Performing risk assessment for critical infrastructure protection: an investigation of transnational challenges and human decision-making considerations

ABSTRACT

This paper investigates the influence of transnational challenges and decision-making heuristics and biases on the implementation of risk assessment (RA) process in the context of Critical Infrastructure Protection (CIP). The investigation, which is based on a review of existing literature and a critical analysis of the ISO31000:2018 process, suggests that contemporary RA models and processes fail to adequately consider the domain-based characteristics of transnational Critical Infrastructure (CI) characteristics. They also fail to recognize the full extent of the human decision-making influence on the RA process itself, as well as the relative lack of homogeneity across assets, stakeholders, countries, paradigms, and people in transnational CI environments. The findings from this work provide a theoretical contribution towards a better understanding of the complexities introduced by the transnational nature of CIP and the effect of human decision-making. They can provide the impetus for further research in the fields of CIP and RA.

KEYWORDS:

• Risk
• critical infrastructure
• protection
• heuristics
• biases

1. Introduction

The concept and importance of CI-acquired prominence in our societies during the last decades of the twentieth Century. The worldwide interest in the protection of CI was triggered by headlining events such as the attacks on New York City’s World Trade Center towers in February 1993, the 1994 cyber-attacks against US Air Force systems at Rome Labs, and the 2004 al Qaeda train attacks in Madrid, Spain (Renda & Haemmerli, 2010; Sachs, 2022). CIs are characterized by their complex structure and their strong impact on all aspects of society. The first formal definition of the concept appeared in 1996 with President Clinton’s Executive Order 13,010 (US Election Assistance Commission, 2017). Since then, CI-related definitions appear to be in a perpetual advancement and improvement mode. For the purpose of the discussion presented in this paper, an adapted version of the European Critical Infrastructure (ECI) definition, infused with asset-level specifics from the Patriot Act (US Congress, 2021), has been adopted. Specifically, CIs are defined as ’Systems and assets or part thereof, whether physical or virtual, located in any group of nations or states whose disruption or destruction would have a significant impact on at least two group member nations or states.’

The risk management process which relates to the capacity of an entity to adequately prepare for and respond to serious incidents that involve the CI of a region or nation (European Council, 2008; White House, 1998) is commonly identified as the Critical Infrastructure Protection (CIP) Process. RA is at the heart of a CIP process given its role in the identification of threats, the assessment of vulnerabilities, and the evaluation of the impact on assets and systems (Giannopoulos, Filippini, & Schimmer, 2012). A characteristic example of such a process is the Risk Management Framework of the National Infrastructure Protection Plan (NIPP) developed by the Department of Homeland Security in the US, as depicted in Figure 1 (Homeland Security, nd).

Figure 1. Critical Infrastructure Protection Process.

Source: Homeland Security, nd

A multitude of RA methodologies have already been developed within the specific context of the CIP process; however, there is a significant differentiation in their scope of methodology, target audience, and domain of applicability. As a general framework, the established approach of the ISO31000 risk management framework (Rød, Lange, Theocharidou, et al., 2020) is being followed. This ‘gold standard’ (Figure 2), which is widely accepted around the world by most G20 countries, provides the principles, an overarching framework, and the process for managing risk (Dali & Lajtha, 2012). The standard is not welcomed by everyone in the academic community, with critics citing the lack of a solid conceptual framework for risk management and the absence of scientific justification (Aven, 2017; Aven & Ylönen, 2019). Despite such criticisms, it forms the backbone of the EU/US RA processes (European Commission, 2019a).

Figure 2. ISO 31,000 risk management process.

Source: Pursiainen and Rød (2021)

Despite the use of standardized RA frameworks for CIP, there are frequent failures in their implementation with significant societal cost associated with them. Typical examples include the Yucca Mountain nuclear waste project which cost the US Government in excess of $13 billion US Dollars (Slovic, Layman, & Flynn, 1991), and the Bhopal disaster for which the death toll is estimated to be in the region of 16.000 deaths in addition to 558,125 injuries (Varma & Varma, 2005). These failures provide clear indications of the significant challenges faced during the implementation of the CIP process. For the purpose of the discussion and analysis presented in this paper, we can categorize these challenges into two main types:

• Domain-based (CIP) challenges: The environment within which each RA process is taking place is unique in nature and is significantly affected by the domain characteristics of the CIP case considered. While these challenges vary greatly between each individual case, the EU region represents a prime example of the challenges which could potentially be faced: absence of a single hands-on government and the existence of a multitude of borders and legal frameworks (Skogstad, 2003) and looser controls on framework implementation and overview (Pursiainen & Rød, 2021). While specific attempts have been made to provide a harmonized framework for National Risk Assessments (NRA) at a European level (Theoharidou & Giannopoulos, 2015), these have not been able to produce significant results due to the aversion of member states of sharing sensitive information and the lack of an entity or process to serve as the sharing ‘medium’ (Yusta, Correa, & Lacal-Arántegui, 2011).

• Horizontal RA methodological challenges and issues: There are known horizontal issues associated with the implementation of an RA process in any type of domain. Such issues may include the incomplete definition of the RA context and its objectives (Lyon & Hollcroft, 2012), the unsuitable choice of RA tools (Giannopoulos, Filippini, & Schimmer, 2012), the lack of objectivity (Hermansson, 2012), the potential failure to identify hazards and prioritize them effectively (Zio, 2016), and the inefficient communication between RA stakeholders (Andersson et al., 2020). Additional challenges include the varying perception of the severity of risk estimated by different individuals (Slovic et al., 1979), the inefficient interpretation of the information stemming from the RA process (Fairbrother et al., 1995), and the misalignment in the estimation of acceptance risk (Fischoff, 1984; Reid, 2000). On top of all these issues, a crucial horizontal challenge during the implementation of a generic RA process concerns the so-called ‘human angle’, in other words the decision-making aspects which critically affect the implementation of the CIP process and are intrinsically related to the previous challenges (Lazari, 2014).

The main aim of this paper is to provide a theoretical contribution towards a better understanding of some of the challenges faced during the implementation of the RA process within the context of the overall CIP process. It is evident that the critical analysis (in the appropriate breadth and depth) of all possible parameters which affects this process would be an impossible task within the context and the limitations of a single study. For this reason, our investigation explicitly targeted a specific challenge from each of the categories specified above, based on the following criteria:

1. A domain-based (CIP) challenge which is deemed by practitioners to be critical for the successful implementation of the RA process within the context of CIP (transnational challenges).

