Professional Documents
Culture Documents
Performing risk assessment for critical infrastructure protection an investigation of transnational challenges and human decision-making consideratio
Performing risk assessment for critical infrastructure protection an investigation of transnational challenges and human decision-making consideratio
To cite this article: Michalis Papamichael, Christos Dimopoulos & George Boustras (2024)
Performing risk assessment for critical infrastructure protection: an investigation of
transnational challenges and human decision-making considerations, Sustainable and Resilient
Infrastructure, 9:4, 367-385, DOI: 10.1080/23789689.2024.2340368
1. Introduction
The risk management process which relates to the
The concept and importance of CI-acquired promi capacity of an entity to adequately prepare for and
nence in our societies during the last decades of the respond to serious incidents that involve the CI of
twentieth Century. The worldwide interest in the pro a region or nation (European Council, 2008; White
tection of CI was triggered by headlining events such as House, 1998) is commonly identified as the Critical
the attacks on New York City’s World Trade Center Infrastructure Protection (CIP) Process. RA is at the
towers in February 1993, the 1994 cyber-attacks heart of a CIP process given its role in the identification
against US Air Force systems at Rome Labs, and the of threats, the assessment of vulnerabilities, and the
2004 al Qaeda train attacks in Madrid, Spain (Renda & evaluation of the impact on assets and systems
Haemmerli, 2010; Sachs, 2022). CIs are characterized (Giannopoulos, Filippini, & Schimmer, 2012).
by their complex structure and their strong impact on A characteristic example of such a process is the Risk
all aspects of society. The first formal definition of the Management Framework of the National Infrastructure
concept appeared in 1996 with President Clinton’s Protection Plan (NIPP) developed by the Department of
Executive Order 13,010 (US Election Assistance Homeland Security in the US, as depicted in Figure 1
Commission, 2017). Since then, CI-related definitions (Homeland Security, nd).
appear to be in a perpetual advancement and improve A multitude of RA methodologies have already been
ment mode. For the purpose of the discussion pre developed within the specific context of the CIP process;
sented in this paper, an adapted version of the however, there is a significant differentiation in their
European Critical Infrastructure (ECI) definition, scope of methodology, target audience, and domain of
infused with asset-level specifics from the Patriot Act applicability. As a general framework, the established
(US Congress, 2021), has been adopted. Specifically, approach of the ISO31000 risk management framework
CIs are defined as ’Systems and assets or part thereof, (Rød, Lange, Theocharidou, et al., 2020) is being fol
whether physical or virtual, located in any group of lowed. This ‘gold standard’ (Figure 2), which is widely
nations or states whose disruption or destruction accepted around the world by most G20 countries,
would have a significant impact on at least two provides the principles, an overarching framework,
group member nations or states.’ and the process for managing risk (Dali & Lajtha,
The search was conducted between September 2021 (Burgess, 2007; Fritzon, Ljungkvist, Boin, et al., 2007)
and December 2022 for English-only publications. No have been extensively used in the literature for this pur
restrictions were applied in relation to the year of pub pose. Whilst the terms ‘transnational’ and ‘transbound
lication. Screened publications themselves were ary’ could be thought of as being equivalent to some
a secondary source of publications through their respec extend (Cambridge on-line Dictionary, 2021), their use
tive referenced work which was searched manually. as part of the overall CIP process should be viewed
Inclusion was conditioned on at least one of the three through the following angles:
main themes of transnational challenges, the human
aspect of RA, and RA performance, be explicitly or ● The term ‘transnational’ specifically alludes to
implicitly referred to in the document. Document ana a state or a nation’s boundaries which is consistent
lysis steps of skimming, (in-depth) reading, and inter with the position expressed that a multinational
pretation were pursued for the purpose of identifying environment, such as the case of the EU, would
excerpts and learning from the papers which was then provide significant insights into the study.
be documented in support of answering the research ● It would appear that in so far as RA is concerned,
questions identified earlier. The method was tested by the term ‘transboundary’ is often used to refer to
exploring mechanisms for addressing interdependency- environmental or public health risk and of
related risk across three critical national infrastructure resources crossing national boundaries, such as
sectors in Sweden (Sonesson, Johansson, & Cedergren, rivers, which are outside the scope of this paper
2021). (Linnerooth-Bayer & Sjostedt, 2010; Lidskog,
The narrative literature review was supported by Soneryd, Uggla, et al., 2009).
a critical analysis of the ‘gold standard’ ISO31000:2018
RA process with regard to the way it addresses the Based on the previous considerations, it can be said
unique transnational and decision-making characteris that the term ‘transnational’ constitutes a valid basis
tics of a CIP project. The analysis was based on the for guiding the discussion which follows, however, it
critical examination of the provisions of the IS031000 should be stated that the alternative terms were also
RA framework, as these are described in the generic RA explicitly considered in our analysis, wherever they
literature and viewed within the context of unique CIP appeared in the literature in the context of the topic
transnational and decision-making challenges. considered.
As this study is not experimental in nature, its limita
tions are mainly related to the known limitations of any
3.2. Transnational considerations in the CIP
literature review study. It only provides a snapshot of
literature
what has currently been published in academic and
regulatory literature, thus it may not adequately reflect In general, it has been specifically argued that
the perception and practices of CIP practitioners. In Europe’s present-day vulnerabilities reside precisely
addition, although the study followed systematic ele in their transnational character (Högselius,
ments in its search strategy, there is always a minor Hommels, Kaijser, et al., 2013). Despite its recognized
possibility that a relevant work has not been identified, importance, the concept of transnational challenges
especially if this was presented in a conference setting. within the context of RA for CIP has not attracted
Finally, as this study is not quantitative in nature, there the attention of researchers to any significant degree
is a subjective element in the interpretation and analysis (Pursiainen & Rød, 2021). Some examples include the
of the findings, especially with regard to the critical EURAM model (Klaver, Luiijf, Nieuwenhuijs, et al.,
analysis process. 2008), the EURACOM framework (CORDIS, 2011),
and numerous multi-national CI-related crisis exer
cises run by EU and NATO (European Commission,
3. Transnational challenges in CIP 2016). Similarly, regulatory efforts to address transna
tional considerations through enhancing the compar
3.1. Conceptualization of transnational challenges
ability of National Risk Assessments in the EU have
There have been many attempts to conceptualize the not become influential through effectively a failure of
characteristic of risk which relates to the crossing of the endeavor itself (European Commission, 2022;
national and other borders within the context of CI. The Pursiainen & Kytömaa, 2023; Pursiainen & Rød,
terms ‘transnational’ (Van der Vleuten & Lagendijk, 2021; European Commission 2019b). Another such
2010b), ‘cross-border’ (Borghetti, Marchionni, Gugiatti, example is the effort to address the comparability
et al., 2020; Coman, 2017), and ‘transboundary’ issue between NRAs using the CRitical
SUSTAINABLE AND RESILIENT INFRASTRUCTURE 371
Infrastructures and Systems Risk and Resilience the potential risk posed by its non-consideration.
Assessment Methodology (CRISRRAM) model Fortunately, academic literature provides significant
(Theocharidou & Giannopoulos, 2015), which does evidence on this topic, as this is discussed in the
not seem to have attracted significant attention either. following sub-section.
It should be stated that the concept of transna
tional challenges is indeed frequently considered 3.2.1. Vulnerability
within the context of CI literature but not in Discrepancy in the interpretation of vulnerability is not
a direct manner. In particular, the following CI uncommon, as it has been showcased in the example of
areas of research are naturally related to transna the ‘European Blackout’ case (Van der Vleuten &
tional considerations: Lagendijk, 2010a, 2010b). Assigning an estimated value
to vulnerability during the risk evaluation phase of the
Threats to CI from foreign adversaries (Center for CIP process, especially in the transnational context, is
Homeland Defense and Security, 2020; Department
of Homeland Security, 2021; Hammond-Errey &
very challenging before an actual breakdown takes
Ray, 2021): This is a common consideration in CI place. Even then, the magnitude of the disruption is
papers relating to countries outside of the European influenced by mitigation measures implemented before
space, more frequently the US, Australia, and other the event. The example of the contested vulnerability of
geographies with few, if any, nation state neighbors. electrical power generation in the EU has prompted
In this case, transnational threats and risk relate to
increasing regulating powers for the EU on the pretext
adversaries outside the respective country’s hinter
land who aim to harm CI in some way. of economic and sustainability arguments. That said,
regulation is not always the answer given the paradox
● Cyber threats which defy any concept of geogra of sometimes additional CI vulnerability being pro
phy or border (Sofaer & Goodman, 2001; ENISA, duced by the very measures implemented to reduce
2021; Gaiser, 2018; Fischerkeller & Harknett, vulnerability in the first place (Disco & Lintsen, 1998;
2017): This body of work relates to cyber-type Van der Vleuten & Disco, 2004). The piecemeal linear
risk which is inherently transnational due to the approach of addressing vulnerabilities in isolation on
interconnected, cross-border nature of the present- the assumption that outcomes would be aggregatable
day information and communication technology has also been challenged (Birkmann, Feldmeyer,
infrastructure. McMillan, et al., 2021). It is proposed that the strength
● Threats against physical elements of CI which ening of transboundary approaches for the reduction of
span across country boundaries (Sofaer & vulnerability in recognition of the emergence of spatial
Goodman, 2001): Research work identified in this statistical hotspots as an outcome of a group of hazards
context is more frequently seen in relation to the rather than the influence of single hazards and yet
EU or EU member states and other countries. national approaches, at least in Europe, are an outcome
of the normal practice of positioning of individual coun
In the context of this paper, the term ‘transnational tries within vulnerability rankings which, in turn, is
ism’ will broadly ‘refer to multiple ties and interac linked to the linear RA models in use (Theocharidou
tions linking people or in situations across the & Giannopoulos, 2015). This realization discredits any
borders of nation-states’ (Vertovec, 1999, p. 447) RA process delving beyond the borders of a single
with its meaning grounded upon the distinct concep nation if it assumes that the outcomes of a piecemeal
tual premises of avenue of capital and the reconstruc approach to risk and vulnerability assessment could be
tion of ‘place’ or locality. Surprisingly, though and aggregatable, rendering transnational consolidation of
despite the fact that transnationalism is a domain- RAs for the purpose of CIP improbable.
