unified Ireland) and the ETA (the Euskadi Ta Askatasuna, the Basques separatist movement); furthermore, Europe has an historical background of flooding case (e.g. the 2002 Glasgow flood in the United Kingdom, the 2001 Po river floods in Italy, the 2011 Genoa flood in Italy), that make it worth to enhance preparedness against this kind of events; Impact on CIs: both floods, through the power of water flows, and bombing events, destroying essential assets, impact directly and indirectly CIs affecting in particular transport, energy and telecommunications sectors.

Cavallini, d’Alessandro, Volpe, Armenia, Carlini, Saullo, Brein & Assogna 11

The selected events for applying and validating the CRISADMIN approach were: the bombing attacks of Madrid 2004; the bombing attacks of and London 2005; the flooding events of 2002 affecting CentralEastern Europe, Austria, Czech Republic and Germany; and the flooding events of 2007 in the United Kingdom. The following sections briefly describes the selected case studies, outlining emerged impacts and related essential elements.

6.1

Madrid Bombing Attack (2004)

On the morning of Thursday, 11 March 2004, ten explosions blast aboard four commuter trains in Madrid. All the affected trains were traveling on the same line and in the same direction between Alcal de Henares and the Atocha station. Thirteen improvised explosive devices were placed on the trains: only ten exploded, but two of the remaining three were detonated in controlled explosion by bomb-disposal experts of the Spanish Police (TEDAX Tcnico Especialista en Desactivacin de Artefactos Explosivos), one in Atocha and the other one in El Pozo stations. The thirteenth bomb was not found until later evening, having been stored inadvertently with luggage taken from one of the trains. In the next days, official investigations made by the Spanish Judiciary determined that the attacks were directed by Muslim al-Qaeda-inspired terrorist cell, although no direct al-Qaeda participation has been established. The terrorists boarded four commuter trains, with the capacity to hold 6,000 people in total, distributing 13 bomb bags throughout several carriages, each loaded with approximately 10 kilograms of dynamite and shrapnel, before disembarking. Set to explode at various commuting stations to achieve maximum damage, the bombs were activated by mobile phone alarm systems. The bombs were put into backpacks and hidden among the other passengers luggage. Besides the explosive mixture, some of the bags were filled with nails and shrapnel, causing very serious wounds to the commuters hit by the explosions. The terrorist attacks of 2004 killed 177 people instantly and approximately 1,858 wounded. There were 14 subsequent in-hospital deaths, bringing the ultimate death toll to 191. More than 550 staff of SAMUR Proteccin Civil and 100 vehicles were involved in the rescue and management activities: in 90 minutes SAMUR was able to mobilize more than 300 people, passing from an operative of 75 people up to 400, and to call back on the emergency almost 70 additional vehicles. Health care-related activities in the emergency areas were developed by SAMUR, and other institution [13]. Transport infrastructure was the sole directly affected by the events of March 2004 in particular on the four trains and related

12 stations hit by the explosions. The four trains were on the same track, heading towards Atocha Station, the main commuting point in Madrid, the El Pozo del To Raimundo Station, the Santa Eugenia Station and the Calle Tellez Station. Energy and telecommunication infrastructures were not directly targeted by the bombing attacks, although for instance telecommunications infrastructures experienced overloads due to general panic and crisis-related emerging needs.

6.2

London Bombing attack (2005)