2. A horizontal challenge which is perceived in academic literature to be critical for the successful implementation of the RA process in any domain but has not been studied in detail within the context of the CIP domain (decision-making heuristics and biases).

An investigation of this kind, for these specific challenges, has not appeared in the CIP academic literature in the past, to the best of the authors’ knowledge. The particular objectives associated with our study are the following:

Objective 1: Investigate how transnational challenges affect the implementation of the RA process within the context of CIP.

Objective 2: Investigate how decision-making heuristics and biases affect the implementation of the RA process within the context of CIP.

Objective 3: Identify specific strengths, gaps, and opportunities in relation to the challenges identified in the previous objectives and formulate questions which will drive future research work in this domain.

A non-systematic narrative literature review of the academic and regulatory literature was conducted in order to elicit and analyze scientific and regulatory information regarding these challenges. The review is supported by a critical analysis of the ISO31000 process with regard to the way it addresses the specific challenges considered.

The rest of the paper is organized as follows: Section 2 overviews the methodology which was followed in order to carry out the study in consideration. Section 3 presents the findings of the study with regard to the way transnational challenges affect the implementation of the CIP RA process. The effect of decision-making heuristics and biases within the context of a CIP RA process is examined in Section 4. Section 5 summarizes and discusses the main results of our study with regard to its specific objectives and provides directions for future research on the topics considered. Finally, Section 6 presents the conclusions of the study.

2. Methodological considerations

A narrative review of academic and regulatory texts was carried out for the purpose of formulating a ‘… authoritative argument, based on the informed wisdom that is convincing to an audience of fellow experts’ (Greenhalgh, Thorne, & Malterud, 2018) which then facilitated the presentation of the evidence and how this was drawn upon to formulate the conclusions, synthesizing of the data from these documents (Bowen, 2009). Guidelines in (Greener, 2018) and (Hutten, Van Horn, Uzieblo, et al., 2022) were drawn upon. A structured search of documents relating to the identified research questions was carried out using Google Scholar with Boolean AND OR combinations of the search strings depicted in Table 1.

Table 1. Search Strings for the document search.

Main Keyword String
risk assessment
risk management
critical infrastructure protection
transnational critical infrastructure
transboundary critical infrastructure
interdependencies in critical infrastructure protection
risk mitigation
security
protection
performance in risk assessment/risk management
security/safety manager

The search was conducted between September 2021 and December 2022 for English-only publications. No restrictions were applied in relation to the year of publication. Screened publications themselves were a secondary source of publications through their respective referenced work which was searched manually.

Inclusion was conditioned on at least one of the three main themes of transnational challenges, the human aspect of RA, and RA performance, be explicitly or implicitly referred to in the document. Document analysis steps of skimming, (in-depth) reading, and interpretation were pursued for the purpose of identifying excerpts and learning from the papers which was then be documented in support of answering the research questions identified earlier. The method was tested by exploring mechanisms for addressing interdependency-related risk across three critical national infrastructure sectors in Sweden (Sonesson, Johansson, & Cedergren, 2021).

The narrative literature review was supported by a critical analysis of the ‘gold standard’ ISO31000:2018 RA process with regard to the way it addresses the unique transnational and decision-making characteristics of a CIP project. The analysis was based on the critical examination of the provisions of the IS031000 RA framework, as these are described in the generic RA literature and viewed within the context of unique CIP transnational and decision-making challenges.

As this study is not experimental in nature, its limitations are mainly related to the known limitations of any literature review study. It only provides a snapshot of what has currently been published in academic and regulatory literature, thus it may not adequately reflect the perception and practices of CIP practitioners. In addition, although the study followed systematic elements in its search strategy, there is always a minor possibility that a relevant work has not been identified, especially if this was presented in a conference setting. Finally, as this study is not quantitative in nature, there is a subjective element in the interpretation and analysis of the findings, especially with regard to the critical analysis process.

3. Transnational challenges in CIP

3.1. Conceptualization of transnational challenges

There have been many attempts to conceptualize the characteristic of risk which relates to the crossing of national and other borders within the context of CI. The terms ‘transnational’ (Van der Vleuten & Lagendijk, 2010b), ‘cross-border’ (Borghetti, Marchionni, Gugiatti, et al., 2020; Coman, 2017), and ‘transboundary’ (Burgess, 2007; Fritzon, Ljungkvist, Boin, et al., 2007) have been extensively used in the literature for this purpose. Whilst the terms ‘transnational’ and ‘transboundary’ could be thought of as being equivalent to some extend (Cambridge on-line Dictionary, 2021), their use as part of the overall CIP process should be viewed through the following angles:

• The term ‘transnational’ specifically alludes to a state or a nation’s boundaries which is consistent with the position expressed that a multinational environment, such as the case of the EU, would provide significant insights into the study.

• It would appear that in so far as RA is concerned, the term ‘transboundary’ is often used to refer to environmental or public health risk and of resources crossing national boundaries, such as rivers, which are outside the scope of this paper (Linnerooth-Bayer & Sjostedt, 2010; Lidskog, Soneryd, Uggla, et al., 2009).

Based on the previous considerations, it can be said that the term ‘transnational’ constitutes a valid basis for guiding the discussion which follows, however, it should be stated that the alternative terms were also explicitly considered in our analysis, wherever they appeared in the literature in the context of the topic considered.

3.2. Transnational considerations in the CIP literature

In general, it has been specifically argued that Europe’s present-day vulnerabilities reside precisely in their transnational character (Högselius, Hommels, Kaijser, et al., 2013). Despite its recognized importance, the concept of transnational challenges within the context of RA for CIP has not attracted the attention of researchers to any significant degree (Pursiainen & Rød, 2021). Some examples include the EURAM model (Klaver, Luiijf, Nieuwenhuijs, et al., 2008), the EURACOM framework (CORDIS, 2011), and numerous multi-national CI-related crisis exercises run by EU and NATO (European Commission, 2016). Similarly, regulatory efforts to address transnational considerations through enhancing the comparability of National Risk Assessments in the EU have not become influential through effectively a failure of the endeavor itself (European Commission, 2022; Pursiainen & Kytömaa, 2023; Pursiainen & Rød, 2021; European Commission 2019b). Another such example is the effort to address the comparability issue between NRAs using the CRitical Infrastructures and Systems Risk and Resilience Assessment Methodology (CRISRRAM) model (Theocharidou & Giannopoulos, 2015), which does not seem to have attracted significant attention either.