based concept frequently associated with CIP pro
jects, it is not directly addressed in published studies 3.2.2. Interdependence
as an integral part of the CIP process. In particular, The terms interdependency and dependency are often
the review of the literature did not identify frame used interchangeably in the CIP literature. Dependency
works which explicitly address the existence of trans ‘ . . . is a uni-directional relationship of two infrastruc
national dynamics and spatial infrastructure tures through which the state of the depending infra
vulnerabilities during the implementation of the CIP structure is influenced by or is correlated to the state of
process. This finding creates the need for further the other’ and interdependency is a ’ . . . mutually reliant
investigation and analysis with regard to the actual relationship between entities (objects, individuals, or
need of explicitly addressing transnationalism as part groups)’ (Department of Homeland Security, 2013;
of the implementation of the CIP process, as well as Luiijf & Klaver, 2021; Rinaldi, Peerenboom, & Kelly,
372 M. PAPAMICHAEL ET AL.
2001). Both terms will be used as mentioned in the coordinated governance across a transnational CI pro
respective references for the sake of consistency. ject will face challenges if it is pursued only through the
CIs are complex, interdependent systems where respective ‘national’ tools of each country. The EU is
a potential failure propagating among infrastructures highlighted as a characteristic example of such chal
may affect the entirety of the network. While it has lenges (Bossong, 2014). In particular, it is argued that
been suggested that an indeterminate risk should be despite the advent of sector-specific DGs (General
accepted by governments in such cases (Clemente, Directorates), and the support of the Joint Research
2013), the CI literature is rich with attempts to pursue Center (JRC), its very own research unit, CI governance
models and processes that address the challenge of remains fragmented. It was suggested that these chal
adequately managing CI interdependency. These lenges can be attributed to the difficulties of managing
attempts are overwhelmingly considering the interde cross-sector policy programs and the significant harmo
pendency challenge solely within national borders. nization costs associated with the high level of regula
A typical US example is the early pioneering work of tory and institutional diversity (May & Koski, 2013). On
Rinaldi, Peerenboom, and Kelly (2001) who introduced the project level, transnational Public Private
the concept of infrastructures as complex adaptive sys Partnerships (PPP) remain the more prominent plat
tems and highlighted the challenges in developing, form for financing and delivering CI projects although
applying, and validating modeling and simulation the ‘ . . . phenomena . . . range from loose cooperation
methodologies for infrastructure interdependency ana forms to legally binding contracts for the implementa
lysis. The potential of propagation of failure of CIs and tion of specific projects’ (Schäferhoff, Campe, & Kaan,
the associated cascading effects throughout the network 2009, p. 6). Still, issues related to responsibilities, risk, or
was also discussed (Eusgeld, Nan, & Dietz, 2011); how authorities in the partnership, differences between the
ever, it is evident that such cascade effects may extend partners in working methods, as well as lack of commit
beyond the geographical borders of a nation. More ment from the partners, generate significant challenges
recent work which takes up the challenge of looking at to the management of CI projects (Yu, Chan, Chen,
the issue in much broader terms ran an analysis of et al., 2018).
a unique multinational database resource of CI and Summarizing, the analysis of the literature suggests
Critical Information Infrastructure (CII) threats, fail that transnationalism can have a strong impact on the
ures, disruptions, and lost infrastructure between 2004 implementation of the RA process within the context of
and 2010 (Van Eeten, Nieuwenhuijs, Luiijf, et al., 2011) CIP, especially in terms of asset vulnerability, interde
and again for data collected between 2004 and 2018 pendency between elements and functions of a project
(Luiijf & Klaver, 2021). Outcomes were consistent in across national boundaries, and governance, or absence
that the analysis of trends, dependencies and common of it thereof, in relation to the management of RA
cause failure phenomena, and the improved under transnational elements. The implications of this finding
standing of other CI/CII related phenomena in both of will be further discussed in section 5 of this paper.
these studies dictates that the pervasive web of CI/CII
dependencies has the potential to cause significant
3.3. Influence of transnationalism in the CIP
damage and societal disruption and may be challenging
process
to secure and govern (Luiijf & Klaver, 2021). Given that
the research work in a transnational context would be The need for the explicit consideration of transnation
hindered by methodological considerations such as the alism parameters as part of the CIP process is being
comparability of the results, the ambiguity of terms used extensively emphasized in academic literature. In parti
in the various geographies and respective sectors, and cular, it has been argued that, within the context of CIP,
the need for dependency analysis (Theocharidou & the concept of transnationalism influences the imple
Giannopoulos, 2015), effective RA for a transnational mentation of RA within the context of the CIP process
system is bound even more challenging. on a number of levels. Particular focus is given to the
dimensions of vulnerability, interdependency, and
3.2.3. Governance governance.
Given the complexity of CI projects, it is natural to Figure 3 provides the graphical framework for the
assume that the management of a transnational CI facilitation of discussion regarding the potential effects
from within national ‘silos’ can potentially introduce of transnationalism within the context of the CIP pro
governance issues. Moreover, the actual delivery of gov cess. In particular, the figure illustrates both the generic
ernance for CI could be in doubt when national RAs are ‘gold standard’ ISO31000:2018 Risk Management pro
not aligned and coordinated. It is suggested that cess, as well as a generic implementation framework of
SUSTAINABLE AND RESILIENT INFRASTRUCTURE 373
the CIP process. In between them, the main transna instances as an appreciation of risk which is the out
tionalism dimensions which are the focus of our discus come of deliberate analysis (Slovic, 2020). The assertion
sion are showcased. Association arrows have been is that they should be looked upon as the two sides of the
drawn between each of these aspects and the corre same coin irrespective of the disparity they represent.
sponding stages which can potentially be affected by The same individual is also capable of all but rational
them during the implementation of the ISO31000:2018 decisions and judgements as influenced by their own
process (and consequently during the implementation biases and prejudices. Early research in risk perception
of the CIP process), according to the academic showed that the more profound indication of risk for
literature. any given hazard is the degree to which it evokes feelings
Figure 3 indicates that there is a strong association of dread and that perceived risk and benefit are inversely
between the transnational dimensions in consideration correlated (Slovic, Fischhoff, & Lichtenstein, 1982).
