A Group Model Building approach for identifying Simulation Scenarios in Critical Infrastructure Finn Olav Sveen University of Agder, Gjøvik University College, Norway finnos@uia.no Eliot Rich University at Albany, SUNY, USA e.rich@albany.edu Jose Manuel Torres TECNUN (University of Navarra), Spain jmtorres@tecnun.es Josune Hernantes TECNUN (University of Navarra), Spain jhernantes@tecnun.es Jose J. Gonzalez University of Agder, Gjøvik University College, Norway jose.j.gonzalez@uia.no Abstract Table-top and field simulation exercises are common tools for learning and practicing responses to unplanned IT security and critical infrastructure (CI) events. Preparing, executing and debriefing complex exercises are expensive and time consuming. Computer simulations can generate numerous potential scenarios and focus exercises on those that generate the most informative results. Credible scenarios must be based on a grounded causal structure that drives the dynamics of the crisis and response. As part of a project to examine a CI & IT crisis with cross-border effects we used Group Model Building (GMB) and system dynamics to develop plausible scenarios. Expert consensus was achieved about the crisis causal structure “driving” the event into a cross-border crisis. The model shows the negative effects of uncoordinated single country action on crisis perception and resource misallocation, in turn escalating crisis duration and severity. It is particularly severe if the crisis is exacerbated by ICT failures. 1. Introduction Critical Infrastructure Protection (CIP) is an extremely complex challenge involving knowns and unknowns. Particularly worrying are the “unknown unknowns” – such as particulars about threats and hazards; uncharted factors deriving from interdependencies and cross-border interactions; emergent technical, organizational, human and cultural dynamic relations in pre-crisis, crisis and post-crisis situations. The role of ICT in infrastructure crisis management is critical. In the 2003 North American blackout, serious faults in the high voltage power transmission network were not discovered because an operations center alarm system stalled shortly before the faults occurred [1]. The failure of the alarm software and subsequent human error allowed a cascading effect that left 50 million people without power. Another example comes from the handling of hurricane Katrina. “Hurricane Katrina devastated communications infrastructure across the Gulf Coast, incapacitating telephone service, police and fire dispatch centers, and emergency radio systems.” [2] Consequently, local, State, and Federal officials were forced to depend on a variety of conflicting reports from a combination of media, government and private sources. These provided inaccurate or incomplete information which limited the understanding of the situation in New Orleans. “In fact, some uncertainty about the specific causes and times of the breaches and overtoppings persists to this day.” [2] National agencies for civil protection employ simulation exercises to improve prevention and early detection of crises, crisis management, damage mitigation and crisis recovery. Simulation exercises challenge the participants to manage a crisis scenario. The desired CIP improvement requires the recognition of security gaps, followed by an analysis and lesson learned phase, with subsequent implementation of improved crisis planning. A “good” simulation exercise reveals major security gaps and allows the participants to practice crisis management skills, increasing preparedness and ability to handle a real crisis. Although highly useful, exercises are expensive because the many participants have to take time away from their normal day-to-day duties. Participation 1 Proceedings of the 43rd Hawaii International Conference on System Sciences - 2010 978-0-7695-3869-3/10 $26.00 © 2010 IEEE