It should be stated that the concept of transnational challenges is indeed frequently considered within the context of CI literature but not in a direct manner. In particular, the following CI areas of research are naturally related to transnational considerations:

Threats to CI from foreign adversaries (Center for Homeland Defense and Security, 2020; Department of Homeland Security, 2021; Hammond-Errey & Ray, 2021): This is a common consideration in CI papers relating to countries outside of the European space, more frequently the US, Australia, and other geographies with few, if any, nation state neighbors. In this case, transnational threats and risk relate to adversaries outside the respective country’s hinterland who aim to harm CI in some way.

• Cyber threats which defy any concept of geography or border (Sofaer & Goodman, 2001; ENISA, 2021; Gaiser, 2018; Fischerkeller & Harknett, 2017): This body of work relates to cyber-type risk which is inherently transnational due to the interconnected, cross-border nature of the present-day information and communication technology infrastructure.

• Threats against physical elements of CI which span across country boundaries (Sofaer & Goodman, 2001): Research work identified in this context is more frequently seen in relation to the EU or EU member states and other countries.

In the context of this paper, the term ‘transnationalism’ will broadly ‘refer to multiple ties and interactions linking people or in situations across the borders of nation-states’ (Vertovec, 1999, p. 447) with its meaning grounded upon the distinct conceptual premises of avenue of capital and the reconstruction of ‘place’ or locality. Surprisingly, though and despite the fact that transnationalism is a domain-based concept frequently associated with CIP projects, it is not directly addressed in published studies as an integral part of the CIP process. In particular, the review of the literature did not identify frameworks which explicitly address the existence of transnational dynamics and spatial infrastructure vulnerabilities during the implementation of the CIP process. This finding creates the need for further investigation and analysis with regard to the actual need of explicitly addressing transnationalism as part of the implementation of the CIP process, as well as the potential risk posed by its non-consideration. Fortunately, academic literature provides significant evidence on this topic, as this is discussed in the following sub-section.

3.2.1. Vulnerability

Discrepancy in the interpretation of vulnerability is not uncommon, as it has been showcased in the example of the ‘European Blackout’ case (Van der Vleuten & Lagendijk, 2010a, 2010b). Assigning an estimated value to vulnerability during the risk evaluation phase of the CIP process, especially in the transnational context, is very challenging before an actual breakdown takes place. Even then, the magnitude of the disruption is influenced by mitigation measures implemented before the event. The example of the contested vulnerability of electrical power generation in the EU has prompted increasing regulating powers for the EU on the pretext of economic and sustainability arguments. That said, regulation is not always the answer given the paradox of sometimes additional CI vulnerability being produced by the very measures implemented to reduce vulnerability in the first place (Disco & Lintsen, 1998; Van der Vleuten & Disco, 2004). The piecemeal linear approach of addressing vulnerabilities in isolation on the assumption that outcomes would be aggregatable has also been challenged (Birkmann, Feldmeyer, McMillan, et al., 2021). It is proposed that the strengthening of transboundary approaches for the reduction of vulnerability in recognition of the emergence of spatial statistical hotspots as an outcome of a group of hazards rather than the influence of single hazards and yet national approaches, at least in Europe, are an outcome of the normal practice of positioning of individual countries within vulnerability rankings which, in turn, is linked to the linear RA models in use (Theocharidou & Giannopoulos, 2015). This realization discredits any RA process delving beyond the borders of a single nation if it assumes that the outcomes of a piecemeal approach to risk and vulnerability assessment could be aggregatable, rendering transnational consolidation of RAs for the purpose of CIP improbable.

3.2.2. Interdependence

The terms interdependency and dependency are often used interchangeably in the CIP literature. Dependency ‘ … is a uni-directional relationship of two infrastructures through which the state of the depending infrastructure is influenced by or is correlated to the state of the other’ and interdependency is a ’ … mutually reliant relationship between entities (objects, individuals, or groups)’ (Department of Homeland Security, 2013; Luiijf & Klaver, 2021; Rinaldi, Peerenboom, & Kelly, 2001). Both terms will be used as mentioned in the respective references for the sake of consistency.

CIs are complex, interdependent systems where a potential failure propagating among infrastructures may affect the entirety of the network. While it has been suggested that an indeterminate risk should be accepted by governments in such cases (Clemente, 2013), the CI literature is rich with attempts to pursue models and processes that address the challenge of adequately managing CI interdependency. These attempts are overwhelmingly considering the interdependency challenge solely within national borders. A typical US example is the early pioneering work of Rinaldi, Peerenboom, and Kelly (2001) who introduced the concept of infrastructures as complex adaptive systems and highlighted the challenges in developing, applying, and validating modeling and simulation methodologies for infrastructure interdependency analysis. The potential of propagation of failure of CIs and the associated cascading effects throughout the network was also discussed (Eusgeld, Nan, & Dietz, 2011); however, it is evident that such cascade effects may extend beyond the geographical borders of a nation. More recent work which takes up the challenge of looking at the issue in much broader terms ran an analysis of a unique multinational database resource of CI and Critical Information Infrastructure (CII) threats, failures, disruptions, and lost infrastructure between 2004 and 2010 (Van Eeten, Nieuwenhuijs, Luiijf, et al., 2011) and again for data collected between 2004 and 2018 (Luiijf & Klaver, 2021). Outcomes were consistent in that the analysis of trends, dependencies and common cause failure phenomena, and the improved understanding of other CI/CII related phenomena in both of these studies dictates that the pervasive web of CI/CII dependencies has the potential to cause significant damage and societal disruption and may be challenging to secure and govern (Luiijf & Klaver, 2021). Given that the research work in a transnational context would be hindered by methodological considerations such as the comparability of the results, the ambiguity of terms used in the various geographies and respective sectors, and the need for dependency analysis (Theocharidou & Giannopoulos, 2015), effective RA for a transnational system is bound even more challenging.