and all stages of the RA implementation process within Moreover, work on how individuals think, described
the context of the CIP process. The nature of this asso as slow and fast modes, was subsequently shown to be
ciation is discussed in detail in the following paragraphs: indispensable to rational decision-making (Slovic,
Finucane, Peters, et al., 2004, Kahneman, 2011 as refer
4. Decision-making challenges in CIP enced in; Slovic, 2020, p. 3). These decisions are said to
be influenced by heuristics (Slovic, Finucane, Peters,
4.1. Conceptualization of risk perception and of et al., 2004).
decision-making heuristics and biases
Heuristics can be defined as the shortcuts to task
The Society for Risk Analysis (SRA) defines risk percep complexity in judgement, and biases as the space
tion as a person’s subjective judgement or appraisal of between normative and heuristically driven behavior
risk (Aven et al., 2008). The deviation between real risk (Kahneman & Tversky, 1982). They are dis-optimal,
and the way it is perceived is caused by a range of imperfect, and irrational approaches to problem solving
affective, cognitive, contextual, and individual factors which can, nonetheless, speed up the process of finding
(Aven et al., 2018a). Three of these four factors stem a satisfactory solution. Heuristics have been linked to
out of the qualities of the individual. Affective factors cognitive biases (Tversky & Kahneman, 1974), while
include emotions and feelings of the person in question, pre-event predictions of behavior requiring formal
while cognitive factors can include media coverage and modelling of the decision process are proposed
the framing of risk information. Individual factors relate (Gigerenzer & Todd, 1999). However, much as heuris
to the individual’s previous experience, age, and person tics are neither always accurate nor driven by logic, they
ality traits, while contextual factors relate to the way are often enough to satisfy a need and often seem to
information is framed and the way alternative informa work (Mousavi & Gigerenzer, 2014). In fact, it has been
tion sources are accessed. shown that at least for some business situations, heur
It has been suggested that perception of risk resides istic decision-making can be effective if some informa
within individuals sometimes as a feeling and in other tion is purposely ignored with less proving to be more
374 M. PAPAMICHAEL ET AL.
under uncertainty when knowledge takes precedence specifically argued in the academic literature that
over information abundance (Mousavi & Gigerenzer, the affect (as well as the availability heuristic dis
2014). cussed later) can directly influence the CIP RA
Focusing on the implementation of RA within the process by being a source of the so-called ‘blind-
context of the CIP process in particular, the onus is spots’ which could trigger catastrophe across CI
frequently on the RA professional, the cornerstone of systems (Blackwell, Tolone, Lee, et al., 2009).
the RA process, whose input is prevalent at all CIP Interestingly, the affect heuristic might also have
activity levels (Poljanšek, Casajus Valles, Marin Ferrer, an effect possible team-level discussions on the risk
et al., 2019) and whose judgement may be led astray by level, which constitutes a typical case for large
heuristic’s ability to ‘lubricate reason’ (Slovic, Finucane, projects. This effect will be discussed in more detail
Peters, et al., 2007). It has been argued that the RA in the following sub-sections.
professional has to make decisions during the CIP pro ● Availability Heuristic: Individuals use the heuris
cess lacking the tools and processes which can identify tic of availability, a mental shortcut that bases
and address the extent of systems links across national decisions on immediate examples that come to
borders and into other sectors (Pidgeon & O’Leary, mind, to estimate the frequency of an event or the
2000). The following subsection examines the use of likelihood of its occurrence by ‘the ease with which
decision-making heuristics by the RA professional relevant instances or associations come to mind’
within the context of the CIP process, as this has been (Tversky & Kahneman, 1973). The availability
discussed in academic literature. heuristic can have a significant effect on the risk
practitioner’s perception of the likelihood of an
event (Slovic et al., 1981). As such, it can influence
4.2. Decision-making heuristics and biases in the
RA activities in general, and the RA activities
CIP literature
within the context of the CIP process in process,
As in the case for the transnationalism concept, the where the team decision-making element is likely
review of the literature provides only a limited number to feature (Blackwell et al., 2009; Slovic et al., 1981).
of direct references related to the effect of RA decision- The availability heuristic has been reported to
making heuristics and biases within the specific context explain differences in the perception of risk across
of the CIP process. Research work on non-CIP-specific groups, cultures, and even nations effectively. This
human decision-making heuristics and biases is slightly finding bears additional relevance for CIP given its
more populus albeit with more focus on risk perception transnational nature (Sunstein, 2005).
rather than RA. However, given that the ‘gold standard’ ● Cognitive Reflection Ability: Cognitive reflection
RA methodology employed during CIP is the ISO relates to the ability or disposition to reflect on
31,000:2018 risk management process (as already dis a question and resist an automatic response
cussed in section 3 of this paper), the set of decision- (Frederick, 2005; Toplak, West, & Stanovich,
making heuristics which are reported in the literature to 2011). As such, cognitive reflection can have
be employed during the latter process are (in principle) a potential effect to the entirety of the RA process
applicable to the CIP process as well. A brief description within the context of CIP, from threat identifica
of these heuristics and biases, as well as their potential tion to the formulation of mitigation strategies.
impact on the RA process within the context of CIP, is Risk professionals can be biased by the context,
provided in the following paragraphs: and the way information is presented (Berger,
2015). In addition, the strength of the inverse cor
● The Affect Heuristic: The affect heuristic is relation is tied to individual cognitive abilities, with
defined as a feeling state such as happiness or cognitive reflection ability at the forefront
sadness but also as goodness or badness, assigned (Skagerlund, Forsblad, Slovic, et al., 2020).
to a stimulus experienced by people (Slovic, 2000). However, there are no direct references in the aca
It is considered to be a prominent heuristic in demic literature with regard to the implications of
relation to risk (Tversky & Kahneman, 1974). cognitive reflection ability for RA professionals
There is scientific evidence which showcases the within the CIP context.
direct influence of the affect heuristic on risk per ● Cross-cultural Differences and Cultural Bias:
ception (Van Schaik, Renaud, Wilson, et al., 2020) While these concepts are not heuristics in their
and its impact on affective information to per own right, their transnational nature can introduce
ceived-risk judgments (Pachur et al., 2012). More biases which extend beyond the confines of a single
importantly (for the scope of this paper) it has been nation. In particular, differences in risk preference
SUSTAINABLE AND RESILIENT INFRASTRUCTURE 375
between nations are associated with national culture the influence of decision-making heuristics on the level
differences in their peoples’ respective perception of of an individual professional’s risk perception (Aven
risk rather than their attitudes towards perceived et al., 2018a; Aven, Ben-Haim, Andersen, et al., 2018;
risk (Weber & Hsee, 1998). Studies have shown Slovic, 2020) and how this may affect decisions made in
that in addition to cross-cultural disparities between the context of RA for CIP. The second relates to how
professional groups within a country, there are also a team-based RA may be influenced in the context of
considerable cross-national differences in how risk these decision-making heuristics (Slovic, Fischhoff, &
is perceived (Rohrmann, 2000). In addition, a wide Lichtenstein, 1982; Slovic et al., 2004), viewed within the
range of basic psychological processes have been context of RA professionals employed in mass for a CIP
known to be influenced by culture including the project.
likelihood of the fundamental attribution error and
probabilistic thinking (Weber & Hsee, 1998). It is
4.3. Influence of decision-making heuristics in the
therefore evident that with the multitude of national
cip process (individual level)
stakeholders in each of the facets of a CIP project,
maintaining consistency in RA evaluations as well as Human input is apparent in all phases of the CIP pro
a uniform risk perception across regions and states cess (Figure 4), including the actual RA activity, the
constitutes a serious challenge. Despite this, such training to build the necessary RA expertise, including
challenges have not been considered/examined in the evolution of requirements stemming from CI system
RA literature in the context of CIP. adaptivity and the assessment of relevant capabilities.
The identification and selection of the specific CI to be
Summarizing, while there exists considerable literature included in any analysis and the very definition of what
on the effect of decision-making heuristics and biases in constitutes a CI are looked upon differently between
the generic RA process, their implication has not been policymakers and operators which emphasizes the
adequately examined within the specific context of CIP. value of the individual in the process (Poljanšek et al.,
In particular, the review of the literature did not identify 2019).
works which critically analyze the use of decision- Human input is apparent in all phases of the RA
making heuristics within the complex, transnational process and beyond; the actual RA activity, the training
environment of a CIP process, as this has been unveiled to build the necessary RA expertise, including the evo
in the discussion of Section 4.1. Therefore, further lution of requirements stemming from CI system adap
investigation and analysis are necessary with regard to tivity and the assessment of said capabilities.
the potential influence of decision-making heuristics The practitioner is effectively the cornerstone of the
and biases as part of the implementation of the CIP RA process within the context of CIP. Knowledge and
process, in particular. To this end, the following subsec expertise in this respect needs to be built. Poljanšek,
tions discuss two types of decision-making dimensions Casajus Valles, Marin Ferrer, et al. (2019) have shown
which can potentially emerge during the implementa that continuously assessing one’s risk management cap
tion of RA within the context of CIP. The first relates to ability can be a significant driver to the development of
Figure 4. The influence of decision-making heuristics in the CIP RA Process (individual level).
376 M. PAPAMICHAEL ET AL.
those capabilities. One common characteristic of CI is will invariably lead to additional scope and complexity,
that they are complex adaptive systems (CAS) in that through sheer size, in identifying and addressing deci
their many constituent elements affect the overall sys sion-making heuristics and biases, transnational vulner
tem as a result of the respective learning processes over abilities, and regulation streamlining and coordination
time; transformers and battery systems degrade over issues, such as reliability and safety standards, across the
time, pipelines rust and age, the operating team larger footprint of the project (Roe & Schulman, 2018).
improves in their adaptation and ability to manage the
system over time (Rinaldi, Peerenboom, & Kelly, 2001).
