Risk Governance for Critical Infrastructure

SCK•CEN Mentor

Nagy Ahmed, anagy@sckcen.be, +32 (0)14 33 21 70

Expert group

Crisis Management and Decision Support

SCK•CEN Co-mentor

van der Meer Klaas , kvdmeer@sckcen.be , +32 (0)14 33 21 52


A critical infrastructure is considered an asset necessary for the proper  functioning of a society and economy. In 2006 the European commission launched a programme for critical infrastructure protection (EPCIP) aimed at the protection of infrastructure in Europe. This initiative involved a proposal for developing tools that can be used to carry out vulnerability assessment for european critical infrastructure. On the other hand, the American homeland security (DHS) championed an initiative of identifying the necessary critical infrastructures in the United states to protect and develop vulnerability assessment. The critical infrastructure identified included a comprehensive set of measures and techniques to improve security and address vulnerabilities in chains of critical infrastructure. The American presidential directive addressed the chain dependence and referred to information and communication infrastructures as a core infrastructure with high level of interdependence among others. Critical infrastructure protection is a cornerstone in ensuring resilient societies. There is a plethora of work to carry out risk assessment and vulnerability checks for critical infrastructure.  However, there is no clear approach of which methods could be useful for specific critical infrastructures.


Work Extension

Consolidating knowledge harnessed in concept graphs will provide an opportunity to operationalise the literature survey. Depending on the needs of the researcher/ intern Using concept graphs can help identify relevant actors in the domain and can further be used to build multicriteria decision making approach to assess vulnerabilities and identify dependencies for a critical infrastructure. Approaches to convert the concept graph to an analytic network process (ANP) to assess security risk (Nima Khakzad 2019).


Keywords: Risk Governance, Vulnerability Assessment, Critical Infrastructure Protection, Dependency Chains.


Key Milestones


  1. Identify key methods for vulnerability assessment for infrastructure protection

  2. Locate and describe key methods for general risk governance and specific for critical infrastructure

  3. Describe relevant attributes for infrastructure protection and assessment

  4. List the relevant attributes or entities in Excel format or other handy tools  and use one of the methods to aggregate attributes for security risk assessment of a typical critical infrastructure




The work aims at carrying out a literature survey to identify the key methods and approaches for the protection of critical infrastructure through risk governance. The literature review should focus on identifying vulnerability assessment methods and security assessment methods. Further, identifying dependency chains is important to develop effective infrastructure protection mechanisms. Multiple approaches rely on identifying relevant risks and developing scenario based strategies to protect the infrastructure. The work aims at carrying a literature review for the different approaches of risk governance for critical infrastructure and available tools.

The review should focus on presenting a critical perspective that identifies weaknesses and strengths for each method. Depending on the candidates interest, an example of a risk identification method for critical infrastructures can be implemented  using user friendly existing tools (Excel). Identification of important attributes in the approaches reviewed is a useful step that could make it easy to convert the method to a graph based or a hierarchy vulnerability assessment support tool.

Attention should be given to a set of important critical infrastructure that can be selected from the following: power plants, water networks, dams, key governmental offices, nuclear facilities, cyber / information and critical infrastructure. The American presidential directive lists 16 types of critical infrastructure that are important to protect  and strengthen to maintain a secure running infrastructure.

Developing a list of relevant concepts can help in summarising the key areas of attention. The candidate can be supported to produce a conceptual / knowledge graph with the core concepts. This can include the attributes relevant to vulnerabilities, risks, dependencies, consequences and assets.  

The minimum diploma level of the candidate needs to be

Academic bachelor