3.2.3. Governance

Given the complexity of CI projects, it is natural to assume that the management of a transnational CI from within national ‘silos’ can potentially introduce governance issues. Moreover, the actual delivery of governance for CI could be in doubt when national RAs are not aligned and coordinated. It is suggested that coordinated governance across a transnational CI project will face challenges if it is pursued only through the respective ‘national’ tools of each country. The EU is highlighted as a characteristic example of such challenges (Bossong, 2014). In particular, it is argued that despite the advent of sector-specific DGs (General Directorates), and the support of the Joint Research Center (JRC), its very own research unit, CI governance remains fragmented. It was suggested that these challenges can be attributed to the difficulties of managing cross-sector policy programs and the significant harmonization costs associated with the high level of regulatory and institutional diversity (May & Koski, 2013). On the project level, transnational Public Private Partnerships (PPP) remain the more prominent platform for financing and delivering CI projects although the ‘ … phenomena … range from loose cooperation forms to legally binding contracts for the implementation of specific projects’ (Schäferhoff, Campe, & Kaan, 2009, p. 6). Still, issues related to responsibilities, risk, or authorities in the partnership, differences between the partners in working methods, as well as lack of commitment from the partners, generate significant challenges to the management of CI projects (Yu, Chan, Chen, et al., 2018).

Summarizing, the analysis of the literature suggests that transnationalism can have a strong impact on the implementation of the RA process within the context of CIP, especially in terms of asset vulnerability, interdependency between elements and functions of a project across national boundaries, and governance, or absence of it thereof, in relation to the management of RA transnational elements. The implications of this finding will be further discussed in section 5 of this paper.

3.3. Influence of transnationalism in the CIP process

The need for the explicit consideration of transnationalism parameters as part of the CIP process is being extensively emphasized in academic literature. In particular, it has been argued that, within the context of CIP, the concept of transnationalism influences the implementation of RA within the context of the CIP process on a number of levels. Particular focus is given to the dimensions of vulnerability, interdependency, and governance.

Figure 3 provides the graphical framework for the facilitation of discussion regarding the potential effects of transnationalism within the context of the CIP process. In particular, the figure illustrates both the generic ‘gold standard’ ISO31000:2018 Risk Management process, as well as a generic implementation framework of the CIP process. In between them, the main transnationalism dimensions which are the focus of our discussion are showcased. Association arrows have been drawn between each of these aspects and the corresponding stages which can potentially be affected by them during the implementation of the ISO31000:2018 process (and consequently during the implementation of the CIP process), according to the academic literature.

Figure 3. The influence of transnationalism in the CIP RA process.

Figure 3 indicates that there is a strong association between the transnational dimensions in consideration and all stages of the RA implementation process within the context of the CIP process. The nature of this association is discussed in detail in the following paragraphs:

4. Decision-making challenges in CIP

4.1. Conceptualization of risk perception and of decision-making heuristics and biases

The Society for Risk Analysis (SRA) defines risk perception as a person’s subjective judgement or appraisal of risk (Aven et al., 2008). The deviation between real risk and the way it is perceived is caused by a range of affective, cognitive, contextual, and individual factors (Aven et al., 2018a). Three of these four factors stem out of the qualities of the individual. Affective factors include emotions and feelings of the person in question, while cognitive factors can include media coverage and the framing of risk information. Individual factors relate to the individual’s previous experience, age, and personality traits, while contextual factors relate to the way information is framed and the way alternative information sources are accessed.

It has been suggested that perception of risk resides within individuals sometimes as a feeling and in other instances as an appreciation of risk which is the outcome of deliberate analysis (Slovic, 2020). The assertion is that they should be looked upon as the two sides of the same coin irrespective of the disparity they represent. The same individual is also capable of all but rational decisions and judgements as influenced by their own biases and prejudices. Early research in risk perception showed that the more profound indication of risk for any given hazard is the degree to which it evokes feelings of dread and that perceived risk and benefit are inversely correlated (Slovic, Fischhoff, & Lichtenstein, 1982). Moreover, work on how individuals think, described as slow and fast modes, was subsequently shown to be indispensable to rational decision-making (Slovic, Finucane, Peters, et al., 2004, Kahneman, 2011 as referenced in; Slovic, 2020, p. 3). These decisions are said to be influenced by heuristics (Slovic, Finucane, Peters, et al., 2004).

Heuristics can be defined as the shortcuts to task complexity in judgement, and biases as the space between normative and heuristically driven behavior (Kahneman & Tversky, 1982). They are dis-optimal, imperfect, and irrational approaches to problem solving which can, nonetheless, speed up the process of finding a satisfactory solution. Heuristics have been linked to cognitive biases (Tversky & Kahneman, 1974), while pre-event predictions of behavior requiring formal modelling of the decision process are proposed (Gigerenzer & Todd, 1999). However, much as heuristics are neither always accurate nor driven by logic, they are often enough to satisfy a need and often seem to work (Mousavi & Gigerenzer, 2014). In fact, it has been shown that at least for some business situations, heuristic decision-making can be effective if some information is purposely ignored with less proving to be more under uncertainty when knowledge takes precedence over information abundance (Mousavi & Gigerenzer, 2014).

Focusing on the implementation of RA within the context of the CIP process in particular, the onus is frequently on the RA professional, the cornerstone of the RA process, whose input is prevalent at all CIP activity levels (Poljanšek, Casajus Valles, Marin Ferrer, et al., 2019) and whose judgement may be led astray by heuristic’s ability to ‘lubricate reason’ (Slovic, Finucane, Peters, et al., 2007). It has been argued that the RA professional has to make decisions during the CIP process lacking the tools and processes which can identify and address the extent of systems links across national borders and into other sectors (Pidgeon & O’Leary, 2000). The following subsection examines the use of decision-making heuristics by the RA professional within the context of the CIP process, as this has been discussed in academic literature.

4.2. Decision-making heuristics and biases in the CIP literature

As in the case for the transnationalism concept, the review of the literature provides only a limited number of direct references related to the effect of RA decision-making heuristics and biases within the specific context of the CIP process. Research work on non-CIP-specific human decision-making heuristics and biases is slightly more populus albeit with more focus on risk perception rather than RA. However, given that the ‘gold standard’ RA methodology employed during CIP is the ISO 31,000:2018 risk management process (as already discussed in section 3 of this paper), the set of decision-making heuristics which are reported in the literature to be employed during the latter process are (in principle) applicable to the CIP process as well. A brief description of these heuristics and biases, as well as their potential impact on the RA process within the context of CIP, is provided in the following paragraphs:

• The Affect Heuristic: The affect heuristic is defined as a feeling state such as happiness or sadness but also as goodness or badness, assigned to a stimulus experienced by people (Slovic, 2000). It is considered to be a prominent heuristic in relation to risk (Tversky & Kahneman, 1974). There is scientific evidence which showcases the direct influence of the affect heuristic on risk perception (Van Schaik, Renaud, Wilson, et al., 2020) and its impact on affective information to perceived-risk judgments (Pachur et al., 2012). More importantly (for the scope of this paper) it has been specifically argued in the academic literature that the affect (as well as the availability heuristic discussed later) can directly influence the CIP RA process by being a source of the so-called ‘blind-spots’ which could trigger catastrophe across CI systems (Blackwell, Tolone, Lee, et al., 2009). Interestingly, the affect heuristic might also have an effect possible team-level discussions on the risk level, which constitutes a typical case for large projects. This effect will be discussed in more detail in the following sub-sections.