4.4. Influence of decision-making heuristics in the
The importance of this in the context of the paper is the
cip process (team level)
need for individuals engaged in RA for CIP to recognize
in their decision-making activities the inherent nat The team-based approach to decision-making has been
ure of CI and their emergent behaviors in this respect suggested as a remedy to decision-making heuristic
in terms of risk and its assessment thereof, but also in deficiencies as it may attenuate cognitive biases
terms of possible interdependencies between systems (Cianni & Wnuck, 1997). However, it has been argued
and elements of infrastructure. that teams might also be inclined towards similar infor
Figure 4 provides a graphical framework of an indi mation-processing biases (Schwenk, 1986). Moreover, it
vidual’s decision-making aspects as these are perceived is reported that these teams often use the same ‘rules of
during the implementation of the ‘gold standard’ thumb’ individuals use to process information, invari
ISO31000:2018 RA process and the RA process within ably leading to similar errors in judgement (Houghton,
the context of the CIP. Looking deeper into this frame Simon, Aquino, et al., 2000).
work, based on what has been published in academic The RA literature predominantly discusses the opti
literature, it can be said that CIP-specific RA models in mal formation of a decision-making team rather than its
use are not unlike generic RA models as attested by the decision-making characteristics, including the existence
convergence in their linear approach to process, and of heuristics and biases. A typical example is the pro
their likeness to the ISO 31,000:2018 standard. In this posed ‘high-functioning risk team’ approach, which has
respect, decision-making heuristics and biases particu actually been suggested for the case of CIP projects,
lar to RA are also relevant to CIP. Such associations can without providing any further details on the suitability
be found between the process of risk perception and the of this approach for the particular domain (Baggett &
affect and availability heuristics (Pachur, Hertwig, & Stout, 2022). Alternative team-based approaches which
Steinmann, 2012; Sunstein, 2005; Van Schaik, Renaud, can potentially be relevant to the CIP process include
Wilson, et al., 2020), between the entire RA process and the ‘unity of effort’ approach (Baggett & Stout, 2022;
the cognitive reflection ability (Berger, 2015; Stockton & Roberts, 2008), which constitutes one of the
Skagerlund, Forsblad, Slovic, et al., 2020), and between key tenants of RA, ensuring a consistent approach by all
the perceived severity of risk and the cross-national stakeholders for maximum effectiveness. This approach
differences and cultural biases (Bontempo, Bottom, & calls for the selection of a team from both internal and
Weber, 1997; Jasanoff, 1991; Sunstein, 2005). external stakeholders, supervisory, and line, who would
However, it is of critical importance to state that the need to be trained in RA methods. Another example is
unique nature of a CI project introduces additional the ‘red-team’ approach to critical operations (Veland &
challenges to the implementation of the RA process in Aven, 2015) where the RA is carried out by two different
relation to the characteristics in consideration. This teams and where the external team subsequently chal
relates to the increased complexity of CI projects in lenges the self-evaluation of the internal analyst team,
relation to non-CI projects (Ulusan, Ergun, & He, and both eventually work together for a final consensus,
2018), even if not transnational, which requires an while group decision-making sessions using the Delphi
enlarged pool of RA professionals to cover the increased method and sources of knowledge, such as risk-event
scope which, in turn, introduces additional heuristic histories, during the RA process are also proposed
decision-making challenges. In addition, the transna (Yildiz, Dikmen, & Birgonul, 2014).
tional nature of CI projects (Heino, Takala, Based on the previous, Figure 5 provides a graphical
Jukarainen, et al., 2019), which necessitates the ability framework of the team’s decision-making aspects as
to define issues across geographical boundaries, can be these are perceived during the implementation of the
the source of an enlarged scope for RA with additional RA process within the context of the CIP. What can be
risk professionals contributing from different geogra deduced from this framework is that all team decision-
phies and countries, a multi-faceted regulatory frame making approaches discussed above fail to address the
work, and an increased stakeholder population. This added complexity and enlarged scope which CIP brings
SUSTAINABLE AND RESILIENT INFRASTRUCTURE 377
Figure 5. The influence of decision-making heuristics in the CIP RA Process (team level).
about. Specifically, beyond the actual composition of the converge in their linear approach to process and are
decision-making team, the sheer size of a CI project largely based on the ISO 31,000:2018 ‘gold standard’.
introduces added complexity (Heino, Takala, Our study investigated whether this standardized
Jukarainen, et al., 2019). Transnational-driven issues of approach would actually ‘fit’ for the case of CIP, or if
vulnerability, interdependence and governance and there are CIP-specific considerations (‘challenges’)
decision-making heuristics were shown to influence which are potentially not adequately addressed by the
the CIP process, with the latter being additionally chal use of the ‘gold standard’ approach to the RA imple
lenged by a transnational-team or team-of-teams mentation within the context of CIP. As discussed in the
approach to RA, given the much wider scope of CI introductory section, two particular ‘challenges’ were
(Ulusan, Ergun, & He, 2018) and their inherent struc investigated for their influence on the implementation
tural and dynamic complexities (Zio, 2016). of the CIP RA process. In particular, the influence of the
Summarizing, much as there are not many studies transnationalism dimension, which is a CIP-specific
discussing and analyzing the team-level decision- challenge, and also the use of decision-making heuris
making characteristics of the RA process within the tics and biases, which is a horizontal RA challenge.
context of CIP, there are advocates of the team-based A narrative literature review was employed in order to
approach in the literature, as seen in this section. identify relevant information which has been published
However, what is advocated remains at a high-level in academic literature. Given the limited amount of
and does not specifically prescribe how the team will research which has been conducted on these topics
function together nor how practitioner characteristics (from the CIP perspective), our study also considered
will be prevented from influencing local and indeed academic research works from the generic RA literature
regional RA work. and showcased how the CIP process can potentially be
affected by the two main challenges in consideration.
Given the objectives of the study which were pre
5. Discussion
sented in the introductory section of this paper, the
The concept and importance of CI, as well as its protec main findings of the study are presented below:
tion (CIP), acquired prominence in our societies during Objective 1: Investigate how the concept of transna
the last decades of the twentieth Century following tionalism currently affects the implementation of the RA
numerous high-profile terrorist attacks (Renda & process within the context of CIP.
Haemmerli, 2010; Sachs, 2022). RA is at the heart of Conceptualizing transnationalism in its own merit is
this CIP risk management process which relates to the not a straightforward task, as evidenced by the discus
capacity of an entity to adequately prepare for and sion in section 3.1. It does, however, constitute an
respond to such serious incidents. The information extensively researched notion albeit in isolation of the
presented and the analysis of the previous sections indi RA practitioner, employed by practitioners within the
cates that the RA models employed within the context of context of CIP due to its perceived importance. For this
CIP-specific are similar to generic RA models as they reason, the apparent lack of studies which explicitly
378 M. PAPAMICHAEL ET AL.
consider transnationalism as an integral part of the CIP Naturally, a further investigation was conducted on
RA process specifically and have developed appropriate the potential influence of specific decision-making
tools to this end at the RA practitioner level, was a rather heuristics and biases on the CIP RA process (both
unexpected, but a very important finding of our study. from the individual and the team perspective), based
Naturally, the study extended to the potential influ on the findings of the generic RA literature and the
ence of some principal dimensions of transnationalism theoretical foundations of the CIP process. The heuris
on the RA process within the context of CIP. In parti tics and biases investigated were the affect and avail
cular, the dimensions of vulnerability, interdependency, ability heuristics, the cognitive reflection ability, as well
and governance were investigated, based on what has as the cross-national and cultural differences. While it
been published in the generic RA literature, as well as on became evident from our investigation that these heur
the theoretical foundations of the CIP process. What istics and biases are naturally relevant to the implemen
was evidenced is that the transnational complexity of tation of the entire RA process within the context of the
CIP projects can potentially render the use of generic CIP, our study also suggests that their influence on the
linear RA models ineffective within the context of CIP. CIP RA process should be viewed within the following
In particular: context:
The findings of this study which were discussed transnational CI projects and to recognize the full extent
within the context of study objectives 1 and 2 provide of the human decision-making influence on the RA
a convenient basis for the identification of the main gaps process itself can only be the outcome of thorough
which currently exist in the literature. In general, it can analysis of numerous case studies. Whilst this cannot
be said that academic studies related to the analysis of be possible in a paper of this nature given the restrictive
the overall RA process within the specific context of CIP word-count limitation, two CI examples portray signs of
have been limited. Naturally, this means that studies for these traits.