On Thursday, July 7 of 2005, three different parts of the London subway system (Aldgate, Edgware Road and Russel Square) were attacked by suicide bombers, within few minutes around 8.50 A.M., and a bomb on a double-decker bus was detonated (Travistock Square), at 9.47 A.M. [10]. The attacks were carried out by four Islamic extremists and motivated by Britains involvement in the Iraq War. At about 8.50 A.M., three almost simultaneous explosions hit the tunnel between Liverpool Street and Aldgate stations, the line at Edgware Road and a Piccadilly Line tunnel between Kings Cross and Russell Square. For what concerned the Travistock Squares blast the location of the bomb inside the bus meant that the front of the vehicle remained mostly intact. Most of the passengers at the front of the top deck survived, as did those near the front of the lower deck, including the driver, but those at the top and lower rear of the bus suffered more serious injuries. Several passers-by were also injured by the explosion and surrounding buildings were damaged by debris. In order to ensure the maintenance of normal security and civil protection services in the city, the choice was to send on the attacked sites the least possible number of staff, leaving not essential personnel, equipment and materials at the headquarters, in stand-by configuration. Only Transport infrastructure was directly affected.

6.3

Central-Eastern Europe Flooding (2002)

During August 2002 severe flood affected parts of Austria, the Czech Republic and Germany. Heavy rainfall from storms that crossed central Europe during early August triggered sequential flood waves along two major river systems. The flood waves moved down the River Danube through Austria and down the Vltava, Labe-Elbe rivers in the Czech Republic and Germany. All the flooding event cover a period of about 14 days that goes from the 6th of August 2002 until the 20th of August 2002 including both precipitations and flash floods along the involved rivers of the Eastern/Central Europe.

Cavallini, d’Alessandro, Volpe, Armenia, Carlini, Saullo, Brein & Assogna 13

The events of summer 2002 were due to three major factors, namely particular meteorological conditions, over exploitation of rivers as sealing waterways and human intervention (housing constructions, land drainage and deforestation). First of all, the flood event was triggered by unusual meteorological conditions which bore to two periods of intense rainfall during the first half of August: two specific features of the August Cyclone led to an extraordinary amount of rain. Second, water temperature in the Adriatic and Mediterranean Seas are significantly warmer in August than in spring season. These factors caused substantial amounts of atmospheric moisture, fueling the extreme rains. The first period of rain on August 6 and 7 fell on south-western Czech Republic and north-eastern Austria, immediately north of a weak area of low pressure. Rainfall accumulations across this region were generally less than 125 mm over this two day period, but values of up to 255 mm were observed in some locations. The rainfall triggered flood waves in the upper portions of the Danube and Vltava catchments. One flood wave progressed down the Danube through Austria, Slovakia and Hungary, causing minor damages in the region. A more critical flood wave progressed down the Vltava through Prague and down the Elbe through north Bohemia and Germany. On reaching Germany, the flood water on the Elbe inundated the city of Dresden, causing inundation of residential and commercial properties and damaging many historical buildings in the city center. The increase in river height in Dresden was more gradual and of greater magnitude that the flood peak in Prague, even though Prague itself was hardly hit by the flash flood and inundated as well as in the historical and residential parts of the city centre. The greatest number of fatalities (58) was caused by floods, resulting from the first depression on the eastern coast of the Black Sea. In the Czech Republic, 17 people died, in Dresden there were 21 casualties and over 100 fatalities have been reported across Europe. In the large affected area minor and important failures to energy and transport infrastructures were registered.

6.4

United Kingdom Flooding (2007)

On summer 2007, during the months of June and July, the United Kingdom was stricken by a series of severe floods, due to heavy rain falls in an unseasonably wet weather pattern, occurring in various areas across the Country. The two severe flood events of June and July can be attributed to two major causes: the position of the Polar Front Jet Stream and high North Atlantic sea surface temperatures.