• Availability Heuristic: Individuals use the heuristic of availability, a mental shortcut that bases decisions on immediate examples that come to mind, to estimate the frequency of an event or the likelihood of its occurrence by ‘the ease with which relevant instances or associations come to mind’ (Tversky & Kahneman, 1973). The availability heuristic can have a significant effect on the risk practitioner’s perception of the likelihood of an event (Slovic et al., 1981). As such, it can influence RA activities in general, and the RA activities within the context of the CIP process in process, where the team decision-making element is likely to feature (Blackwell et al., 2009; Slovic et al., 1981). The availability heuristic has been reported to explain differences in the perception of risk across groups, cultures, and even nations effectively. This finding bears additional relevance for CIP given its transnational nature (Sunstein, 2005).

• Cognitive Reflection Ability: Cognitive reflection relates to the ability or disposition to reflect on a question and resist an automatic response (Frederick, 2005; Toplak, West, & Stanovich, 2011). As such, cognitive reflection can have a potential effect to the entirety of the RA process within the context of CIP, from threat identification to the formulation of mitigation strategies. Risk professionals can be biased by the context, and the way information is presented (Berger, 2015). In addition, the strength of the inverse correlation is tied to individual cognitive abilities, with cognitive reflection ability at the forefront (Skagerlund, Forsblad, Slovic, et al., 2020). However, there are no direct references in the academic literature with regard to the implications of cognitive reflection ability for RA professionals within the CIP context.

• Cross-cultural Differences and Cultural Bias: While these concepts are not heuristics in their own right, their transnational nature can introduce biases which extend beyond the confines of a single nation. In particular, differences in risk preference between nations are associated with national culture differences in their peoples’ respective perception of risk rather than their attitudes towards perceived risk (Weber & Hsee, 1998). Studies have shown that in addition to cross-cultural disparities between professional groups within a country, there are also considerable cross-national differences in how risk is perceived (Rohrmann, 2000). In addition, a wide range of basic psychological processes have been known to be influenced by culture including the likelihood of the fundamental attribution error and probabilistic thinking (Weber & Hsee, 1998). It is therefore evident that with the multitude of national stakeholders in each of the facets of a CIP project, maintaining consistency in RA evaluations as well as a uniform risk perception across regions and states constitutes a serious challenge. Despite this, such challenges have not been considered/examined in RA literature in the context of CIP.

Summarizing, while there exists considerable literature on the effect of decision-making heuristics and biases in the generic RA process, their implication has not been adequately examined within the specific context of CIP. In particular, the review of the literature did not identify works which critically analyze the use of decision-making heuristics within the complex, transnational environment of a CIP process, as this has been unveiled in the discussion of Section 4.1. Therefore, further investigation and analysis are necessary with regard to the potential influence of decision-making heuristics and biases as part of the implementation of the CIP process, in particular. To this end, the following subsections discuss two types of decision-making dimensions which can potentially emerge during the implementation of RA within the context of CIP. The first relates to the influence of decision-making heuristics on the level of an individual professional’s risk perception (Aven et al., 2018a; Aven, Ben-Haim, Andersen, et al., 2018; Slovic, 2020) and how this may affect decisions made in the context of RA for CIP. The second relates to how a team-based RA may be influenced in the context of these decision-making heuristics (Slovic, Fischhoff, & Lichtenstein, 1982; Slovic et al., 2004), viewed within the context of RA professionals employed in mass for a CIP project.

4.3. Influence of decision-making heuristics in the cip process (individual level)

Human input is apparent in all phases of the CIP process (Figure 4), including the actual RA activity, the training to build the necessary RA expertise, including the evolution of requirements stemming from CI system adaptivity and the assessment of relevant capabilities. The identification and selection of the specific CI to be included in any analysis and the very definition of what constitutes a CI are looked upon differently between policymakers and operators which emphasizes the value of the individual in the process (Poljanšek et al., 2019).

Figure 4. The influence of decision-making heuristics in the CIP RA Process (individual level).

Human input is apparent in all phases of the RA process and beyond; the actual RA activity, the training to build the necessary RA expertise, including the evolution of requirements stemming from CI system adaptivity and the assessment of said capabilities.

The practitioner is effectively the cornerstone of the RA process within the context of CIP. Knowledge and expertise in this respect needs to be built. Poljanšek, Casajus Valles, Marin Ferrer, et al. (2019) have shown that continuously assessing one’s risk management capability can be a significant driver to the development of those capabilities. One common characteristic of CI is that they are complex adaptive systems (CAS) in that their many constituent elements affect the overall system as a result of the respective learning processes over time; transformers and battery systems degrade over time, pipelines rust and age, the operating team improves in their adaptation and ability to manage the system over time (Rinaldi, Peerenboom, & Kelly, 2001). The importance of this in the context of the paper is the need for individuals engaged in RA for CIP to recognize in their decision-making activities the inherent nature of CI and their emergent behaviors in this respect in terms of risk and its assessment thereof, but also in terms of possible interdependencies between systems and elements of infrastructure.

Figure 4 provides a graphical framework of an individual’s decision-making aspects as these are perceived during the implementation of the ‘gold standard’ ISO31000:2018 RA process and the RA process within the context of the CIP. Looking deeper into this framework, based on what has been published in academic literature, it can be said that CIP-specific RA models in use are not unlike generic RA models as attested by the convergence in their linear approach to process, and their likeness to the ISO 31,000:2018 standard. In this respect, decision-making heuristics and biases particular to RA are also relevant to CIP. Such associations can be found between the process of risk perception and the affect and availability heuristics (Pachur, Hertwig, & Steinmann, 2012; Sunstein, 2005; Van Schaik, Renaud, Wilson, et al., 2020), between the entire RA process and the cognitive reflection ability (Berger, 2015; Skagerlund, Forsblad, Slovic, et al., 2020), and between the perceived severity of risk and the cross-national differences and cultural biases (Bontempo, Bottom, & Weber, 1997; Jasanoff, 1991; Sunstein, 2005).