specific RA considerations within the context of CIP, The first example relates to the 2013 terrorist attack
such as transnational considerations and decision- at the Statoil In Amenas gas facility in Algeria. An
making heuristics and biases would also be limited. investigation into the attack (Equinor, 2013) whose
However, what was rather unexpected (as discussed in purpose was to clarify the chain of events and to facil
the previous paragraphs) was not only the fact that the itate learning and further improvements within risk
number of studies on these particular considerations assessment, security, and emergency preparedness
was very low but also the observation that the limited revealed a number of security vulnerabilities and short
attempts which have appeared in the literature have not comings stemming from a combination of a number of
seemed to trigger the implementation of further factors including the project’s transnational nature.
research work on their analysis. This gap is especially Concerns were raised in reference to the scope of the
important when viewed under the analysis presented in risk assessment at the terminal for failing to capture and
this paper (sections 3.3 and 4.3), which showcased how consider the significance of regional geopolitical events
the CIP RA process can potentially be affected by these and their potential impact (Institute of Strategic Risk
unique challenges. Management, 2023). Risk Assessment activity was ‘split’
Looking into the gaps identified for the transnation between Statoil’s Algiers office with emergency response
alism challenge in particular, it can be said that there is plans influenced by the experience in Egypt and Libya,
a need to analyze in depth the process of aggregating the London office, and company headquarters in
risk across CI during a vulnerability assessment of Norway with stakeholders spread across geographies,
a transnational CIP project. Current RA models do businesses, and functions (Statoil, 2013). In fact,
not accommodate this calculation, and it is not readily Lambrechts and Blomquist (2017) suggest that Statoil
obvious how this process should be performed. At the lacked a holistic approach to risk management, with
same time, there seem to be no models available which political risk seen as a public relations issue and security
allow the assessment of cascading effects of a CI failure risk normally outsourced.
on transnational, interdependent CIP projects. Last but The second relates to the BTC (Baku-Tbilisi-Ceyhan)
not least, there is a gap in the investigation of the effects pipeline and the RA failings that supposedly led to the
of governance issues on the implementation of the CIP attack in 2008, although the accuracy of the cyber-attack
RA process in transnational projects. report itself has been questioned (Lee, 2015). These
Challenges and issues have also been identified based failings suggest that actual security infrastructure and
on the analysis of decision-making heuristics and biases the socio-political risks may not have been adequately
during the implementation of the CIP RA process. The addressed. This may be an outcome of the transnational
horizontal RA nature of these challenges means that nature of the project which led to differing levels of
models and procedures do exist in the literature which activity at the national, tri-party, and regional levels
provide solid frameworks for their analysis. However, for delivering protection (Starr & Cornell, 2005), non-
once the specific characteristics which underline the aligned regional and local cooperation fora, and ad hoc
unique nature of the CIP process are considered (com geographical security alliances beyond the tri-party
plexity of the adaptive system, transnationalism), our organization involving subsets of the BTC consortium
analysis showcases that current approaches might be state players and other regional states. Furthermore,
ineffective in modelling and managing the individual even the language barriers at the risk assessment practi
and team-based decision-making characteristics of the tioner level may have contributed as well (Kogan, 2014)
risk assessor in CIP projects. The gap becomes especially in addition to decision-making biases which have con
evident in the case of the generic team-based RA deci tributed to disasters in the past like the Challenger Space
sion-making approaches which, as reported in the lit Shuttle Disaster in 1986 through confirmation bias
erature, do not readily accommodate the characteristics which allowed launching during suboptimal tempera
of complex, transnational CIP projects. tures (Murata, Nakamura, & Karwowski, 2015),
Validation through real-world examples of the pro Hurricane Katrina in 2005 where optimistic bias was
posed failure of the RA process to capture the realities of a major contributing factor to inadequate response
380 M. PAPAMICHAEL ET AL.
(Trumbo, Lueck, Marlatt, et al., 2011), and the Global focused on investigating how this process addresses
Financial Crisis in 2008 where confirmation biases led the specific CIP challenges in consideration.
to the underestimation of the risks (Shefrin, 2015). The Our study showcased that the implementation of RA
previous discussion provides the basis for the formula within the context of CIP processes has not been ade
tion of a number of fundamental research questions on quately addressed. In particular, not only is the number
the implementation of RA within the context of a CIP of publications explicitly discussing the topic limited but
process. These questions can potentially be investigated also, as showcased by our critical analysis, the imple
through future research activities on the topics consid mentation of the generic ‘gold standard’ RA process fails
ered. In particular: to capture the realities of transnational CI projects and
to recognize the full extent of the human decision-
● How do CIP risk assessors perceive the applicabil making influence on the RA process itself.
ity and relevance of the generic ISO31000 ‘gold Our study suggests that the lack of homogeneity
standard’ RA process to the implementation of across assets, stakeholders, countries, paradigms, and
the CIP RA process? people in transnational CIP environments challenges
● How are CIP risk assessors influenced by transna the existing generic RA processes. An improved,
tionalism considerations (including vulnerability, domain-specific RA process within the context of CIP,
interdependence, and governance) during the can potentially provide the framework for improved
implementation of their tasks within the context protection of CI. Nevertheless, it is evident that addi
of a CIP process? tional research work is necessary in order to better
● How are CIP risk assessors influenced by decision- understand the challenges considered.
making heuristics and biases during the implementa
tion of their tasks within the context of a CIP process?
Disclosure statement
● How do CIP risk assessors perceive the applicabil
ity and relevance of generic team-based decision- No potential conflict of interest was reported by the author(s).
making approaches to the implementation of the
CIP RA process?
Notes on contributors
● How can RA tasks which are implemented within
the context of a CIP process be improved in order to Michalis Papamichael was born in Larnaca, Cyprus, in 1964.
explicitly address the unique characteristics of CI? is a PhD Candidate in the Occupational Safety and Health
Program at the European University Cyprus. He has over 32
years’ experience in the entirety of oil and gas value chain
The development of research designs which would
(upstream, midstream, and downstream) in regional roles of
investigate the practitioners’ perception of the RA increasing accountability in the engineering, business, secur
implementation within the context of a CIP process ity, emergency management, and risk management context in
can provide the basis for addressing these questions. Europe, the UK, and the Eastern Mediterranean. In his cur
The authors of this paper are committed to further rent role, he is the regional Security and Emergency Response
investigating this topic. Manager for an oil and gas major and a member of the
company’s Global Corporate Emergency Response Team.
Michalis holds a BSc in Electrical Engineering from Brown
6. Conclusions University, USA (1988), an MBA from Brunel University, UK
(1997), and an MSc in Security and Risk Management from
The main aim of this paper was to provide the University of Leicester, UK (2014). He holds certifications
a theoretical contribution towards a better under in the Incident Command System (now part of the National
Incident Management System [NIMS] in the US), Kidnap for
standing of some of the unique challenges faced dur
Ransom incident management, the management of major
ing the implementation of RA within the context of emergencies including oil spill management, International
a CIP process. In particular, the influence of transna Ship and Port Facility Security (ISPS) Code at a Vessel,
tional considerations as well as of decision-making Company, and Facility security level, Security Consultancy,
heuristics and biases was investigated. Our study was Business Continuity and Resilience, Intelligence Analysis,
primarily based on the use of a non-systematic, nar Open-source intelligence (OSINT) analysis, and investiga
tions. He is an Honorary Research Fellow of the European
rative literature review on the implementation of RA University, Cyprus, and the co-chair of the OSAC (Overseas
tasks in CIP projects, which discussed existing works Security Advisory Council of the US State Department)
that discuss the challenges of transnationalism and Cyprus chapter.
decision-making heuristics and biases. The review Christos Dimopoulos was born in Athens in May 1973.
was supported by a critical analysis of the implemen Christos is an Associate Professor of Computer Science &
tation generic ‘gold standard’ RA process, which Engineering, and co-Director of the Centre of Excellence in
SUSTAINABLE AND RESILIENT INFRASTRUCTURE 381
Risk and Decision Sciences (CERIDES). He received his BSc Analysis: Fundamental Principles. Retrieved December 15,
degree in Automation from the Technological Educational 2021, from. https://www.sra.org/wp-content/uploads/2020/
Institute (TEI) of Piraeus. He received both his MSc and 04/SRA-Fundamental-Principles-R2.pdf
PhD degrees in Control Engineering from the University of Aven, T., Ben-Haim, Y., Andersen, H. B., Cox, T.,
Sheffield. He is a multidisciplinary researcher and practitioner Droguett, E. L., Greenberg, M., Guikema, S., Kroeger, W.,
with a significant focus in the area of Disaster Management. Renn, O., Thompson, K. M., & Zio, E. (2018). SRA glossary.
His research accomplishments include a considerable number Retrieved December 15, 2021, from. https://www.sra.org/
of refereed articles and book chapters. In 2002, he received the risk-analysis-introduction/risk-analysis-glossary/
‘Outstanding Paper of the Year Award’ by the Neural Aven, T., & Ylönen, M. (2019). The strong power of standards
Networks Council of IEEE. He is currently participating in the safety and risk fields: A threat to proper develop
(and has participated in the past) as project coordinator, ments of these fields? Reliability Engineering & System
principal investigator and research collaborator in numerous Safety, 189, 279–286. https://doi.org/10.1016/j.ress.2019.
