**1. Introduction**

As infrastructures are crucial for the functioning of the state and are irreplaceable or difficult to replace, they are referred to as systems of critical infrastructure. Currently, systems of critical infrastructure are being widely discussed due to growing threats. In terms of maintaining the operability and continuity of these systems, it is important to focus on their protection. Therefore, it is necessary to create measures which secure the functionality, the continuity of operation and also such measures which minimize the risks of disrupting the function of individual infrastructures (Rehak et al. 2019; Ristvej et al. 2013).

Infrastructures that are highly interconnected with dependent systems are considered especially important. The disruption or failure of these infrastructures would have far-reaching consequences for the security and economy of the state and basic human needs (European Council 2008). This is why it is necessary to especially protect these infrastructures by way of preventive measures in combination with the subsequent strengthening of their resilience towards specific threats. Resilience in the context of critical infrastructure can be perceived as the ability to reduce the magnitude, impact, or duration of a disruption. The effectiveness of a resilient infrastructure depends upon its ability to anticipate, absorb, adapt to, and/or rapidly recover from a potentially disruptive event (NIAC 2009). In the context of this definition, the disruption of resilience can be understood as a degradation in the above-mentioned capabilities of critical infrastructure.

Managerial decision making plays an important role in the protection of critical infrastructure from the very beginning of solving the problem (Zimmerman 2004). Management is an integral part of economic, social and also technical solutions that help increase the resilience of critical infrastructure (Imani et al. 2020). The current critical infrastructure elements are managed by both the public and private sectors. As a result, the decision-making processes of public and private managers are also different (Nutt 2005). For this reason, the problem is focused only on managers of public operators of critical infrastructure (Bozeman and Pandey 2004), with whom the authors have been cooperating for a long time.

Risk management (ISO 2018) is commonly used for critical infrastructure element protection, making it possible to assess and manage these risks. This complex methodological overview was created as part of the publication Risk Assessment Methodologies for Critical Infrastructure Protection-Part I: A State of the Art (Giannopoulos et al. 2012) and Part II: A New Approach (Theocharidou and Giannopoulos 2015). The presented risk assessment methods are an effective preventive tool of a general nature, as they allow early identification of the risk, thus preventing the occurrence of adverse events (ISO 2018). However, these methods lack a link to the specifics related to resilience in a critical infrastructure system. By linking risk management and strengthening resilience, the protection of critical infrastructure is extended by the repressive part, i.e., the response to already-occurring adverse events (NIAC 2009).

For this reason, in recent years, particular attention has been paid to research into methods for assessing and strengthening critical infrastructure resilience, as resilience goes beyond traditional risk management (Petersen et al. 2020). This fact is evidenced, in particular, by articles dealing with resilience in the context of entire cities or urban areas (Chen et al. 2020; Li et al. 2020; Lu et al. 2020; Rehak et al. 2019), of their transport systems (Argyroudis et al. 2020; Machado-León and Goodchild 2017; Dvorak et al. 2017) or individual urban networks (Alizadeh and Sharifi 2020; Liu and Song 2020; Quitana et al. 2020; Shandiz et al. 2020). These approaches are realistically applicable and contribute to strengthening the resilience of critical infrastructure, but do not allow for the early indication of resilience disruption.

It can therefore be stated that there is currently no appropriate managerial tool that would explicitly deal with preventive measures for the protection of critical infrastructure elements. For this reason, the authors of this article have designed an entirely new process of managerial decision making for indicating a disruption in the resilience of critical infrastructure elements, which allows for the early identification of a potential disruption of the resilience of these elements. The added value of this proposal can be seen on two levels. At a theoretical level, it is an interdisciplinary integration of managerial decision making in the field of preventive protection of critical infrastructure elements. At a practical level, it is a matter of creating a new tool that will enable security managers to increase the preventive protection of critical infrastructure elements.

In conclusion, it is necessary to note that the presented article has the character of a conceptual document, which brings a possible solution forming the basic building blocks of the issue. This is a methodological procedure suitable for managerial decision making, the aim of which is to proactively increase the protection of critical infrastructure. Based on this fact, the authors defined the following research question: "Is it possible to preventively indicate a potential disruption of the critical infrastructure elements' resilience before the actual occurrence of the adverse event?"

Based on the above, the article is designed into four consecutive sections. The first section presents the critical infrastructure system and its resilience in the context of threats and the occurrence of adverse events that disrupt this resilience. Subsequently, attention is paid to the application of managerial decision making in the critical infrastructure system. The main part of the article is the third section, which presents the created process for indicating the disruption of the resilience of critical infrastructure elements. The last section then demonstrates the practical use of this process in the form of a case study.

### **2. Perception of Critical Infrastructure and Its Resilience**

Critical infrastructure (CI) means an asset, system or part thereof located within Member States that is essential for the maintenance of vital societal functions and the health, safety, security, economic or social wellbeing of people, the disruption or destruction of which would have a significant impact on a Member State as a result of the failure to maintain those functions (European Council 2008). Critical infrastructure entities are understood to be owners/operators of CI elements responsible for investments in, and/or day-to-day operation of, a particular asset, system or part (European Council 2008).

The elements of critical infrastructure are, in particular, the buildings, facilities, resources or public infrastructure, which are designated according to cross-cutting and sectoral criteria.

### *2.1. Critical Infrastructure System*

The purpose of the critical infrastructure system is to protect the critical infrastructure elements and to ensure the continuity of their operation, i.e., the provision of critically important services. To this end, an infrastructure element protection management process was created (see Figure 1), which shows the principles of the continual management cycle, e.g., the Plan–Do–Check–Act Cycle—PDCA (Tague 2005)—adapted to the conditions of the critical infrastructure system.

**Figure 1.** Critical infrastructure element protection management process (Rehak et al. 2018a).

The first sub-process of protection management is the designation of critical infrastructure elements. This sub-process consists of correctly setting criteria for the identification of elements on the European, national, but also regional level. Within this process phase, it is also necessary to consider the suitability of the corresponding method for the identification of elements, which can be based on either the top-down or bottom-up principle (Twidale and Floyd 2008).

The second sub-process of protection management consists of the assessment of critical infrastructure elements. This sub-process consists of the risk assessment of relevant disruptive events (ISO 2018; IEC 2019; Bernatik et al. 2013) and the resilience assessment of an element of interest, its robustness, recoverability and adaptability (NIAC 2009).

The securing of critical infrastructure elements is the last sub-process in protection management and consists of managing risks and strengthening resilience. Risk management consists of the selection and implementation of one or more options in order to minimize risks, i.e., risk retention, risk transfer, risk reduction and/or risk avoidance (see e.g., ISO/IEC 2013). Strengthening resilience (e.g., Government of Canada 2014; Labaka et al. 2015) minimizes the vulnerability of subsystems, which in turn minimizes the occurrence, intensity and spread of failures and their impact on the critical infrastructure system and on society.

### *2.2. Resilience in a Critical Infrastructure System*

The protection of critical infrastructure elements from the impacts of disruptive events is achieved through resilience. The effectiveness of a resilient infrastructure or enterprise depends upon its ability to anticipate, absorb, adapt to and/or rapidly recover from a potentially disruptive event (NIAC 2009).

Resilience in a critical infrastructure system must necessarily be understood as a cyclical process of continual improvement of the prevention, absorption, recovery and adaptation of the system. Figure 2 presents a cycle showing the strengthening of resilience from the original level (i.e., the black dashed line) to a new level (i.e., the red dashed line). The difference between these levels Δ is the degree of resilience strengthening.

**Figure 2.** Critical Infrastructure Resilience Cycle (Rehak et al. 2018a).

In reference to the above, it can be noted that the resilience of critical infrastructure elements is determined by four components, which are resistance, robustness, recoverability and adaptability (NIAC 2009). Resistance is the ability of an element to protect itself from the occurrence of a disruptive event, i.e., prevention (Sugden 2001). Robustness is the ability of an element to absorb the impacts of a disruptive event without experiencing fluctuations in the provision of services, i.e., absorption (Stochino et al. 2019). Recoverability is the ability of an element to recover its activity to its original state or required operation level, i.e., recovery (Slivkova et al. 2017). Adaptability is the ability of an organization to adapt its element to the recurrence of an already occurred disruptive event-to learn from the past addressed disruptive events, i.e., adaptation (Denyer 2017). These components are further determined by individual variables, which are presented in Table 1.

**Table 1.** Components and variables determining the resilience of critical infrastructure elements (adjusted according to Rehak et al. 2018a).


Resistance, robustness and recoverability are the foundation blocks of the technical resilience of critical infrastructure elements. These three components are determined in each element by three basic factors, which are the technological structure of the element, the element security measures and disruptive events, which are affected by resilience (Rehak et al. 2019).

Aside from technical resilience, the protection of critical infrastructure elements is also ensured by organizational resilience, which is created uniformly for all elements of the given operating organization (Rehak 2020). The organization's management assesses and strengthens this type of resilience from the prevention phase onward, and uses previous experience from dealing with elimination and recovery work processes to adjust the level of internal processes that are necessary in the critical infrastructure element adaptation phase.

### *2.3. Disruption of Resilience of Critical Infrastructure Elements*

The technical organizational level of resilience of critical infrastructure elements can be disrupted by the impact of a disruptive event. Disruptive events are the harmful effects of forces and phenomena caused by human activity and natural events, but also technical accidents that can endanger an element of the critical infrastructure. Within the context of the critical infrastructure, these disruptive events are caused by the negative impacts of threats, which can be classified into six basic categories (see Table 2).

**Table 2.** Classification of categories of threats to critical infrastructure elements (Rehak et al. 2019).


These threats are divided into internal and external, depending on the environment. Further division is then made based on the type of impact, naturogenic, technogenic or anthropogenic. This threat classification is based primarily on the Peril Classification and Hazard Glossary (IRDR 2014). The cascading threats category was added to the existing list due to the possibility of tracking the spread of failures across the critical infrastructure system due to cascading effects (Rinaldi et al. 2001; Rehak et al. 2018b).

During the course of an ongoing threat, the purpose of resilience is to protect the critical infrastructure element from the disruption of its function and to aid it in its recovery and adaptation to this event. During the threat's impact, however, it is being gradually weakened, which may lead to the disruption of the resilience itself. This state occurs mainly in the prevention phase, when the resistance of an element protects it from the occurrence of a disruptive event, and in the absorption phase, when the robustness of an element absorbs the impacts of an ongoing disruptive event.

### **3. Managerial Decision Making in the Critical Infrastructure System**

The same rules for managerial decision making in critical infrastructure entities apply as in other organizations. Managerial decision making is a process which consists of six basic steps, namely setting managerial objectives, searching for alternatives, comparing and evaluating alternatives, the act of choice, implementing decisions and follow-up and control (Harrison 1999; Cifuentes 1972). This process is used for both general and specific activities. The general activities particularly include the decision making associated with the everyday management of the organization, planning or problem-solving. On the other hand, specific activities are those associated with the organization's specific focus.

The critical infrastructure entities' main activity is to provide services necessary for ensuring the security of the state and satisfying basic human needs (European Council 2008). Managerial decision making is implemented primarily in the phase of the identification and determination of critical infrastructure elements and their subsequent protection. For example, in the Czech Republic, critical infrastructure protection falls within the domain of crisis management (Rehak et al. 2016; Bartosikova et al. 2014). The main goal of critical infrastructure element protection is the management of such risks that can cause the disruption or failure of the function of these elements.

Risk management, within critical infrastructure protection, is based on general risk management principles (ISO 2018). The basic activities within risk management are the assessment and management of risks affecting the functioning of the critical infrastructure element (Rehak et al. 2016). Important work is continuously being published about this area, e.g., Risk assessment methodologies for critical infrastructure protection (Giannopoulos et al. 2012; Theocharidou and Giannopoulos 2015), Risk management goals and identification of critical infrastructures (Fekete et al. 2012), Risk management in critical infrastructure—Foundation for its sustainable work (Bialas 2016) and Applying risk management process in critical infrastructure protection (Luskova and Dvorak 2019). These publications focus primarily on the risk management process and the methodology of risk assessment and management.

However, the development of security engineering is accompanied by the identification of new possible approaches to protecting critical infrastructure elements, e.g., in the area of Indication of critical infrastructure resilience failures (Rehak et al. 2017). The disruption of resilience causes the weakening of the protection of the critical infrastructure elements, due to which they are more vulnerable, leading to the possibility of their disruption or failure of their function. Due to this, the predictive identification process is a very beneficial approach, but has not yet been properly defined. At the same time, it is worth noting that the implementation of risk management in decision-making processes leads to the timely identification of potential risks, which can then be taken into account in individual phases of the decision-making process, especially in finding, comparing and evaluating alternatives to security measures (ISO 2018).

### **4. The Process of Indicating the Disruption of the Resilience of Critical Infrastructure Elements**

The indication process consists of eight interconnected steps (see Figure 3), which provide the assessor with comprehensive instructions for assessing a possible disruption of the resilience of critical infrastructure elements. At the same time, it enables the assessment of the element's current level of resilience to disruptive elements and forms the basis for the decision to implement a security measure, which will make it possible to mitigate the impacts of the disruptive events weakening the resilience of the element. The resilience disruption indication process, among other things, sets the limit of exhaustion of the resilience absorption capacity, i.e., the limit beyond which the function of the element fails or is disrupted.

**Figure 3.** The process of indicating the disruption of the resilience of critical infrastructure elements.

The starting point for the creation of this process was to identify the absence of an approach suitable for indicating the disruption of the critical infrastructure elements' resilience. The current approaches are focused only on the assessing and strengthening of critical infrastructure resilience. Based on this fact, the authors created the process presented below, the essence of which is the analysis of the current state of interest of critical infrastructure and the subsequent introduction of optimal security measures contributing to good governance and cost-effective use of institutional funds. The methodological basis of this process is mainly the managerial and engineering methods presented in Figure 3.

### *4.1. Step 1: Selection and Description of a Critical Infrastructure Element*

The first step of the process of indicating the disruption of the resilience of a critical infrastructure element is selection and subsequent description. The selection of the element is based on the participative decision making of interested parties, i.e., owners and operators of the critical infrastructure. In this step, it is appropriate to use methods which consist in the identification, assessment, assignment of weight and determination of the best possible option out of the selection. Methods that can be used for this purpose include, e.g., Multi-Criteria Analysis (Figueira et al. 2005), the Method of Paired Comparisons (David 1969) or methods of data mining and machine learning (Zagorecki et al. 2013). These methods take into account the type of element, its strategic significance, substitutability, security or its main vulnerability.

The aim of multi-criteria decision making is to determine one specific critical infrastructure element of the same type, which will be analyzed in detail. To this end, there are decision criteria made, i.e., properties of the element (quantitative or qualitative), according to which the individual or team will assess the element. The portfolio of criteria is based on the preferences of the assessor. Each criterion is assigned a weighting factor which expresses the importance of the individual criteria in comparison to others.

After selecting an element, it is necessary to characterize it, for example, with the help of functional analysis (Kantorovich and Akilov 1982), to provide a comprehensive identification of the element, define and describe its individual functions that are key to the operation of the element. The analysis must be made with regard to the element's ability to absorb the impact of disruptive events. It is important to focus on the selected element's structural and performance parameters, i.e., its topological structure (point, linear or planar element) and key technologies (number and performance of the element's crucial processes and technologies).

### *4.2. Step 2: Selection and Description of the Threat Category of Interest*

The threats which negatively impact the element can be grouped into a number of categories depending on the environment in which they occur and their nature (see Table 2). Within this step, it is necessary to select and then describe the specific threat category. It is appropriate to apply risk management in this selection process (ISO 2018), which will help to identify the threat category to which the examined element is most vulnerable.

### *4.3. Step 3: Determination of the Level of Resilience of a Critical Infrastructure Element*

Determining the level of resilience of a critical infrastructure element is a crucial step in the process. This step provides information about the realistic level of resilience to a specific threat and is the basis for setting security measures. The resulting element resilience level is used as a basis for selecting indicators and setting the limit of the exhaustion of the absorption abilities of resilience.

The level of resilience of the selected element is determined with the help of specific methods (Rehak et al. 2019; Alheib et al. 2016; Bertocchi et al. 2016; Petit et al. 2013). It is appropriate to use the Critical Infrastructure Elements' Resilience Assessment (CIERA) method (Rehak et al. 2019), which provides an overall picture of the element's resilience, its components and variables. This method systematically assesses individual measurable variable items with respect to the threat category. One of the outputs of the CIERA method is data sheets of measurable items which are divided into sections according to their resilience level. These data sheets can be used as a basis for creating a proposal for measures for strengthening the resilience of the element. The resulting resilience levels are subdivided according to the CIERA methodology (Rehak et al. 2019) into five levels (see Table 3).

**Table 3.** Comparative table for the assessment of the element's resilience level (Rehak et al. 2019).


### *4.4. Step 4: Identification of Indicators of Resilience Disruption*

The fourth step of the process is the identification of indicators, i.e., indicators signalizing the disruption of resilience, most likely causing the degradation or failure of the element's key functions. These indicators are the individual security threats that are classified on the basis of Table 2. The threats may be identified using specially designed methods (IEC 2019). Examples of these include Fault Tree Analysis—FTA (IEC 2006a), Preliminary Hazard Analysis—PHA (Ericson 2005), Failure Mode and Effects Analysis—FMEA (IEC 2006b) or a combination thereof.

In the first phase of this step, the FTA method can be used, which finds the possible causes of the degradation of the element's resilience by gradually dividing and analyzing the peak event. Subsequently, it is appropriate to use PHA or FMEA methods, which provide information on the severity or consequences of the threat. Among other things, they provide the possibility of assigning possible measures to individual threats. The assessor will thus have a summary document on security threats.

### *4.5. Step 5: Identification of Indication Parameters*

Indicators must be functional, meet certain conditions and, above all, must provide informative values. So-called indication parameters of individual threats are set to meet these conditions. In the fifth step, in the process of indication of the disruption of an element's resilience, a detailed analysis of individual threats must be performed. Each identified threat has specific properties, such as its character, degree or level of danger, according to which they can be measured, assessed and compared or their level of danger to the element. These values, i.e., indicative threat parameters, are compared with the element's resilience level in Step 6. For example, extreme wind, which falls into the group of meteorological threats, is measured using the Beaufort scale (RMetS 2018). The individual values of this scale determine the indication parameters of this threat. An example of the classification of indication parameters for the threat of "extreme wind" is presented in Table 4.


**Table 4.** Example of classification of indication parameters for the threat of "extreme wind".

The percentage expression of threat indication parameters is organized into five levels based on the impacts of these threats on the critical infrastructure element. While the 0% level of the indication parameter represents no threat to the element, 100% is critical for the element and the failure of the function of the element is assumed with fatal consequences. The example presented above shows that the indication parameters are defined only for those threat levels which can potentially disrupt the function of the critical infrastructure element. For this reason, levels below 62 km/h on Beaufort's scale are not included in the extreme wind indication parameters (RMetS 2018).

Indication parameters can be identified through a graphical–analytical technique known as a Tree Diagram (Salkind 2007). This is a systematic tool which determines detailed information characterizing a threat (e.g., its intensity, danger level, frequency of occurrence) by gradual linear processing. Subsequently, it is possible to set specific values for the indication parameters in the context of the expected impacts with the use of an Affinity Diagram or Relation Diagram (Graham and Cleary 2000).

### *4.6. Step 6: Determination of the Disruption Limit of Element Resilience*

The threat indication parameters themselves can only tell us about threats. Therefore, it is necessary to compare these threat parameters with the corresponding resilience of the element and to set a certain limit. The limit is the maximum threat level that the element's resilience is able to absorb (Rehak et al. 2019). If this limit is exceeded, it is assumed that the element's resilience is disrupted, which may result in the failure of its function. This limit is determined based on a comparison of the already-calculated level of resilience (Step 3) and the indication parameters of the threats (Step 5), i.e., their value, nature, degree or level of danger.

The resulting limit varies depending on the level of resilience of the critical infrastructure element. The higher the element resilience level, the higher this limit is (Rehak et al. 2019). This means that the element is able to withstand a higher impact of a given threat, up to the level of the corresponding relevant indication parameter (Rehak et al. 2018a). For example, an element with an acceptable level of resilience (i.e., 69–84%) is able to withstand the effects of a violent storm (i.e., 61–80%). Exceeding the set limit indicates an insufficient level of resilience and the subsequent disruption or failure of the critical infrastructure element.
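The comparison described in Steps 5 and 6, as an added Python example (not the authors' code). The wind-speed bounds are the standard Beaufort scale; the equal 20% band per Beaufort force, the conservative comparison rule and all function names are assumptions, chosen to agree with the pairing stated above (violent storm = 61–80%, absorbed by an element with acceptable resilience).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Lower wind-speed bounds (km/h) of Beaufort forces 8-12. The text excludes
# everything below 62 km/h from the "extreme wind" indication parameters.
BEAUFORT_BANDS = [
    (62.0, 8, "gale"),
    (75.0, 9, "strong gale"),
    (89.0, 10, "storm"),
    (103.0, 11, "violent storm"),
    (118.0, 12, "hurricane"),
]

# From the text: an element with acceptable resilience (69-84%) withstands a
# violent storm (61-80%), so its disruption limit is the top of that band.
# Limits for other resilience levels depend on Tables 3 and 4 and must be
# supplied by the assessor.
LIMIT_ACCEPTABLE_PCT = 80


@dataclass(frozen=True)
class Indication:
    force: int      # Beaufort force
    name: str       # Beaufort description
    low_pct: int    # lower edge of the indication-parameter band
    high_pct: int   # upper edge of the indication-parameter band


def indication_parameter(wind_kmh: float) -> Optional[Indication]:
    """Step 5: map a measured wind speed to its indication-parameter band."""
    if wind_kmh < 0:
        raise ValueError("wind speed cannot be negative")
    match = None
    for index, (lower, force, name) in enumerate(BEAUFORT_BANDS):
        if wind_kmh >= lower:
            # ASSUMPTION: five equal bands of 20 percentage points each.
            match = Indication(force, name, index * 20 + 1, (index + 1) * 20)
    return match  # None means the wind is below any indication level


def assess(wind_kmh: float, limit_pct: int) -> str:
    """Step 6: compare the threat's indication parameter with the limit."""
    indication = indication_parameter(wind_kmh)
    if indication is None:
        return "no indication"
    # ASSUMPTION (conservative): the limit counts as exceeded as soon as any
    # part of the threat's band lies above it.
    if indication.high_pct > limit_pct:
        return "limit exceeded"
    return "within limit"


def first_exceedance(series: List[Tuple[str, float]],
                     limit_pct: int) -> Optional[str]:
    """Return the timestamp of the first measurement that exceeds the limit."""
    for timestamp, wind_kmh in series:
        if assess(wind_kmh, limit_pct) == "limit exceeded":
            return timestamp
    return None


# Constructed sample: hourly wind measurements (km/h) at a hypothetical element.
SAMPLE_SERIES = [
    ("06:00", 48.0),
    ("07:00", 66.0),
    ("08:00", 91.0),
    ("09:00", 110.0),
    ("10:00", 121.0),
]

if __name__ == "__main__":
    for timestamp, wind_kmh in SAMPLE_SERIES:
        print(timestamp, wind_kmh, assess(wind_kmh, LIMIT_ACCEPTABLE_PCT))
    print("first exceedance:",
          first_exceedance(SAMPLE_SERIES, LIMIT_ACCEPTABLE_PCT))
```

With the constructed series, the element with acceptable resilience stays within its limit through the violent storm at 09:00 and is indicated as disrupted only once hurricane-force wind is measured at 10:00.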

### *4.7. Step 7: Defining, Comparing and Evaluating Alternatives to Security Measures*

If there is a risk of disrupting the element's resilience, it is necessary to perform this next step, which is the definition, comparison and evaluation of security measures. The first phase of this step is to clearly define security measures, i.e., define their character (suitability of a measure, acceptability, feasibility, does the element have the necessary requirements for implementing the security measure, etc.). Subsequently, it is necessary to compare and evaluate the identified alternatives. The most suitable method for this phase is Multi-Criteria Analysis (Figueira et al. 2005) where, provided with a set of decision criteria and the linkages between them, it is possible to find the option which scores the highest in each criterion (see Figure 4). It is important to set security measures after consulting critical infrastructure operators and other competent persons who have the exclusive decision-making right over the entire element. For this purpose, it is appropriate to use the Brainstorming method (Curedale 2013).


**Figure 4.** Comparison and evaluation of security measures on decision-making criteria (IEC 2005).

The comparison and evaluation of possible alternatives to security measures are carried out on the basis of the three key decision criteria listed in Figure 4. The cells in red represent those measures that are unsuitable to implement due to the excessive financial costs for the critical infrastructure entity and due to the time needed to implement these security measures being disproportionate to their effectivity. The orange cells represent those types of security measures whose effectiveness is acceptable in terms of the time needed for implementation, and the financial costs are comparable with current operational costs. The green cells represent the security measures that can be implemented immediately or within a few days with high effect and minimum costs.

### *4.8. Step 8: Implementation of Security Measures and Feedback*

If a suitable security measure option is chosen, it is possible to continue to the last step of the process of indicating a disruption of resilience. The implementation of measures, i.e., the process of preparation of the implementation of security measures set out in Step 7, will be carried out with the help of a so-called implementation plan (see Figure 5). This plan consists of a set of activities with the aim of effectively and systematically implementing measures in a pre-determined time.

**Figure 5.** Sub-process of implementation of security measures (Blumenthal and Stoddard 1999).

The first step of the implementation sub-process is the publication of internal documentation (policy, regulation, rule). Then, it is necessary to designate and inform competent persons about the changes which are to be carried out. Then, the implementation of the measure itself can begin. It shall be continuously monitored, and in the event of deficiencies, this step will be adapted to the current conditions (updated). This update step retroactively adjusts the gradual implementation of the measures.

The process of indicating a disruption of a critical infrastructure element is based on the PDCA method (Tague 2005). It is precisely the principle of this method which makes it possible to review the effectiveness of the implemented security measures. Their effectiveness can be evaluated on the basis of an internal audit (Institute of Internal Auditors 2020) of the critical infrastructure element and on a subsequent Comparative Method (Collier 1993), the purpose of which is to compare the assumed requirements of the security measure with the actual state. The result is a table that provides an overall picture of fulfilled expectations. If these expectations are not fulfilled, this implementation process becomes insufficient. This is why it is suitable to reevaluate the element's resilience level by re-performing Step 3, in which specific deficiencies of the security measures and associated risks can be identified. This step completes the entire process of the indication of the critical infrastructure element's resilience.