However, it is of critical importance to state that the unique nature of a CI project introduces additional challenges to the implementation of the RA process in relation to the characteristics in consideration. This relates to the increased complexity of CI projects in relation to non-CI projects (Ulusan, Ergun, & He, 2018), even if not transnational, which requires an enlarged pool of RA professionals to cover the increased scope which, in turn, introduces additional heuristic decision-making challenges. In addition, the transnational nature of CI projects (Heino, Takala, Jukarainen, et al., 2019), which necessitates the ability to define issues across geographical boundaries, can be the source of an enlarged scope for RA with additional risk professionals contributing from different geographies and countries, a multi-faceted regulatory framework, and an increased stakeholder population. This will invariably lead to additional scope and complexity, through sheer size, in identifying and addressing decision-making heuristics and biases, transnational vulnerabilities, and regulation streamlining and coordination issues, such as reliability and safety standards, across the larger footprint of the project (Roe & Schulman, 2018).

4.4. Influence of decision-making heuristics in the cip process (team level)

The team-based approach to decision-making has been suggested as a remedy to decision-making heuristic deficiencies as it may attenuate cognitive biases (Cianni & Wnuck, 1997). However, it has been argued that teams might also be inclined towards similar information-processing biases (Schwenk, 1986). Moreover, it is reported that these teams often use the same ‘rules of thumb’ individuals use to process information, invariably leading to similar errors in judgement (Houghton, Simon, Aquino, et al., 2000).

The RA literature predominantly discusses the optimal formation of a decision-making team rather than its decision-making characteristics, including the existence of heuristics and biases. A typical example is the proposed ‘high-functioning risk team’ approach, which has actually been suggested for the case of CIP projects, without providing any further details on the suitability of this approach for the particular domain (Baggett & Stout, 2022). Alternative team-based approaches which can potentially be relevant to the CIP process include the ‘unity of effort’ approach (Baggett & Stout, 2022; Stockton & Roberts, 2008), which constitutes one of the key tenants of RA, ensuring a consistent approach by all stakeholders for maximum effectiveness. This approach calls for the selection of a team from both internal and external stakeholders, supervisory, and line, who would need to be trained in RA methods. Another example is the ‘red-team’ approach to critical operations (Veland & Aven, 2015) where the RA is carried out by two different teams and where the external team subsequently challenges the self-evaluation of the internal analyst team, and both eventually work together for a final consensus, while group decision-making sessions using the Delphi method and sources of knowledge, such as risk-event histories, during the RA process are also proposed (Yildiz, Dikmen, & Birgonul, 2014).

Based on the previous, Figure 5 provides a graphical framework of the team’s decision-making aspects as these are perceived during the implementation of the RA process within the context of the CIP. What can be deduced from this framework is that all team decision-making approaches discussed above fail to address the added complexity and enlarged scope which CIP brings about. Specifically, beyond the actual composition of the decision-making team, the sheer size of a CI project introduces added complexity (Heino, Takala, Jukarainen, et al., 2019). Transnational-driven issues of vulnerability, interdependence and governance and decision-making heuristics were shown to influence the CIP process, with the latter being additionally challenged by a transnational-team or team-of-teams approach to RA, given the much wider scope of CI (Ulusan, Ergun, & He, 2018) and their inherent structural and dynamic complexities (Zio, 2016).

Figure 5. The influence of decision-making heuristics in the CIP RA Process (team level).

Summarizing, much as there are not many studies discussing and analyzing the team-level decision-making characteristics of the RA process within the context of CIP, there are advocates of the team-based approach in the literature, as seen in this section. However, what is advocated remains at a high-level and does not specifically prescribe how the team will function together nor how practitioner characteristics will be prevented from influencing local and indeed regional RA work.

5. Discussion

The concept and importance of CI, as well as its protection (CIP), acquired prominence in our societies during the last decades of the twentieth Century following numerous high-profile terrorist attacks (Renda & Haemmerli, 2010; Sachs, 2022). RA is at the heart of this CIP risk management process which relates to the capacity of an entity to adequately prepare for and respond to such serious incidents. The information presented and the analysis of the previous sections indicates that the RA models employed within the context of CIP-specific are similar to generic RA models as they converge in their linear approach to process and are largely based on the ISO 31,000:2018 ‘gold standard’.

Our study investigated whether this standardized approach would actually ‘fit’ for the case of CIP, or if there are CIP-specific considerations (‘challenges’) which are potentially not adequately addressed by the use of the ‘gold standard’ approach to the RA implementation within the context of CIP. As discussed in the introductory section, two particular ‘challenges’ were investigated for their influence on the implementation of the CIP RA process. In particular, the influence of the transnationalism dimension, which is a CIP-specific challenge, and also the use of decision-making heuristics and biases, which is a horizontal RA challenge. A narrative literature review was employed in order to identify relevant information which has been published in academic literature. Given the limited amount of research which has been conducted on these topics (from the CIP perspective), our study also considered academic research works from the generic RA literature and showcased how the CIP process can potentially be affected by the two main challenges in consideration.

Given the objectives of the study which were presented in the introductory section of this paper, the main findings of the study are presented below:

Objective 1: Investigate how the concept of transnationalism currently affects the implementation of the RA process within the context of CIP.

Conceptualizing transnationalism in its own merit is not a straightforward task, as evidenced by the discussion in section 3.1. It does, however, constitute an extensively researched notion albeit in isolation of the RA practitioner, employed by practitioners within the context of CIP due to its perceived importance. For this reason, the apparent lack of studies which explicitly consider transnationalism as an integral part of the CIP RA process specifically and have developed appropriate tools to this end at the RA practitioner level, was a rather unexpected, but a very important finding of our study.

