Critical Infrastructure Protection Decision Making

Part 2. Cross-Cutting Themes and Technologies

5. System and Sector Interdependencies

  1. Dennis R. Powell (1),
  2. Sharon M. DeLand (2),
  3. Michael E. Samsa (3)

Published Online: 14 NOV 2008

DOI: 10.1002/9780470087923.hhs234

Wiley Handbook of Science and Technology for Homeland Security

How to Cite

Powell, D. R., DeLand, S. M. and Samsa, M. E. 2008. Critical Infrastructure Protection Decision Making. Wiley Handbook of Science and Technology for Homeland Security. 2:5:1–15.

Author Information

  1. Los Alamos National Laboratory, Los Alamos, New Mexico
  2. Sandia National Laboratories, Albuquerque, New Mexico
  3. Argonne National Laboratory, Argonne, Illinois

The critical infrastructure protection decision support system (CIPDSS) is a Department of Homeland Security (DHS) risk assessment tool and analysis process that (i) simultaneously represents all 17 critical infrastructures and key resources [1] in a single integrated framework and (ii) includes a decision-aiding procedure that combines multiple, nationally important objectives into a single measure of merit so that alternatives can be easily compared over a range of threat or incident likelihoods. At the core of this capability is a set of computer models, supporting software, analysis processes, and decision support tools that inform decision makers who make difficult choices between alternative mitigation measures and operational tactics or who allocate limited resources to protect the United States' critical infrastructures against currently existing threats and against potential future threats. CIPDSS incorporates a fully integrated risk assessment process, explicitly accounting for uncertainties in threats, vulnerabilities, and the consequences of terrorist acts and natural disasters. Unlike most other risk assessment tools, CIPDSS goes beyond the calculation of first-order consequences in one or just a few infrastructures and instead models the primary interdependencies that link the 17 critical infrastructures and key resources together, calculating the impacts that cascade into these interdependent infrastructures and the national economy.

1 Background

Choices made and actions taken to protect critical infrastructures must be based on a thorough assessment of risks and appropriately account for the likelihood of threat, vulnerabilities, and uncertain consequences associated with terrorist activities, natural disasters, and accidents. Initiated as a proof-of-concept in August 2003, the CIPDSS project has conducted analysis on disruption of telecommunications services, a smallpox outbreak and an influenza pandemic, and the accidental release of a toxic industrial chemical. Partial capability does exist to support analysis of physical disruption; cyber, insider, radiological or nuclear threats; and natural disaster scenarios.

1.1 Decision Support System and Infrastructure Risk

The project was developed in a system dynamics language (Vensim) to facilitate rapid development of capability. This decision support system is designed to address various infrastructure- and risk-related questions, such as these example questions:

  • What are the consequences of attacks on infrastructure in terms of national security, economic impact, public health, and conduct of government—including the consequences that propagate to other infrastructures?

  • Are there critical points in the infrastructures (i.e. areas where one or two attacks could have extensive cascading consequences)? What and where are these points?

  • What are the highest risk areas from a perspective incorporating consequence, vulnerability, and threat?

  • What investment strategies can the United States make that will have the most impact in reducing overall risk?

1.2 Two Modeling Scales: National and Metropolitan

The system has been designed to operate at two distinct scales of modeling: the national scale and the metropolitan scale. The national model represents the critical infrastructures at the national level, with resolution at a state level. The metropolitan (metro) model is intended to represent the functions of critical infrastructures at the local level, in urban landscapes with a population of 500,000 or more.

Within these two modeling scales, many questions of critical infrastructure disruption can be addressed within a risk-informed framework. In general, both models calculate the consequences of a disruption within the affected sector and in related sectors linked by primary interdependencies. For example, a disruption in telecommunications could have an effect on banking and finance and even on traffic. Consequences are computed in the broad metric categories of human health and safety, environmental effects, economic costs, public confidence, and national security.

1.3 Decision Model

Unique to CIPDSS is the coupling of the vulnerability and consequence simulation models with a decision model. This tool translates simulated fatalities, illnesses and injuries, economic costs, lost public confidence, and national security impacts into a single measure of merit for each mitigation measure, operational tactic, or policy option considered by a decision maker in a decision problem. Preferred options are plotted against threat or incident likelihood. As new intelligence information becomes available and as the view of the intelligence community evolves with respect to the near- and long-term capabilities and intentions of US adversaries, a preferred course of action that minimizes overall risk can be easily selected from a growing set of threat case studies.

2 Infrastructure Models

Each infrastructure sector is represented by a model of the system that is captured in a system dynamics representation. Table 1 lists the critical infrastructures modeled in CIPDSS. The most common model form is a limited-capacity, resource-constrained model as shown in Figure 1. In this generic representation, the model is shown as a network of nodes, for example, variables that are linked by directed edges, or influences. The connection of variable A via a directed edge to variable B indicates that the value of A is used to calculate the value of B. This abstract relationship indicator hides the actual mathematical relationships, but serves as a graphical description of the workings of the model without delving into specifics. Nonetheless, it is the mathematical description, for example, a system of coupled ordinary differential equations, embedded in the syntax of the Vensim model that defines the actual model.

Table 1. Critical infrastructures represented in CIPDSS

Critical infrastructures
  1. Agriculture and food
  2. Banking and finance
  3. Chemical industry and hazardous materials
  4. Defense industrial base
  5. Emergency services
  6. Energy
  7. Government
  8. Information and telecommunications
  9. Postal and shipping
  10. Public health
  11. Transportation
  12. Water

Key asset categories
  13. National monuments and icons
  14. Nuclear power plants
  15. Dams
  16. Government facilities
  17. Commercial key assets

Figure 1. Structure of a generic resource limited module

A key aspect of the CIPDSS infrastructure models is the capturing of the primary interdependencies between infrastructures. In Figure 1, the dependencies are generically represented in the local availability of resources and materials and implicitly in the production operations. These functional dependencies are clearly called out in the infrastructure models. For example, the operation of telecommunication facilities depends on the supply of electrical power. Short durations of electrical power outages can be tolerated by the use of backup power generators. However, extended electrical power outages cause failure of selected equipment, which affects total communication capacity. The reduction in capacity may be compensated by other equipment with excess capacity (system resilience) or it may affect total throughput of calls. Because CIPDSS has a high level of representation of operations, not all dependencies are modeled, just the primary dependencies. Also, to maintain a consistent model resolution level, the effect of the dependency is modeled rather than the detailed interactions.

Each critical infrastructure sector is divided into a number of subsectors, which have a more uniform character and for which one or more separate Vensim subsector models are developed. For example, the emergency services sector is divided into (i) fire services, (ii) emergency medical services, (iii) law enforcement, and (iv) emergency support services. A Java-based program, the Conductor [2], is used to merge multiple system dynamics models, link variables that cross source code boundaries, and assemble a unified multisector model from individual sector model files. The Conductor identifies variables present in models with references to other source code files and resolves the references when the models are combined. As such, the program allows the models to be developed and tested at a modular level, but it enables simulation runs at the multisector level. The ability to develop modularly has allowed multiple developers from three geographically separated sites to codevelop the models.

2.1 Other Supporting Models to Represent Disruption Effects

Models of the infrastructure sectors and subsectors are in themselves insufficient to represent the full suite of effects and artifacts of a disruption. Since the output metrics of interest are human health and safety, a population model is used to account for those people injured by the disruption event compared with the natural processes of illness, injury, and death. Straightforward accounting of population groups in terms of birth/death processes and recovery from health impairment provides a basis for consequence modeling. To model the effect of scenario consequences on subcategories of the population, particularly workers in the critical infrastructures, the model uses occupation data from the US Bureau of Labor Statistics to estimate the initial size of the group. Because the scenario time frame that is modeled is usually on the order of a year or less, these models do not cover all of the dynamics that could arise in a disruption, for example, product substitution, restructuring of industry or practices, or evolutionary transformations that take years to manifest.

Economic modeling [3] assesses initial sector impacts from the incident in the individual sectors with interdependencies modeled to produce possible secondary effects. Most sectors compute revenue losses and other losses from clean-up, repairs, rebuilding, and so on. Other sectors, such as the energy subsectors, contain further information to give baseline revenue values with or without an incident. All of the metrics are passed into the economic sector model for further computation. Estimation of impacts to the rest of the economy is based on the North American Industry Classification System (NAICS) supersectors. Value-added, a measure of productivity in an industry, is more conservative than lost sales or revenues since lost sales are often only temporary and can be recovered within a short period of time after an incident. Lost value-added tends to be permanent over short periods of time and is, therefore, a more accurate measure of the economic losses from temporary disruptions.

2.2 Scenario Models

While the infrastructure models exist as a body of interacting systems, the modeling of a disruption to one or more infrastructures often requires that specific code is developed to initiate a disruption event and stimulate the infrastructure models to render specific effects required by the disruption scenario. The models that accomplish these effects are called scenario models. Scenario models for biological threats, chemical threats, and telecommunications disruptions have been developed and form a robust basis for other threat scenarios listed in Table 2. For a given study, if an appropriate scenario model does not exist, it must be developed or adapted from a previously developed scenario model.

Table 2. Threat scenario categories to be addressed by CIPDSS
Physical disruption
Natural disaster

2.3 Consequence Models

Consequence models simulate the dynamics of individual infrastructures and couple separate infrastructures with each other according to their interdependencies. For example, repairing damage to the electric power grid in a city requires transportation to repair sites and delivery of parts, fuel for repair vehicles, telecommunications for problem diagnosis and coordination of repairs, and availability of labor. The repair itself involves diagnosis, ordering parts, dispatching crews, and performing repairs. The electric power grid responds to the initial damage and to the completion of repairs with changes in its operating capacity (the number of megawatts that can be distributed to customers). Dynamic processes like these are represented in the CIPDSS infrastructure sector simulations by differential equations, discrete events, and codified rules of operation, as appropriate for the sector being modeled.

2.4 Decision Support

The CIPDSS team has conducted an ongoing series of formal and informal interviews of critical infrastructure protection decision makers and stakeholders to identify requirements for the decision support system, scope out the decision environment, and quantify the prioritization of consequences. The taxonomy of decision metrics derived from this research involves six categories: (i) sector specific, (ii) human health and safety—public and occupational fatalities, nonfatal injuries, and illnesses, (iii) economic—immediate and interdependent costs of event, including the implementation and operating cost for optional measures, (iv) environmental—air and water emissions, nonproductive land, and intrinsic value loss, (v) sociopolitical—perceived risk, public confidence, trust in government sector-specific effects, and market confidence, and (vi) national security—continuity of military and critical civilian government services. The preferences of three representative decision makers were encoded using structured interview techniques to arrive at multiattribute utility functions consonant with the output of the consequence models and applicable to the case studies described below.

The primary building block for decision analysis in CIPDSS is a case. A case consists of two or more scenario pairs (base scenario pairs and alternative scenario pairs); each scenario pair is composed of a readiness scenario and an incident scenario:

  • Base scenario pair

    • Base readiness scenario

      Business-as-usual conditions; consequences in the absence of terrorist events or other disruptions.

    • Base incident scenario

      Postulated event occurs with no additional optional measures implemented, beyond what exists at the time.

  • One or more alternative scenario pair(s)

    • Alternative readiness scenario

      A specific set of additional optional measures are in place; postulated event is not initiated.

    • Alternative incident scenario

      Optional measures are in place; postulated event occurs.

Each scenario requires a separate simulation over a period of time (defined by the case) with the detailed national and metropolitan models. By comparing the alternative scenario pairs with the base scenario pairs, decision makers can evaluate the effects that various investments and strategies could have, if implemented. (The various investments and strategies, labeled here as optional measures include hardware, processes, and strategies related to prevention, protection, mitigation, response, and recovery.)

2.5 Uncertainty and Sensitivity Analysis

Aggregate models such as those in the CIPDSS model set embody a degree of uncertainty in their formulation. Both uncertainty and sensitivity analyses [4] are essential tools in assessing the uncertainties arising when applying computer models to meaningful analyses. Rather than considering single predictions from the input space, prudent analysis considers the range of possible inputs and maps those to a range of outcomes. Uncertainty analysis defines methods to estimate the distribution of the model outputs, given uncertainties in the model inputs. Sensitivity analysis specifies a process by which sources of variance in the model outputs can be identified with uncertainties in the model inputs. Such information is useful when it is desirable to reduce the uncertainty of the outputs, as the information indicates which input variables are the greatest contributors to output variance. Both uncertainty analysis and sensitivity analysis are supported by the CIPDSS architecture and routinely applied when performing analyses. Although arbitrary experiment designs are supported, orthogonal array (OA), Latin hypercube sampling (LHS), and hybrid OA-based LHS designs are commonly used to support uncertainty and sensitivity analysis.
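A Latin hypercube uncertainty and sensitivity run, as an added example (not CIPDSS or Vensim code). The model is a toy version of the telecommunications-on-electric-power dependency described in Section 2; its equations, input names, and input ranges are all constructed assumptions.

```python
"""Latin hypercube uncertainty and sensitivity run over a toy dependency model."""
import random
from statistics import mean

# Constructed input ranges (low, high); illustrative only, not CIPDSS values.
RANGES = {
    "outage_h": (2.0, 72.0),    # duration of the electric power outage
    "backup_h": (4.0, 24.0),    # hours the backup generators can run
    "fail_frac": (0.2, 0.8),    # share of equipment lost once backup is spent
    "spare_frac": (0.05, 0.3),  # excess capacity elsewhere (system resilience)
    "restore_h": (2.0, 12.0),   # time constant for bringing equipment back
}


def unmet_call_hours(outage_h, backup_h, fail_frac, spare_frac, restore_h,
                     horizon_h=168.0, dt=0.25):
    """Integrate call demand that cannot be carried (capacity-hours)."""
    capacity, unmet = 1.0, 0.0
    demand = 1.0 - spare_frac
    for step in range(int(horizon_h / dt)):
        t = step * dt
        if t >= outage_h:
            # Power is back: first-order recovery, dC/dt = (1 - C) / restore_h.
            capacity += (1.0 - capacity) / restore_h * dt
        elif t >= backup_h:
            # Outage has outlasted the generators: equipment drops out.
            capacity = 1.0 - fail_frac
        unmet += max(0.0, demand - capacity) * dt
    return unmet


def latin_hypercube(n, ranges, rng):
    """n samples; each input's range is cut into n strata, each used once."""
    columns = {}
    for name, (lo, hi) in ranges.items():
        strata = list(range(n))
        rng.shuffle(strata)  # independent permutation per input
        columns[name] = [lo + (hi - lo) * (s + rng.random()) / n
                         for s in strata]
    return [{name: columns[name][i] for name in ranges} for i in range(n)]


def ranks(values):
    """1-based ranks, ties given their average rank."""
    order = sorted(range(len(values)), key=values.__getitem__)
    result = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        for k in range(i, j + 1):
            result[order[k]] = (i + j) / 2 + 1
        i = j + 1
    return result


def spearman(x, y):
    """Rank correlation: which inputs move the output, and in which direction."""
    rx, ry = ranks(x), ranks(y)
    mx, my = mean(rx), mean(ry)
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    norm = (sum((a - mx) ** 2 for a in rx)
            * sum((b - my) ** 2 for b in ry)) ** 0.5
    return cov / norm if norm else 0.0


def run_study(n=200, seed=1):
    """Return the design, the output distribution summary, and sensitivities."""
    rng = random.Random(seed)
    design = latin_hypercube(n, RANGES, rng)
    outputs = [unmet_call_hours(**row) for row in design]
    ordered = sorted(outputs)
    summary = {"min": ordered[0], "median": ordered[n // 2], "max": ordered[-1]}
    sensitivity = {name: spearman([row[name] for row in design], outputs)
                   for name in RANGES}
    return design, summary, sensitivity


if __name__ == "__main__":
    _, summary, sensitivity = run_study()
    print(summary)
    for name, rho in sorted(sensitivity.items(), key=lambda kv: -abs(kv[1])):
        print(f"{name:10s} {rho:+.2f}")
```
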

3 Case Studies

Throughout its development cycle, CIPDSS has been exercised by producing a case study for each disruption capability. Each case study is used to expose each capability's potential cascading consequences and place a disruption scenario in a risk-informed context.

In general, CIPDSS can address case studies to support decision making relative to a standardized set of scenarios defined by DHS (Table 2), although not all capabilities are currently well developed. Current work is focused on the physical disruption capability, where the disruption may be caused by explosive devices, assault teams, natural events, or accidents. The program's goal is to cover all types of disruptions of interest to DHS policy makers.

In this section, three case studies are briefly described: a telecommunications disruption, an outbreak of a contagious disease, and an accidental release of a toxic industrial chemical.

3.1 Telecommunications Disruption Case Study

The earliest version of CIPDSS was exercised in a proof-of-concept case study that demonstrated the project's feasibility. The case study—chosen to broadly perturb many infrastructure sectors—involved a telecommunications disruption that degraded the operation of other infrastructure sectors. In each of three northeastern cities, major telecommunication switching stations were bombed with explosives in a simultaneous attack. Significant switching capacity was lost at each site and a large number of casualties were inflicted. CIPDSS consulted with the National Communications System and Lucent Technologies to assure appropriate modeling of the disruption in telecommunication services. Decision metrics and utility values were computed for several investment alternatives that would mitigate the impact of the incidents.

For the telecommunications case study, two optional measures were examined: (i) improving the restoration capability of the system and (ii) consolidating the targeted facilities away from dense urban areas. The former alternative was expected to reduce the secondary economic impact of the incident, while the latter was expected to reduce the impact on human health and safety. While undergoing repairs, the telecommunications system loses revenue as well as requiring capital to replace lost capability. The impact on human health and safety was caused by casualties imposed by the bomb blast. Casualties were relatively high because one switching facility was near a metro mass transportation station and the blast occurred at a time of day when commuter traffic was heavy. The alternative to consolidate the switching facilities and move them to a less busy part of the metro region was expected to cost $7 billion. This posed an interesting trade-off between the mitigation alternatives. In improving the restoration capability, presumed to cost $1.5 billion, the economic losses from the incident would be lower. On the other hand, consolidation of facilities would reduce fatalities and injuries. In accounting for such trade-offs, the decision modeling method combines the primary metrics of the consequences of a scenario with the implementation costs associated with the scenario. Another way to represent the decision, depicted in Figure 2, is as a decision tree, which consists of decision nodes and chance nodes. The utility of the base readiness scenario is 99.2 for a given decision profile. This is the expected utility for the chance node for each decision alternative. The expected utility of the base incident scenario is 16.3. For an attack having the probability of 0.1, the expected utility of the base alternative is, therefore, 90.9. The utilities of all alternatives are calculated and shown in Figure 2.

Figure 2. Tree representation of decision alternatives

Figure 3 depicts a decision map that provides a convenient mechanism for the decision maker to assess investment alternatives as a function of the expected annual likelihood of the threat event. Figure 3 illustrates how a risk-neutral decision maker would prefer no action so long as the annual likelihood of the event is less than one incident in 13 years. When the likelihood is between one in 13 years and one in 5 years, that decision maker would prefer to improve the restoration capability; when the likelihood is greater than one in 5 years, that decision maker would prefer to consolidate facilities. The relative preferences are determined by the form of the decision maker's multiattribute utility function and risk tolerance profile.

Figure 3. Decision map of a scenario parameterized by the likelihood of the incident
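The expected-utility arithmetic behind the decision tree and the decision map, as an added example (not CIPDSS code). Only the base utilities 99.2 and 16.3 and the 0.1 attack probability come from the text; the utilities of the two optional measures are constructed, so the crossover likelihoods it finds are not the ones shown in Figure 3.

```python
"""Expected utility of decision alternatives versus incident likelihood."""
from itertools import combinations

# (readiness utility, incident utility) for each alternative.
# The base pair is quoted in the text. The other two pairs are constructed
# for illustration and are NOT the values shown in Figure 2.
ALTERNATIVES = {
    "no action": (99.2, 16.3),
    "improve restoration": (98.0, 35.0),      # constructed
    "consolidate facilities": (94.0, 60.0),   # constructed
}


def expected_utility(readiness, incident, p):
    """Chance node: incident with likelihood p, readiness otherwise."""
    return (1.0 - p) * readiness + p * incident


def preferred(p, alts=ALTERNATIVES):
    """Decision node: the alternative with the highest expected utility."""
    return max(alts, key=lambda name: expected_utility(*alts[name], p))


def crossover(a, b):
    """Likelihood in (0, 1) where two alternatives tie, or None."""
    (ra, ia), (rb, ib) = a, b
    # Each expected utility is a straight line in p; equate the two lines.
    denom = (ra - ia) - (rb - ib)
    if denom == 0:
        return None
    p = (ra - rb) / denom
    return p if 0.0 < p < 1.0 else None


def decision_map(alts=ALTERNATIVES):
    """Return [(p_low, p_high, preferred alternative)] covering [0, 1]."""
    cuts = {0.0, 1.0}
    for a, b in combinations(alts.values(), 2):
        p = crossover(a, b)
        if p is not None:
            cuts.add(p)
    cuts = sorted(cuts)
    segments = []
    for lo, hi in zip(cuts, cuts[1:]):
        name = preferred((lo + hi) / 2.0, alts)
        if segments and segments[-1][2] == name:
            # A tie between two non-preferred options: extend the segment.
            segments[-1] = (segments[-1][0], hi, name)
        else:
            segments.append((lo, hi, name))
    return segments


def one_in_years(p):
    """Express an annual likelihood the way the text does."""
    return 1.0 / p


if __name__ == "__main__":
    print(round(expected_utility(99.2, 16.3, 0.1), 1))
    for lo, hi, name in decision_map():
        upper = "any" if hi == 1.0 else f"1 in {one_in_years(hi):.1f} years"
        print(f"{name}: preferred up to {upper}")
```
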

3.2 Biological Pandemic Case Study

An analysis of a biological threat scenario was performed to assess infrastructure interdependency and economic effects resulting from the consequences of a highly infectious biological attack. To identify the conditions under which various alternatives are preferred, the consequences of the attack were combined with cost estimates for various protective measures within the decision model.

At the core of this case study is an infectious disease scenario model. The infectious disease model is a modified susceptible-exposed-infected-recovered (SEIR) model [5], based on an extended set of disease stages, demographic groupings, an integrated vaccination submodel, and representation of quarantine, isolation, demographic, and disease-stage-dependent human behavior. As a variant on the SEIR model paradigm, the CIPDSS model represents populations as homogeneous and well mixed with exponentially distributed residence times in each stage [6]. The use of additional stages and demographic groupings is designed to add additional heterogeneity, where it can be useful in capturing key differences in disease spread and response in different subpopulations.

The disease stages are generically represented so that the model can be used for a large number of infectious agents simply by adjusting the input parameters appropriately. For example, with the studied hypothetical biological agent like smallpox, the first stage is the exposed or incubating stage during which a vaccine can still be effective (about 3 days) and the next stage represents the remainder of the incubating period when the vaccine is no longer effective. This is followed by a prodromal phase when the disease is sometimes infectious and is symptomatic, but with nonspecific flu-like symptoms. The disease progresses into a rash stage, where the risk of contagion is highest, and then into the scab phase. The patient then either recovers from the disease, or dies.
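A minimal staged compartment model of the kind described above, as an added example (not the CIPDSS model). It keeps the stage sequence, the well-mixed population, and exponential residence times; apart from the roughly 3-day vaccine-effective window and the 1000 initial infections, every parameter is a constructed placeholder that is not calibrated to any agent, and `response_day` is a hypothetical knob for when vaccination starts.

```python
"""Staged compartment (SEIR-type) model with exponential residence times."""

STAGES = ["exposed_vaccine_ok", "exposed_late", "prodromal", "rash", "scab"]

# Mean residence time per stage, in days. Only the ~3-day vaccine-effective
# window comes from the text; the rest are constructed placeholders.
RESIDENCE_DAYS = {"exposed_vaccine_ok": 3.0, "exposed_late": 9.0,
                  "prodromal": 3.0, "rash": 8.0, "scab": 6.0}

# Relative contagiousness per stage (constructed): highest in the rash
# stage, partial in the prodromal stage, none while incubating.
INFECTIVITY = {"exposed_vaccine_ok": 0.0, "exposed_late": 0.0,
               "prodromal": 0.2, "rash": 1.0, "scab": 0.1}


def simulate(population=1_000_000, initially_infected=1000, beta=0.4,
             fatality_frac=0.3, response_day=30.0, vaccination_rate=0.05,
             days=365, dt=0.05):
    """Euler-integrate the compartments and return the final state.

    beta, fatality_frac and vaccination_rate are constructed values.
    """
    susceptible = float(population - initially_infected)
    stage = {name: 0.0 for name in STAGES}
    stage[STAGES[0]] = float(initially_infected)
    immune = recovered = dead = 0.0

    for step in range(int(days / dt)):
        t = step * dt
        alive = susceptible + sum(stage.values()) + immune + recovered
        # Homogeneous mixing: one force of infection for everyone.
        force = beta * sum(INFECTIVITY[k] * stage[k] for k in STAGES) / alive
        new_infections = force * susceptible * dt

        # Vaccination starts at response_day and also protects people
        # still inside the vaccine-effective part of incubation.
        rate = vaccination_rate if t >= response_day else 0.0
        vaccinated_s = rate * susceptible * dt
        vaccinated_e = rate * stage[STAGES[0]] * dt

        # Exponential residence time => outflow = content / mean time.
        out = {k: stage[k] / RESIDENCE_DAYS[k] * dt for k in STAGES}

        susceptible -= new_infections + vaccinated_s
        immune += vaccinated_s + vaccinated_e
        stage[STAGES[0]] += new_infections - out[STAGES[0]] - vaccinated_e
        for previous, current in zip(STAGES, STAGES[1:]):
            stage[current] += out[previous] - out[current]
        dead += fatality_frac * out[STAGES[-1]]
        recovered += (1.0 - fatality_frac) * out[STAGES[-1]]

    return {"susceptible": susceptible, "immune": immune,
            "in_stages": sum(stage.values()),
            "recovered": recovered, "dead": dead}


if __name__ == "__main__":
    for day in (15.0, 30.0, 45.0):
        result = simulate(response_day=day)
        print(f"response on day {day:>4}: {result['dead']:.0f} fatalities")
```
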

The analysis specifically considered the following incident and alternatives:

  • Base incident

    1000 people initially infected with smallpox and implementation of existing vaccination policies.

  • Alternative A

    Installation of biodetectors to provide early detection of the disease.

  • Alternative B

    Use of antiviral drugs to treat the disease.

  • Alternative C

    Mass quarantine to reduce the spread of the disease.

  • Alternative D

    Improved training of health care personnel to administer existing vaccines more rapidly.

Large-scale simulations were used to characterize the uncertainty in the consequence results and understand which model parameters had the strongest effects on the decision metrics. Considering uncertainties, the number of fatalities in the base incident scenario ranged from 277 to 7041. Incorporation of individual alternatives A–D reduced the lower end of the fatality range slightly and in all cases significantly reduced the maximum number of simulated fatalities. Primary economic costs in the metropolitan area, where 1000 persons are initially infected, were calculated to range from $7.5 to $9.5 billion, except for the mass quarantine alternative (Alternative C) where the primary economic costs would be up to three times greater because of loss of worker productivity during a quarantine. On a national scale, economic costs might easily be driven by a widespread self-isolation response resulting from the general population seeking to protect itself by reducing exposure to potentially infected individuals. A severe self-isolation response could significantly impact business and industrial productivity as workers stay home from their jobs and reduce normal spending by avoiding shopping and other commercial areas where they might come in contact with infected persons. The interdependent private sector economic costs and personal income losses associated with a severe, widespread self-isolation response were calculated to be as great as $450 billion, or 15–45 times the primary economic costs of the infectious disease event. Government costs could be similar.

Within the initially affected metropolitan area, the primary indirect or “cascading” effects of the incident involve the transportation and telecommunications sectors, with other sectors being affected by these in turn. Quarantine measures impact nearly half of the workers in the metropolitan area during the peak period of the crisis, resulting in much lower usage of the transportation system and losses in personal income because workers would not report to work and businesses would close temporarily.

In accordance with the numerous infectious disease model results that are currently available [7, 8], the CIPDSS results show that given the initiating event, a significant epidemic will ensue, with an average of 6100 nonfatal illnesses and 1500 fatalities in the base case. CIPDSS results particularly agree with Gani and Leach [9], who point out the importance of delays in detecting the first cases and the importance of setting up effective public health interventions. In the CIPDSS analysis, the addition of biodetectors provides a high degree of early warning, enabling a rapid effective response that almost completely stops the spread of the disease outside the initially infected metropolitan area, thereby significantly reducing the number of cases and subsequent mortalities. The study indicates that time to intervention and effective response is a critical component in controlling the health impacts resulting from a deadly infectious biological outbreak.

The national economic consequences are primarily caused by a behavioral response that could lead to widespread self-isolation and severe economic impacts. Because the magnitude of such a response is largely unstudied in the literature, the uncertainty surrounding this parameter is very great. Rather than assuming that more is known than is actually the case about the possible public self-isolation response to an intentional release of infectious smallpox virus, the analysis presents the decision model results parameterized with respect to the relative level of widespread self-isolation behavior.

For a risk-neutral profile, a preference map was derived by combining the calculated consequences in a decision model based on multiattribute decision theory and by assigning the attribute trade-off values that are consistent with values suggested by several DHS decision makers (Figure 4). The preference map indicates that up to an expected likelihood of one incident in 1200 years, the preferred alternative would be to continue existing vaccination and quarantine policies, regardless of the level of national self-isolation response.

Figure 4. A preference map for preferred alternatives in a biological disease case

Likewise, between an incident likelihood of one in 1200 years and one in 135 years the preferred alternative would be to pretrain and implement a larger number of medical and emergency responders to vaccinate the public more rapidly, in the event of an intentional smallpox release. Without a widespread self-isolation response (0%), the antiviral drug alternative would be preferred when the incident likelihood increases to one in 90 years.

At greater incident likelihoods, the detector alternative is preferred because it produces the lowest level of combined consequences across all simulations of the scenarios. When the level of self-isolation response increases, the antiviral strategy is the preferred alternative at increasing incident likelihoods, being preferred over detectors at the maximum level of self-isolation and incident likelihood of one in 35 years. This trend in increasing self-isolation takes place because the biodetectors would result in earlier disease detection and thus public notification, which in turn would result in an earlier commencement of the economic impacts caused by the widespread self-isolation response.

3.3 Toxic Industrial Chemical Case Study

The chemical threat scenario analysis was performed to demonstrate the CIPDSS capability to provide risk-informed assessments of potential mitigation measures for this class of threats [10]. Coupled threat scenario, infrastructure interdependency, and economic effects models were used to estimate the consequences of an accidental release of a toxic industrial chemical, namely chlorine, in an urban setting. The consequences were combined with cost estimates for various protective measures within the decision model to identify the conditions under which various alternatives would be preferred. The analysis specifically considered the following incident and alternatives:

  • Base incident

    A large (70th percentile) event in a “normally prepared” community and a “normally trained” set of emergency responders.

  • Alternative A

    Installation of chemical detectors to detect the extent of spread of the chemical.

  • Alternative B

    Use of temporary or mobile triage/treatment sites to handle expected volumes of exposed persons.

  • Alternative C

    Application of comprehensive community preparedness training for chemical releases.

  • Alternative D

    Increased training and response preparedness for emergency responders and health providers.

  • Alternative E

    Application of comprehensive community preparedness training for chemical releases with an emphasis on significantly reducing the population response time.

The initiating event for the base incident and alternative mitigation measure scenarios is a statistical representation (model) of the unmitigated consequences of a large-scale chlorine release. The potential number of injuries and fatalities and the number of hospital beds and geographical areas rendered unusable during and some time after the passage of a toxic plume are estimated on a probabilistic basis. To accomplish this, historical accidental release data, maximum stored volumes, and meteorological data were used as inputs into a heavy gas dispersion model. Multiple runs were performed using plausible distributions on the dispersion model inputs to generate a generic statistical distribution of injuries and fatalities associated with specific toxic chemicals for four different regions of the United States, using actual geographic locations and population distributions as a basis for the calculations. The stochastic distributions of unmitigated injuries and fatalities were developed as a function of time, parameterized as a function of cumulative probability of the event, and normalized to a population base of 1 million persons in a 5-km radius from the release site to mask the identification of the actual site.

The analysis of health effects employed Acute Exposure Guideline Levels (AEGLs) developed by the Environmental Protection Agency (EPA) and the National Research Council (NRC) 11, for which six different averaging times ranging from 5 min to 8 h are given. Three AEGLs were used in the analysis as follows:

  • Persons within AEGL-1 footprint could experience adverse effects such as notable discomfort, irritation, or certain asymptomatic nonsensory effects. The effects are transient and reversible upon cessation of exposure.

  • Persons within AEGL-2 footprint could experience irreversible or other injuries, long-lasting adverse health effects, or an impaired ability to escape.

  • Persons within AEGL-3 footprint could experience life-threatening health effects or death.

Furthermore, three additional health criteria that further disaggregate AEGL-3 were exercised to provide better definition of victim status or condition to the CIPDSS public health sector model. These additional criteria enabled a more complete modeling of healthcare response to the event.

In this analysis, each of the five modeled mitigation measures is compared with the unmitigated base case: key operational parameters in the CIPDSS models are expressed relative to the value of the same variable in the base incident scenario.

On the basis of the uncertainty analysis performed with the CIPDSS models, the minimum, mean, and maximum values for the mitigation measure costs, fatalities, injuries, economic losses, and losses in public confidence (decision metrics) for each of the above incident scenarios display virtually no variation in the results among the five alternative mitigation measure scenarios. Furthermore, there is almost no variation in the results between the alternative mitigation measure scenarios and the base incident scenario, which includes no additional mitigation measures. The reason for this is the rapidity with which the plume disperses; there is simply insufficient time to react. Even with accelerated response times, the majority of the population that would be exposed without additional mitigation measures would still receive exposure even with the additional mitigation measures.

Because all of the measures that were modeled had an insignificant effect on mitigating the consequences of a large-scale chlorine release, the various options were differentiated on the basis of implementation cost alone. Thus, as calculated in the CIPDSS decision model, the order in which the measures would be preferred is in direct relationship to their implementation cost. The analysis indicated that investing in any of the mitigation options considered is less desirable than taking no action, regardless of how likely it may be that the incident would occur. Of course, this conclusion follows from the fact that none of the modeled measures had any significant mitigation effect on the consequences of an accidental release. The rank ordering of preference for the alternatives, shown in Figure 5, was (i) base case, no mitigation; (ii) alternative A, chemical detectors; (iii) alternative D, response preparedness and training; (iv) alternative E, community preparedness II; (v) alternative C, community preparedness I; and (vi) alternative B, mobile treatment facilities. These results are consistent with other studies of chlorine releases 12. One conclusion to draw is that investment should focus on prevention of a chemical release rather than on improving mitigation efforts after a release.

Figure 5. The preference map for a chemical release scenario

These results do suggest, however, that in the effort to protect the public from large accidental releases of chlorine, consideration should be given to measures designed to prevent the release rather than measures designed to mitigate the consequences of a release once it has occurred.

4 Conclusion

CIPDSS has demonstrated its capability to provide meaningful risk-informed decision support for several categories of threats of interest to the DHS. As a system dynamics suite of simulations, it has confirmed the ability of system dynamics to support a wide range of analyses of interest to policy makers through aggregate level simulation of multiple infrastructure systems.

Combined with the flexibility and extensibility conferred by the conductor, the uncertainty and sensitivity analysis capability, the decision model, and the breadth of coverage, including all 12 critical infrastructures and 5 key resource categories, CIPDSS is a unique capability for investigating consequences of infrastructure disruption. CIPDSS incorporates a fully integrated risk assessment process, explicitly and rigorously accounting for uncertainties in threats, vulnerabilities, and the consequences of terrorist acts and natural disasters. CIPDSS goes beyond the sole calculation of first-order consequences in one or just a few infrastructures. CIPDSS models the primary interdependencies that link the 17 critical infrastructures and key resources together and calculates the impacts that cascade into these interdependent infrastructures and into the national economy.


References

  • 1
    Moteff, J., and Parfomak, P. (2004). Critical Infrastructure and Key Assets: Definition and Identification. Congressional Research Service, Report RL32631, Library of Congress, Washington, DC.
  • 2
    Thompson, D., Bush, B., and Powell, D. (2005). Software Practices Applied to System Dynamics: Support for Large-Scale Group Development. Los Alamos National Laboratory Report, LA-UR-05-1922, Los Alamos, NM.
  • 3
    Dauelsberg, L., and Outkin, A. (2005). Modeling Economic Impacts to Critical Infrastructures in A System Dynamics Framework. Los Alamos National Laboratory Report, LA-UR-05-4088, Los Alamos, NM.
  • 4
    Helton, J. C., and Davis, F. J. (2000). Sampling-Based Methods for Uncertainty and Sensitivity Analysis. Sandia National Laboratories, SAND99-2240, Albuquerque, NM.
  • 5
    Murray, J. D. (1989). Mathematical Biology vol 19. Springer-Verlag, Berlin.
  • 6
    Hethcote, H. W. (2000). The mathematics of infectious diseases. SIAM Rev. 42(4), 599–653.
  • 7
    Fraser, C., Riley, S., Anderson, R., and Ferguson, N. (2004). Factors that make an infectious disease outbreak controllable. Proc. Natl. Acad. Sci. U.S.A. 101(16), 6146–6151.
  • 8
    Halloran, M. E., Longini, I. M., Jr., Nizam, A., and Yang, Y. (2002). Containing bioterrorist smallpox. Science 298, 1428–1432.
  • 9
    Gani, R., and Leach, S. (2001). Transmission potential of smallpox in contemporary populations. Science 414, 748–751.
  • 10
    Shea, D., and Gottron, F. (2004). Small-Scale Terrorist Attacks using Chemical and Biological Agents: An Assessment Framework and Preliminary Comparisons, Congressional Research Service, RL32391, Library of Congress, Washington, DC.
  • 11
    National Research Council (NRC). (1993). Guidelines for Developing Community Emergency Exposure Levels for Hazardous Substances. National Academy Press, Washington, DC.
  • 12
    Streit, G., Thayer, G., O'Brien, D., Witkowski, M., McCown, A., and Pasqualini, D. (2005). Toxic Industrial Chemical Release as a Terrorist Weapon: Attack on a Chemical Facility in an Urban Area. Los Alamos National Laboratory, LA-CP-0575, Los Alamos, NM.

Further reading list

  • United States of America. (1998). Executive Office of the President, Critical Infrastructure Protection, Presidential Decision Directive (PDD) 63.
  • United States of America. (2003). Executive Office of the President, The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets.
  • United States of America. (2003). Executive Office of the President. Homeland Security Presidential Directive–7. Critical Infrastructure Identification, Prioritization, and Protection.