European and Cypriot-level research projects. He has also 04.035
served as the Scientific Coordinator and Head Evaluator in Baggett, R. K., & Stout, A. L. (2022). Critical Infrastructure
multiple Civil Protection Full-Scale Exercises funded by DG- risk analysis and management. In Masys, A.J. (Eds.),
ECHO. He is the recipient of an Honorary Award by the Handbook of Security Science, (pp. 3–22). Cham: Springer
Cyprus Environmental Commissioner for providing services International Publishing. https://doi.org/10.1007/978-3-
to the Republic of Cyprus towards achieving its 319-51761-2_1-1
Environmental Targets.
Berger, T. B. (2015). Risk assessment competencies of risk
Georgios Boustras was born in Athens in May 1973. George is management professionals (in Germany). SSRN Electronic
a Professor in Risk Assessment at European University Journal. SSRN 2815654. https://doi.org/10.2139/ssrn.
Cyprus, Director of the Centre of Risk and Decision 2815654
Sciences (CERIDES - Excellence in Innovation and Birkmann, J., Feldmeyer, D., McMillan, J. M., Solecki, W.,
Technology), Visiting Researcher at the National Totin, E., Roberts, D., Trisos, C., Jamshed, A., Boyd, E., &
Observatory of Athens and Visiting Professor at University Wrathall, D. (2021). Regional clusters of vulnerability show
of Haifa. He is a Member of the EU Mission: Adaptation to the need for transboundary cooperation. Environmental
Climate Change. George is Editor-in-Chief of Safety Science Research Letters, 16(9), 094052. https://doi.org/10.1088/
(Elsevier, IF 6.392) and Member of the Editorial Board of Fire 1748-9326/ac1f43
Technology (Springer Nature) and the International Journal Blackwell, J., Tolone, W. J., Lee, S. W., Xiang, W. N., &
of Critical Infrastructure Protection (Inderscience). He (co) Marsh, L. (2009). An ontology-based approach to blind
supervises five PhD students; six of his students are now spot revelation in critical infrastructure protection planning.
PhDs. In Setola, R., Geretshuber, S. (Eds.), Critical information
infrastructure security: Third international workshop,
CRITIS 2008, Rome, Italy, October 13-15 2008 (pp. 352–
ORCID 359). Springer, Berlin, Heidelberg. https://doi.org/10.1007/
978-3-642-03552-4_34
Michalis Papamichael http://orcid.org/0009-0003-1085-
Bontempo, R. N., Bottom, W. P., & Weber, E. U. (1997).
291X
Cross‐cultural differences in risk perception: A model‐
based approach. Risk analysis, 17(4), 479–488. https://doi.
Data availability statement org/10.1111/j.1539-6924.1997.tb00888.x
Borghetti, F., Marchionni, G., Gugiatti, E., Ambrosi, C.,
Data sharing are not applicable to this article as no new data Czerski, D., & Melzi, C. (2020). Cross border critical infra
were created or analyzed in this study. structure: A new approach for the protection evaluation.
Proceedings of the 30th European Safety and Reliability
Conference and the 15th Probabilistic Safety Assessment
References and Management Conference ESREL 2020 PSAM (Vol.
Andersson, M. G., Elving, J., Nordkvist, E., Urdl, M., 15ed. pp. 21–26, Venice. June, 2020
Engblom, L., Mader, A., Ali, B., Kowalczyk, J., Lahrssen‐ Bossong, R. (2014). The European programme for the protec
Wiederholt, M., Tuominen, P., Joutsen, S., Suomi, J., tion of critical infrastructures–meta-governing a new
Mikkelä, A., Hinkka, N., Siekkinen, K.-M., der Fels‐ security problem? European Security, 23(2), 210–226.
Klerx, H. J. V., van den Borne, B., & Ali, B. (2020). https://doi.org/10.1080/09662839.2013.856307
Communication inside Risk Assessment and Risk Bowen, G. A. (2009). Document analysis as a qualitative
Management (COMRISK). EFSA Supporting Publications, research method. Qualitative Research Journal, 9(2),
17(7), 1891E. https://doi.org/10.2903/sp.efsa.2020.EN-1891 27–40. https://doi.org/10.3316/QRJ0902027
Aven, T. (2017). The flaws of the ISO 31000 conceptualisation Burgess, J. P. (2007). Social values and material threat: The
of risk. Proceedings of the Institution of Mechanical European Programme for critical infrastructure protection.
Engineers, Part O: Journal of Risk and Reliability, 231(5), International Journal of Critical Infrastructures, 3(3–4),
467–468. https://doi.org/10.1177/1748006X17690672 471–487. https://doi.org/10.1504/IJCIS.2007.014121
Aven, T., Andersen, H. B., Cox, T., Droguett, E. L., Cambridge on-line Dictionary. (2021). Transnational.
Greenbergm M., Guikema, S., Kröger, W., McComas, K., Retrieved December 3, 2021, from. https://dictionary.cam
Renn, O., M. Thompson, K., & Zio, Eet al. (2018a). Risk bridge.org/dictionary/english/transnational
382 M. PAPAMICHAEL ET AL.
Center For Homeland Defense and Security. (2020). July 2, 2021, from. https://www.eumonitor.eu/9353000/1/
Homeland Threat Assessment. Retrieved December 2, j9vvik7m1c3gyxp/vitgbgipfoqy#p3
2021, from. https://www.hsdl.org/?view&did=845195 Eusgeld, I., Nan, C., & Dietz, S. (2011). “System-of-systems”
Cianni, M., & Wnuck, D. (1997). Individual growth and team approach for interdependent critical infrastructures.
enhancement: Moving toward a new model of career Reliability Engineering & System Safety, 96(6), 679–686.
development. Academy of Management Perspectives, 11 https://doi.org/10.1016/j.ress.2010.12.010
(1), 105–115. https://doi.org/10.5465/ame.1997. Fairbrother, A., Kapustka, L. A., Williams, B. A., & Glicken, J.
9707100663 (1995). Risk assessment in practice: Success and failure.
Clemente, D. (2013). Cyber security and global interdepen Human and Ecological Risk Assessment: An International
dence: What is critical?. Chatham House, Royal Institute Journal, 1(4), 367–375. https://doi.org/10.1080/
of International Affairs. 10807039509380021
Coman, I. M. (2017). Cross-border cyber-attacks and critical Fischerkeller, M. P., & Harknett, R. J. (2017). Deterrence is not
infrastructure protection. International Journal of a credible strategy for cyberspace. Orbis, 61(3), 381–393.
Information Security and Cybercrime (IJISC), 6(2), 47–52. https://doi.org/10.1016/j.orbis.2017.05.003
https://doi.org/10.19107/IJISC.2017.02.07 Fischoff, B. (1984). Acceptable risk. Cambridge University
CORDIS. (2011). European Risk Assessment and Contingency Press.
Planning Methodologies for Interconnected energy networks Frederick, S. (2005). Cognitive reflection and decision
(EURACOM). Retrieved October 29, 2023, from. https:// making. Journal of Economic Perspectives, 19(4), 25–42.
cordis.europa.eu/article/id/89833-increasing-the-security- https://doi.org/10.1257/089533005775196732
of-europes-energy-supply Fritzon, Å., Ljungkvist, K., Boin, A., & Rhinard, M. (2007).
Dali, A., & Lajtha, C. (2012). ISO 31000 risk management - Protecting Europe’s critical infrastructures: Problems and
“The gold standard”. EDPACS, 45(5), 1–8. https://doi.org/ prospects. Journal of Contingencies and Crisis Management,
10.1080/07366981.2012.682494 15(1), 30–41. https://doi.org/10.1111/j.1468-5973.2007.
Department of Homeland Security. (2013). NIPP 2013: 00502.x
Partnering for critical infrastructure security and resilience. Gaiser, L. (2018). European critical infrastructure protection:
https://www.dhs.gov/sites/default/files/publications/ The need for a regional approach and a cyber constant
National-Infrastructure-Protection-Plan-2013-508.pdf contact strategy. National Security and the Future, 19(1–
Department of Homeland Security. (2021). Transnational 2), 45–63.
crime. (7 Dec. 2021). https://www.dhs.gov/keywords/trans Giannopoulos, G., Filippini, R., & Schimmer, M. (2012). Risk
national-crime.(Accessed assessment methodologies for Critical Infrastructure
Disco, C., & Lintsen, H. W. (1998). Het nijvere verbond. Protection. Part I: A state of the art. JRC Technical Notes,
Techniek in Nederland in de twintigste eeuw, 1 https://ris. 1(1), 1–53.
utwente.nl/ws/portalfiles/portal/134685575/lint011tech01_ Gigerenzer, G., & Todd, P. M. (1999). Simple heuristics that
01.pdf. make us smart. Oxford University Press.
