The CIRAS project is devoted to the advancement of protection of critical infrastructures in Europe. It is a two-year project which was launched in September 2014 by the European Commission’s Directorate-General for Home Affairs from a call for proposals on Prevention, Preparedness and Consequence Management of Terrorism and Other Security-Related Risks (CIPS).
CIRAS aims at supporting decision-makers by providing a methodology and toolset to compare several alternatives. The project promotes a new approach to risk assessment in critical infrastructure protection (CIP). It is focused on advanced risk assessment which compares security measures alternatives and takes into account the typical critical infrastructure (CI) effects of interdependencies of systems, and of cascading and escalation of incident consequences.
The CIRAS project CIRAS provides a methodology and decision support system (DSS) for public and private CI/CIP managers, which allow a holistic assessment of how to reduce risks in critical infrastructures at a cost-efficient way, and at the same time considering social and political needs and restrictions.
The CIRAS Decision Support System offers a comparison of different security measures alternatives that may comprise several security measures by performing several assessments as follows:
- Risk Reduction Assessment (RRA): for measuring the risk reduction capability of the different Security Measures and the Alternatives that include them. It implies two steps: first of all, an Asset oriented Business Impact Analysis is done to evaluate the consequences and impact levels in case of an incident. Secondly, an Asset Oriented Risk Analysis is carried out to calculate the risks levels that would be achieved after the implementation of security measures alternatives.
- Cost and Benefit Assessment (CBA): for assessing the different alternatives based on the cost (immediate and operational) and future benefits of the Security Measures considered during a certain period of years. These costs are evaluated according to different financial categories and the results comprise key indicators values such as: total investment costs, total future benefits and current value of costs. These indicators allow to rank the alternatives and to select the most financially reasonable. The results provide graphs for each financial category and the calculation of time-profile trade-offs and break-even points.
- Qualitative Criteria Assessment (QCA): for the assessment the “social” and other non-tangible criteria related to the Security Measures, thus putting into numbers these criteria that are, otherwise, difficult to measure objectively.
CIRAS offers two ways of performing this kind of assessment. On the one hand, QCA could be performed via a Utility Function based method (UFBA). It allows to associate verbal subjective descriptions with numerical graphs to quantify the extent of the possible values. On the other hand, CIRAS introduces an innovative method developed within the project called MAHP. It is a modification of the AHP concept introduced by Thomas Saaty in the 1990s
- Aggregated Results are provided to compare all the alternatives individually and together considering the assessments performed. A report is generated displaying in tables and graphs how security measures alternatives are ranked according to RRA, CBA, QCA. If both ways of QCA have been carried out it means a specific rank for UFBA and another one for MAHP.