14 Heavy rainfalls are not unusual in the UK during the summer, but in 2007 the frequency and spatial extent was unprecedented. During this period, there were two exceptional rainfall events on June the 25th and July the 20th that caused widespread floods across England. The floods ranged from small, localized flash flood to widespread events affecting major river basins. First, the North-East of England was badly affected following severe rainfalls on June, which caused floods in cities and towns such as Sheffield, Doncaster, Rotherham, Louth and Kingston-uponHull. Some areas were hit again by further flood after more severe rains on July, which affected a much larger area of central England, including Oxford, Gloucester, Tewkesbury, Evesham and Abingdon [5]. The intense rainfall events caused the catchments saturation and swollen rivers over-topped their banks in several major river basins; disruption to power and water supplies during the July floods was caused by flood at the Castlemeads power sub-station near Gloucester and at the Mythe water treatment plant in Tewkesbury. During the flood events 13 people lost their lives and approximately 48,000 households were flooded: the scale and speed of the flood came as a shock, and even if people were aware that heavy rain was forecast, they did not expect it to affect them and certainly not so seriously. Most people had never experienced flood like this before and did not know how to react and what preventative steps to take or who to call for help. Some took steps to protect their properties, others people were forced to evacuate their homes, being transferred to rest centers or temporary accommodation. At the peak of flood, around 350,000 households across Gloucestershire were left without main water supply and 50,000 without power. Several other power sub-station were at risk during the peak of the July in Oxfordshire and Gloucester, but were narrowly saved.

7.

The CRISADMIN Prototype

The entire CRISADMIN Project is based on demonstrating, by means of a prototype, that a flexible Systems Dynamics modeling engine, embedded in a DSS utilized by first respondents and decision makers, can help in managing critical events. In ”real life” the specific knowledge of the past and current aspects of a given context are the basis for the selection of the modeling parameters, the definition of the influences, the tuning of the model following its use in the course of the events. The CRISADMIN prototypical DSS is designed by taking into account both the general user requirements, on the base of which the project objectives have been defined, and the experience gathered by the par-

Cavallini, d’Alessandro, Volpe, Armenia, Carlini, Saullo, Brein & Assogna 15

ticipation to projects dealing with the design of modeling methods and tools for monitoring and contrasting emergencies on the territory [3]. The structure of the CRISADMIN prototypical DSS is a three-tier architecture: a back-end layer where are stored variables and parameters of the four domains that are used by the DSS functions; a core, where the SD modeling engine operates based on the identified influences (first proposed and then validated though the four case studies) of the parameters; and a front-end where parameters are maintained, functions are activated, and results are shown. The simulation model will be made available as a prototype decision tool for institutions and organizations, both public - civil protection, fire brigades, etc. - and private - individual CIs - throughout EU Member States End-users. As crises management is mainly performed by inter-connected Operations Control Rooms (OCR), where the situation is continuously monitored, decision support tools are used, directives and orders are issued. The CRISADMIN prototypical DSS is aimed at being used by Analysts acting in an OCR, coordinating the activities in case of critical events. The tool will be used to support operative decisions benefiting from the continuous monitoring functionalities generally present is OCRs. Furthermore, this system will provide decision makers with a starting point, expandable and customizable according to their specific needs, on which they can test, evaluate and update already implemented processes and procedures for crisis management. In fact, the DSS environment, unlike the model, will be based on a series of fixed and non customizable scenarios and situations, chosen in a way as to encompass several different crisis situations; this DSS will be useful to the Decision Makers in order to understand the dynamics among the identified CIs. The prototype will constitute a relevant support for decision makers as it offers a point of reference for the selection among different policy alternatives in crisis management field.

8.

Conclusions

Decision makers need to understand the consequences of policy and investment options before they enact solutions, particularly due to the highly complex alternatives available for protecting the nations CIs in todays threat environment. An effective way to examine tradeoffs between the benefits of risk reduction and the costs of protective action is to utilize a decision support system that incorporates threat information and disruption consequences in quantitative analyzes through advanced modeling and simulation. System dynamics modeling, simulation, and

16 analysis can be used to conduct impact assessments and risk analysis based on realistic scenarios. The proposed System Dynamic approach can provide decision makers with a methodology useful to understand and evaluate some of the potential risks triggering CIs. The CRISADMIN approach can be easily applied in contexts where standard analysis is made difficult by the wide range of available data and/or relationships in place. In particular, it would be specifically helpful in those systems highly influenced by the soft variables connected to human behavior. The CRISADMIN project activities performed up today outlined the main parameters that can represent a context from the CI point of view, and have begun to determine the causal relations between such parameters. The systemic approach, which closely follows the System Dynamics Methodology prescriptions, has allowed for a simple yet very effective representation of such context, with the identification of those parameters that, in a ”domino effect”, influence the behavior of the whole interconnected system. As new threats from terrorism as well as from the environment are emerging, a tool anticipating possible impacts of critical events may offer to decision makers precious insights for defining protection strategies and response actions.