ENISA. (2021). European Union Agency for Cybersecurity. Greener, S. (2018). Research limitations: The need for honesty
Retrieved April 5, 2021, from. https://www.enisa.europa.eu/ and common sense. Interactive Learning Environments, 26
Equinor. (2013). Publication of the investigation report on the (5), 567–568. https://doi.org/10.1080/10494820.2018.
in Amenas terrorist attack. Retrieved March 25, 2024, from. 1486785
https://www.equinor.com/news/archive/2013/09/12/ Greenhalgh, T., Thorne, S., & Malterud, K. (2018). Time to
12SepInAmenasreport challenge the spurious hierarchy of systematic over narra
European Commission. (2016). VITEX 2016 was the first EU- tive reviews? European Journal of Clinical Investigation, 48
Wide exercise focused on the effects of large-scale failure of (6). https://doi.org/10.1111/eci.12931
critical (electricity) infrastructure across Europe. Retrieved Hammond-Errey, M., & Ray, K. (2021). A new methodology
October 29, 2023, from. https://erncip-project.jrc.ec. for strategic assessment of transnational threats. Police
europa.eu/events/vitex-2016-was-first-eu-wide-exercise- Practice & Research, 22(1), 40–56. https://doi.org/10.1080/
focussed-effects-large-scale-failure-critical 15614263.2019.1699411
European Commission. (2019a). Commission notice - report Heino, O., Takala, A., Jukarainen, P., Kalalahti, J., Kekki, T., &
ing guidelines on disaster risk management. Art. 6(1)d of Verho, P. (2019). Critical infrastructures: The operational
decision No 1313/2013/EU (2019/C 428/07). Official environment in cases of severe disruption. Sustainability,
Journal of the European Union 20.12.2019, C 428/8-33. 11(3), 838. https://doi.org/10.3390/su11030838
European Commission. (2019b). Critical infrastructure Hermansson, H. (2012). Defending the conception of “objec
protection. Retrieved May 13, 2021, from. https://ec.europa. tive risk”. Risk Analysis: An International Journal, 32(1),
eu/jrc/en/research-topic/critical-infrastructure-protection 16–24. https://doi.org/10.1111/j.1539-6924.2011.01682.x
European Commission. (2022). Opening remarks by commis Högselius, P., Hommels, A., Kaijser, A., & Van der Vleuten, E.
sioner Johansson at the press conference on EU critical (Eds). (2013). The making of Europe’s critical infrastructure:
infrastructure resilience. Retrieved November 27, 2022, Common connections and shared vulnerabilities. Palgrave
from. https://ec.europa.eu/commission/presscorner/detail/ Macmillan, UK.
en/SPEECH_22_6265 Homeland Security. (n.d.). National infrastructure protection
European Council. (2008). Directive 2008/114 - Identification plan - risk management framework. https://www.dhs.gov/
and designation of European critical infrastructures and the xlibrary/assets/NIPP_RiskMgmt.pdf. (Accessed 12 Sept
assessment of the need to improve their protection. Retrieved 2021.
SUSTAINABLE AND RESILIENT INFRASTRUCTURE 383
Houghton, S. M., Simon, M., Aquino, K., & Goldberg, C. B. Mousavi, S., & Gigerenzer, G. (2014). Risk, uncertainty, and
(2000). No safety in numbers: Persistence of biases and heuristics. Journal of Business Research, 67(8), 1671–1678.
their effects on team risk perception and team decision https://doi.org/10.1016/j.jbusres.2014.02.013
making. Group & Organization Management, 25(4), Murata, A., Nakamura, T., & Karwowski, W. (2015). Influence
325–353. https://doi.org/10.1177/1059601100254002 of cognitive biases in distorting decision making and lead
Hutten, J. C., Van Horn, J. E., Uzieblo, K., van der ing to critical unfavorable incidents. Safety, 1(1), 44–58.
Veeken, F. C., & Bouman, Y. H. (2022). Toward a risk https://doi.org/10.3390/safety1010044
management strategy: A narrative review of methods for Pachur, T., Hertwig, R., & Steinmann, F. (2012). How do
translation of risk assessment into risk management. people judge risks: Availability heuristic, affect heuristic,
Journal of Forensic Psychology Research and Practice, or both? Journal of Experimental Psychology: Applied, 18(3),
22(5), 444–469. https://doi.org/10.1080/24732850.2021. 314. https://doi.org/10.1037/a0028279
2013359 Pidgeon, N., & O’Leary, M. (2000). Man-made disasters: Why
Institute of Strategic Risk Management. (2023). ISRM amenas technology and organizations (sometimes) fail. Safety
case study. Retrieved March 25, 2024, from. https://www. Science, 34(1–3), 15–30. https://doi.org/10.1016/S0925-
theisrm.org/en/amenas-case-study 7535(00)00004-7
Jasanoff, S. (1991). Cross-national differences in policy Poljanšek, K., Casajus Valles, A., Marin Ferrer, M., De
implementation. Evaluation Review, 15(1), 103–119. Jager, A., Dottori, F., Galbusera, L., Garcia Puerta, B.,
https://doi.org/10.1177/0193841X9101500106 Giannopoulos, G., Girgin, S., Hernandez Ceballos, M.,
Kahneman, D., & Tversky, A. (1982). The psychology of Iurlaro, G., Karlos, V., Krausmann, E., Larcher, M.,
preferences. Scientific American, 246(1), 160–173. https:// Lequarre, A., Theocharidou, M., Montero Prieto, M.,
doi.org/10.1038/scientificamerican0182-160 Naumann, G., Necci, A., Salamon, P., Sangiorgi, M.,
Klaver, M. H. A., Luiijf, H. A. M., Nieuwenhuijs, A. H., Raposo De M. Do N. E S. De Sotto Mayor, M., Trueba
Cavenne, F., Ulisse, A., & Bridegeman, G. (2008). Alonso, C., Tsionis, G., Vogt, J. & Wood, M. (2019).
European risk assessment methodology for critical Recommendations for national risk assessment for disaster
infrastructures. 2008 First International Conference on risk management in EU. Publications Office of the
Infrastructure Systems and Services: Building Networks for European Union, Luxembourg. https://doi.org/10.2760/
a Brighter Future (INFRA) (pp. 1–5). Rotterdam, 147842JRC114650
Netrherlands: IEEE. https://doi.org/10.1109/infra.2008. Pursiainen, C., & Kytömaa, E. (2023). From European critical
infrastructure protection to the resilience of European cri
5439614 .
tical entities: What does it mean? Sustainable and Resilient
Kogan, E. (2014). Expert opinion - trilateral military and energy
Infrastructure, 8(sup1), 85–101. https://doi.org/10.1080/
security co-operation: Reactions from Moscow and
23789689.2022.2128562
Washington, Georgian foundation for strategic and interna
Pursiainen, C., & Rød, B. (2021). National disaster risk assess
tional studies. Retrieved May 31, 2022, from. https://gfsis.org.
ments in Europe. How comparable are they and why? Risk,
ge/files/library/opinion-papers/17-expert-opinion-eng.pdf
Hazards & Crisis in Public Policy, 12(2), 194–214. https://
Lambrechts, D., & Blomquist, L. B. (2017). Political–security
doi.org/10.1002/rhc3.12215
risk in the oil and gas industry: The impact of terrorism on
Reid, S. G. (2000). Acceptable risk criteria. Progress in
risk management and mitigation. Journal of Risk Research,
Structural Engineering and Materials, 2(2), 254–262.
20(10), 1320–1337. https://doi.org/10.1080/13669877.2016.
https://doi.org/10.1002/1528-2716(200004/06)2:2<254:
1153502 AID-PSE30>3.0.CO;2-K
Lazari, A. (2014). European critical infrastructure protection. Renda, A., & Haemmerli, B. (2010). Protecting critical infra
Springer International Publishing. structure in the EU: CEPS task force report. Retrieved
Lee, R. (2015). Closing the case on the reported 2008 Russian October 22, 2021, from. https://www.ceps.eu/ceps-
cyber attack on the BTC pipeline June 15, 2015. Retrieved publications/protecting-critical-infrastructure-eu/,2010
March 26, 2024, from. https://www.sans.org/blog/closing- Rinaldi, S. M., Peerenboom, J. P., & Kelly, T. K. (2001).
the-case-on-the-reported-2008-russian-cyber-attack-on- Identifying, understanding, and analyzing critical infra
the-btc-pipeline/ structure interdependencies. IEEE Control Systems
Lidskog, R., Soneryd, L., Uggla, Y., & Irwin, A. (2009). Magazine, 21(6), 11–25.