Naturally, the study extended to the potential influence of some principal dimensions of transnationalism on the RA process within the context of CIP. In particular, the dimensions of vulnerability, interdependency, and governance were investigated, based on what has been published in the generic RA literature, as well as on the theoretical foundations of the CIP process. What was evidenced is that the transnational complexity of CIP projects can potentially render the use of generic linear RA models ineffective within the context of CIP. In particular:

• Vulnerability assessments in a transnational setting become very complex, rendering tasks such as the aggregation of risk in some cross-border or cross-regional cases close to impossible.

• The interdependencies across multiple assets and borders, as well as the possible propagation of failure of CI and the associated cascading effects become even more difficult to fathom, document, and subsequently manage.

• Governance issues related to responsibilities, risk, or authorities in the partnership of CI, generate significant challenges to their management but also increase the cost of harmonization given the higher level of regulatory and institutional diversity.

Finally, it should be noted that the previous findings should also be viewed within the context of the added risk and difficulties introduced by PPP structures, a prominent platform for delivering CI, and by the increase of the number of CI stakeholders from across different national and international boundaries.

Objective 2: Investigate how various decision-making heuristics and biases currently affect the implementation of the RA process within the context of CIP.

The fact that human decision-making (both on the individual and the team level) is affected by heuristics and biases has been well discussed in academic literature. In the domain of RA in particular, the impact of decision-making heuristics on the professional’s perception of risk is a significant consideration. The limited literature discussing the effect of decision-making heuristics and biases in RA within the context of the CIP process was therefore the second unexpected and important finding of this study.

Naturally, a further investigation was conducted on the potential influence of specific decision-making heuristics and biases on the CIP RA process (both from the individual and the team perspective), based on the findings of the generic RA literature and the theoretical foundations of the CIP process. The heuristics and biases investigated were the affect and availability heuristics, the cognitive reflection ability, as well as the cross-national and cultural differences. While it became evident from our investigation that these heuristics and biases are naturally relevant to the implementation of the entire RA process within the context of the CIP, our study also suggests that their influence on the CIP RA process should be viewed within the following context:

• CI is complex adaptive systems; therefore, the inherent nature of CI and their respective emergent behaviors can have a significant influence on the decision-making activities during the CIP RA process.

• The cross-national differences and the cultural biases are amplified within the context of a transnational CIP project, potentially affecting the perceived severity of risk across borders.

• The CIP domain-specific concept of transnationalism (which has been discussed in detail in section 3 of this document) provides an additional layer of complexity in addressing decision-making heuristics and biases of the individual decision-maker.

• While generic RA team-based decision-making approaches which appear in the literature are potentially applicable to the CIP RA process, these can be challenged by the much wider scope of a CI project (in relation to simple generic RA processes) and the well-documented structural and dynamic complexities of a CIP project and the consistency of CIP RA evaluations.

Based on the previous, one of the most interesting findings of our study is related to the fact that the approach to the two ‘challenges’ originally selected for independent investigation (transnationalism and decision-making heuristics and biases) ‘converge’ in their linear approach to process during the analysis of the RA CIP literature. This finding showcases the need for further investigation of the topics considered, as this is discussed in the following paragraph.

Objective 3: Identify specific gaps and opportunities in relation to the challenges outlined in the previous objectives and formulate questions which will drive future research work in this domain.

The findings of this study which were discussed within the context of study objectives 1 and 2 provide a convenient basis for the identification of the main gaps which currently exist in the literature. In general, it can be said that academic studies related to the analysis of the overall RA process within the specific context of CIP have been limited. Naturally, this means that studies for specific RA considerations within the context of CIP, such as transnational considerations and decision-making heuristics and biases would also be limited. However, what was rather unexpected (as discussed in the previous paragraphs) was not only the fact that the number of studies on these particular considerations was very low but also the observation that the limited attempts which have appeared in the literature have not seemed to trigger the implementation of further research work on their analysis. This gap is especially important when viewed under the analysis presented in this paper (sections 3.3 and 4.3), which showcased how the CIP RA process can potentially be affected by these unique challenges.

Looking into the gaps identified for the transnationalism challenge in particular, it can be said that there is a need to analyze in depth the process of aggregating risk across CI during a vulnerability assessment of a transnational CIP project. Current RA models do not accommodate this calculation, and it is not readily obvious how this process should be performed. At the same time, there seem to be no models available which allow the assessment of cascading effects of a CI failure on transnational, interdependent CIP projects. Last but not least, there is a gap in the investigation of the effects of governance issues on the implementation of the CIP RA process in transnational projects.

Challenges and issues have also been identified based on the analysis of decision-making heuristics and biases during the implementation of the CIP RA process. The horizontal RA nature of these challenges means that models and procedures do exist in the literature which provide solid frameworks for their analysis. However, once the specific characteristics which underline the unique nature of the CIP process are considered (complexity of the adaptive system, transnationalism), our analysis showcases that current approaches might be ineffective in modelling and managing the individual and team-based decision-making characteristics of the risk assessor in CIP projects. The gap becomes especially evident in the case of the generic team-based RA decision-making approaches which, as reported in the literature, do not readily accommodate the characteristics of complex, transnational CIP projects.

Validation through real-world examples of the proposed failure of the RA process to capture the realities of transnational CI projects and to recognize the full extent of the human decision-making influence on the RA process itself can only be the outcome of thorough analysis of numerous case studies. Whilst this cannot be possible in a paper of this nature given the restrictive word-count limitation, two CI examples portray signs of these traits.

The first example relates to the 2013 terrorist attack at the Statoil In Amenas gas facility in Algeria. An investigation into the attack (Equinor, 2013) whose purpose was to clarify the chain of events and to facilitate learning and further improvements within risk assessment, security, and emergency preparedness revealed a number of security vulnerabilities and shortcomings stemming from a combination of a number of factors including the project’s transnational nature. Concerns were raised in reference to the scope of the risk assessment at the terminal for failing to capture and consider the significance of regional geopolitical events and their potential impact (Institute of Strategic Risk Management, 2023). Risk Assessment activity was ‘split’ between Statoil’s Algiers office with emergency response plans influenced by the experience in Egypt and Libya, the London office, and company headquarters in Norway with stakeholders spread across geographies, businesses, and functions (Statoil, 2013). In fact, Lambrechts and Blomquist (2017) suggest that Statoil lacked a holistic approach to risk management, with political risk seen as a public relations issue and security risk normally outsourced.