9.

Acknowledgments

This paper relies mainly on the research activities of the Department of Computer, Control, and Management Engineering (DIAG) of Sapienza University, FORMIT Foundation, Erasmus Universiteit Rotterdam, Theorematica, Euro Works Consulting within the Project CRISADMIN CRitical Infrastructure Simulation of ADvanced Models on Interconnected Networks resilience. The project, lasting until August 2014, is realized thanks to the financial support of the Prevention, Preparedness and Consequence Management of Terrorism and other Security Related Risks Programme launched by Directorate-General Home Affairs of the European Commission.

References [1] S. Armenia, C. Carlini, R. Onori, A. P. Saullo, Policy Modeling as a new area for research: perspectives for a Systems Thinking and System Dynamics approach?, Proceedings of the 13th European Academy of Management (EURAM) Conference, Istanbul, 2013. [2] S. Armenia, G. C. Misuraca, D. Osimo and F. Mureddu, A New Roadmap for Next-Generation Policy-Making, Proceedings of the

Cavallini, d’Alessandro, Volpe, Armenia, Carlini, Saullo, Brein & Assogna 17

[3]

[4] [5]

[6]

[7] [8]

[9] [10] [11]

[12]

[13] [14] [15] [16]

6th International Conference on Theory and Practice of Electronic Governance , ICEGOV, 2012. P. Assogna, G. Bertocchi, A. Di Carlo, F. Milicchio, A. Paoluzzi, G. Scorzelli, M. Vicentino and R. Zollo, Critical Infrastructures as Complex Systems: A Multi-level Protection Architecture, CRITIS, 2008. R. Behara, C.D. Huang and Q. Hu, A System Dynamics model of information security investments, 2007. F. Bisogni, P. Fusco, L. Ferraro, L. A. Remotti, G. Gasperini, A. Zanetti and S. Anselmucci, Study on Critical Events management model, Final Report of CEMM project, co-financed by DG Justice, Freedom and Security European Commission, December 2009. L. B. Boursque, K. I. Shoaf and L. H. Nguyen, Survey Research, International Jurnal of Mass Emergencies and Disasters, vol. 15, no. 1, pp. 71-101, 1997. W. Enders, T. Sandler, The political economy of terrorism, Cambridge University Press, 2011 European Commission, Council Directive 2008/114/EC of 8 December 2008 – Identification and designation of European critical infrastructures and the assessment of the need to improve their protection, 2008. S. Friedman, Learning to make more effective decisions: changing beliefs as a prelude to action, The Learning Organization, 2004. London Assembly, 7 July Review Committee, Volume 4: Follow-up report, August 2007 M.H. Lyons, I. Adjali, D. Collings and K.O. Jensen, Complex systems models for strategic decision making, Organization Science, vol. 11 (4), p.404-428, 2000. W.J. Orlikowski and S.V. Scott, Sociomateriality: Challenging the separation of technology, work and organization, Annals of the Academy of Management, vol. 2 (1), 2008. SAMUR Proteccin Civil, Memoria 2004-2005, Madrid, 2006 J.D. Sterman, Business dynamics: systems thinking and modeling for a complex world, 2000. L. Von Bertalanffy, General system theory, 1968. K. Warren and R. Thurlby, Understanding and Managing the Threat of Disruptive Events to the Critical National Infrastructure, Proceedings of the 30th International Conference of the System Dynamics Society, 2012.