Transboundary risk governance. Routledge. Rød, B., Lange, D., Theocharidou, M., & Pursiainen, C.
Linnerooth-Bayer, J., & Sjostedt, G. (Eds.). (2010). (2020). From risk management to resilience management
Transboundary risk management. Routledge. in critical infrastructure. Journal of Management in
Luiijf, E., & Klaver, M. (2021). Analysis and lessons identified Engineering, 36(4), 04020039. https://doi.org/10.1061/
on critical infrastructures and dependencies from an (ASCE)ME.1943-5479.0000795
empirical data set. International Journal of Critical Roe, E., & Schulman, P. R. (2018). A reliability & risk
Infrastructure Protection, 35, 100471. https://doi.org/10. framework for the assessment and management of sys
1016/j.ijcip.2021.100471 tem risks in critical infrastructures with central control
Lyon, B. K., & Hollcroft, B. (2012). Risk Assessments. rooms. Safety Science, 110, 80–88. https://doi.org/10.
Professional Safety, 57(12), 28–34. 1016/j.ssci.2017.09.003
May, P. J., & Koski, C. (2013). Addressing public risks: Extreme Rohrmann, B. (2000). Cross-cultural studies on the percep
events and critical infrastructures. Review of Policy Research, tion and evaluation of hazards. In: Renn, O., Rohrmann, B.
30(2), 139–159. https://doi.org/10.1111/ropr.12012 (Eds.), Cross-Cultural Risk Perception. Technology, Risk,
384 M. PAPAMICHAEL ET AL.
and Society (pp. 103–143). Springer, Boston, MA. https:// Sonesson, T. R., Johansson, J., & Cedergren, A. (2021).
doi.org/10.1007/978-1-4757-4891-8_3 Governance and interdependencies of critical infrastruc
Sachs, M. (2022). Reflections on executive order 13010. tures: Exploring mechanisms for cross-sector resilience.
Retrieved October 9, 2022, from. https://mccrary.auburn. Safety Science, 142, 105383. https://doi.org/10.1016/j.ssci.
edu/work/insights/reflections-on-executive-order-13010/ 2021.105383
Schäferhoff, M., Campe, S., & Kaan, C. (2009). Transnational Starr, S. & Cornell, S. (2005). The baku-tbilisi-ceyhan pipeline:
public-private partnerships in international relations: Oil window to the west. Central Asia-Caucasus Institute &
Making sense of concepts, research frameworks, and Silk Road Studies Program. (Accessed 20 September.
results. International Studies Review, 11(3), 451–474. https://www.silkroadstudies.org/resources/pdf/
https://doi.org/10.1111/j.1468-2486.2009.00869.x Monographs/2005_01_MONO_Starr-Cornell_BTC-
Schwenk, C. H. (1986). Information, cognitive biases, and com Pipeline.pdf
mitment to a course of action. Academy of Management Statoil. (2013). The in Amenas report, report on the investiga
Review, 11(2), 298–310. https://doi.org/10.2307/258461 tion into the terrorist attack on in Amenas. Prepared for
Shefrin, H. (2015). How psychological pitfalls generated the statoil ASA’s board of directors. Retrieved March 25, 2024,
global financial crisis. In Laurence B. S (Ed.), The Routledge from. https://www.equinor.com/news/archive/2013/09/12/
companion to strategic risk management (pp. 289–315). downloads/In%20Amenas%20report.pdf
Routledge. Stockton, P., & Roberts, P. (2008). Findings from the Forum on
Skagerlund, K., Forsblad, M., Slovic, P., & Västfjäll, D. (2020). Homeland Security after the Bush Administration: Next steps
The affect heuristic and risk perception–stability across in building unity of effort. Homeland Security Affairs, 4(2).
elicitation methods and individual cognitive abilities. Article 4 (June 2008). https://www.hsaj.org/articles/121
Frontiers in Psychology, 11, 970. https://doi.org/10.3389/ Sunstein, C. R. (2005). Precautions against what? the avail
fpsyg.2020.00970 ability heuristic and cross-cultural risk perception. SSRN
Skogstad, G. (2003). Legitimacy and/or policy effectiveness?: Electronic Journal, 57, 75. https://doi.org/10.2139/ssrn.
Network governance and GMO regulation in the European 578303
Union. Journal of European Public Policy, 10(3), 321–338. Theocharidou, M., & Giannopoulos, G. (2015). Risk assess
https://doi.org/10.1080/1350176032000085333 ment methodologies for critical infrastructure protection.
Part II: A new approach. Scientific and Technical Research
Slovic, P. (2000). The Perception of Risk. www.routledge.com
Reports, Report EUR 27332 EN. https://doi.org/10.2788/
Slovic, P. (2020). Risk perception and risk analysis in
621843
a hyperpartisan and virtuously violent world. Risk analysis,
Toplak, M. E., West, R. F., & Stanovich, K. E. (2011). The
40(S1), 2231–2239. https://doi.org/10.1111/risa.13606
cognitive reflection test as a predictor of performance on
Slovic, P., Baruch Fischhoff, B., & Lichtenstein, S. (1979).
heuristics-and-biases tasks. Memory & Cognition, 39(7),
Rating the Risks. Environment: Science and Policy for
1275–1289. https://doi.org/10.3758/s13421-011-0104-1
Sustainable Development, 21(3), 14–39. https://doi.org/10.
Trumbo, C., Lueck, M., Marlatt, H., & Peek, L. (2011). The
1080/00139157.1979.9933091
effect of proximity to Hurricanes Katrina and Rita on sub
Slovic, P., Finucane, M. L., Peters, E., & MacGregor, D. G.
sequent hurricane outlook and optimistic bias. Risk
(2004). Risk as analysis and risk as feelings: Some thoughts Analysis: An International Journal, 31(12), 1907–1918.
about affect, reason, risk, and rationality. Risk Analysis, 24 https://doi.org/10.1111/j.1539-6924.2011.01633.x
(2), 311–322. https://doi.org/10.1111/j.0272-4332.2004. Tversky, A., & Kahneman, D. (1973). Availability: A heuristic
00433.x for judging frequency and probability. Cognitive
Slovic, P., Finucane, M. L., Peters, E., & MacGregor, D. G. Psychology, 5(2), 207–232. https://doi.org/10.1016/0010-
(2007). The affect heuristic. European Journal of 0285(73)90033-9
Operational Research, 177(3), 1333–1352. https://doi.org/ Tversky, A., & Kahneman, D. (1974). Judgment under uncer
10.1016/j.ejor.2005.04.006 tainty: Heuristics and biases: Biases in judgments reveal
Slovic, P., Fischhoff, B., & Lichtenstein, S. (1981). Rating the some heuristics of thinking under uncertainty. Science,
Risks. In Y. Y. Haimes (Ed.), Risk/Benefit analysis in water 185(4157), 1124–1131. https://doi.org/10.1126/science.
resources planning and management (pp. 193–217). 185.4157.1124
Springer. https://doi.org/10.1007/978-1-4899-2168-0_17 Ulusan, A., Ergun, O., & He, Z. (2018). Restoration of services
Slovic, P., Fischhoff, B., & Lichtenstein, S. (1982). Why study in disrupted infrastructure systems: A network science
risk perception? Risk analysis, 2(2), 83–93. https://doi.org/ approach. Public Library of Science ONE, 13(2), e0192272.
10.1111/j.1539-6924.1982.tb01369.x https://doi.org/10.1371/journal.pone.0192272
Slovic, P., Layman, M., & Flynn, J. H. (1991). Risk perception, US Congress. (2021). Public law 107-56 uniting and strength
trust, and nuclear waste: Lessons from Yucca Mountain. ening America by providing appropriate tools required to
Environment: Science and Policy for Sustainable intercept and obstruct terrorism (USA Patriot Act) Act of
Development, 33(3), 6–30. https://doi.org/10.1080/ 2001. Retrieved October 23, 2021, from. https://www.con
00139157.1991.9931375 gress.gov/107/plaws/publ56/PLAW-107publ56.pdf
Sofaer, A. D., & Goodman, S. E. (2001). Cyber crime and US Election Assistance Commission. (2017). History of critical
security. The transnational dimension. In A.D. Sofaer & S. Infrastructure designation. Retrieved October 23, 2021,
E. Goodman (Eds), The Transnational Dimension of Cyber- from. https://www.eac.gov/ci-scoop-history-of-critical-
Crime and Terrorism, (pp. 1–34). Hoover Institution Press. infrastructure-designation
https://onlinebooks.library.upenn.edu/webbin/metabook? Van der Vleuten, E., & Disco, C. (2004). Water wizards:
id=hoovercyber . Reshaping wet nature and society. History and
SUSTAINABLE AND RESILIENT INFRASTRUCTURE 385