The second relates to the BTC (Baku-Tbilisi-Ceyhan) pipeline and the RA failings that supposedly led to the attack in 2008, although the accuracy of the cyber-attack report itself has been questioned (Lee, 2015). These failings suggest that actual security infrastructure and the socio-political risks may not have been adequately addressed. This may be an outcome of the transnational nature of the project which led to differing levels of activity at the national, tri-party, and regional levels for delivering protection (Starr & Cornell, 2005), non-aligned regional and local cooperation fora, and ad hoc geographical security alliances beyond the tri-party organization involving subsets of the BTC consortium state players and other regional states. Furthermore, even the language barriers at the risk assessment practitioner level may have contributed as well (Kogan, 2014) in addition to decision-making biases which have contributed to disasters in the past like the Challenger Space Shuttle Disaster in 1986 through confirmation bias which allowed launching during suboptimal temperatures (Murata, Nakamura, & Karwowski, 2015), Hurricane Katrina in 2005 where optimistic bias was a major contributing factor to inadequate response (Trumbo, Lueck, Marlatt, et al., 2011), and the Global Financial Crisis in 2008 where confirmation biases led to the underestimation of the risks (Shefrin, 2015). The previous discussion provides the basis for the formulation of a number of fundamental research questions on the implementation of RA within the context of a CIP process. These questions can potentially be investigated through future research activities on the topics considered. In particular:

• How do CIP risk assessors perceive the applicability and relevance of the generic ISO31000 ‘gold standard’ RA process to the implementation of the CIP RA process?

• How are CIP risk assessors influenced by transnationalism considerations (including vulnerability, interdependence, and governance) during the implementation of their tasks within the context of a CIP process?

• How are CIP risk assessors influenced by decision-making heuristics and biases during the implementation of their tasks within the context of a CIP process?

• How do CIP risk assessors perceive the applicability and relevance of generic team-based decision-making approaches to the implementation of the CIP RA process?

• How can RA tasks which are implemented within the context of a CIP process be improved in order to explicitly address the unique characteristics of CI?

The development of research designs which would investigate the practitioners’ perception of the RA implementation within the context of a CIP process can provide the basis for addressing these questions. The authors of this paper are committed to further investigating this topic.

6. Conclusions

The main aim of this paper was to provide a theoretical contribution towards a better understanding of some of the unique challenges faced during the implementation of RA within the context of a CIP process. In particular, the influence of transnational considerations as well as of decision-making heuristics and biases was investigated. Our study was primarily based on the use of a non-systematic, narrative literature review on the implementation of RA tasks in CIP projects, which discussed existing works that discuss the challenges of transnationalism and decision-making heuristics and biases. The review was supported by a critical analysis of the implementation generic ‘gold standard’ RA process, which focused on investigating how this process addresses the specific CIP challenges in consideration.

Our study showcased that the implementation of RA within the context of CIP processes has not been adequately addressed. In particular, not only is the number of publications explicitly discussing the topic limited but also, as showcased by our critical analysis, the implementation of the generic ‘gold standard’ RA process fails to capture the realities of transnational CI projects and to recognize the full extent of the human decision-making influence on the RA process itself.

Our study suggests that the lack of homogeneity across assets, stakeholders, countries, paradigms, and people in transnational CIP environments challenges the existing generic RA processes. An improved, domain-specific RA process within the context of CIP, can potentially provide the framework for improved protection of CI. Nevertheless, it is evident that additional research work is necessary in order to better understand the challenges considered.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Data availability statement

Data sharing are not applicable to this article as no new data were created or analyzed in this study.

Additional information

Notes on contributors

Michalis Papamichael

Michalis Papamichael was born in Larnaca, Cyprus, in 1964. is a PhD Candidate in the Occupational Safety and Health Program at the European University Cyprus. He has over 32 years’ experience in the entirety of oil and gas value chain (upstream, midstream, and downstream) in regional roles of increasing accountability in the engineering, business, security, emergency management, and risk management context in Europe, the UK, and the Eastern Mediterranean. In his current role, he is the regional Security and Emergency Response Manager for an oil and gas major and a member of the company’s Global Corporate Emergency Response Team. Michalis holds a BSc in Electrical Engineering from Brown University, USA (1988), an MBA from Brunel University, UK (1997), and an MSc in Security and Risk Management from the University of Leicester, UK (2014). He holds certifications in the Incident Command System (now part of the National Incident Management System [NIMS] in the US), Kidnap for Ransom incident management, the management of major emergencies including oil spill management, International Ship and Port Facility Security (ISPS) Code at a Vessel, Company, and Facility security level, Security Consultancy, Business Continuity and Resilience, Intelligence Analysis, Open-source intelligence (OSINT) analysis, and investigations. He is an Honorary Research Fellow of the European University, Cyprus, and the co-chair of the OSAC (Overseas Security Advisory Council of the US State Department) Cyprus chapter.

Christos Dimopoulos

Christos Dimopoulos was born in Athens in May 1973. Christos is an Associate Professor of Computer Science & Engineering, and co-Director of the Centre of Excellence in Risk and Decision Sciences (CERIDES). He received his BSc degree in Automation from the Technological Educational Institute (TEI) of Piraeus. He received both his MSc and PhD degrees in Control Engineering from the University of Sheffield. He is a multidisciplinary researcher and practitioner with a significant focus in the area of Disaster Management. His research accomplishments include a considerable number of refereed articles and book chapters. In 2002, he received the ‘Outstanding Paper of the Year Award’ by the Neural Networks Council of IEEE. He is currently participating (and has participated in the past) as project coordinator, principal investigator and research collaborator in numerous European and Cypriot-level research projects. He has also served as the Scientific Coordinator and Head Evaluator in multiple Civil Protection Full-Scale Exercises funded by DG-ECHO. He is the recipient of an Honorary Award by the Cyprus Environmental Commissioner for providing services to the Republic of Cyprus towards achieving its Environmental Targets.

George Boustras

Georgios Boustras was born in Athens in May 1973. George is a Professor in Risk Assessment at European University Cyprus, Director of the Centre of Risk and Decision Sciences (CERIDES - Excellence in Innovation and Technology), Visiting Researcher at the National Observatory of Athens and Visiting Professor at University of Haifa. He is a Member of the EU Mission: Adaptation to Climate Change. George is Editor-in-Chief of Safety Science (Elsevier, IF 6.392) and Member of the Editorial Board of Fire Technology (Springer Nature) and the International Journal of Critical Infrastructure Protection (Inderscience). He (co)supervises five PhD students; six of his students are now PhDs.