CRITICAL INFRASTRUCTURE ASSET IDENTIFICATION: A MULTI-CRITERIA DECISION SYSTEM AND AVIATION CASE STUDY by CHRISTINE OGECHUKWU IZUAKOR B.S. DeVry University, 2010 M.S. University of Houston, 2012
A dissertation submitted to the Graduate Faculty of the University of Colorado Colorado Springs In partial fulfillment of Requirements for the degree of Doctor of Philosophy Department of Computer Science 2016
© 2016 CHRISTINE OGECHUKWU IZUAKOR ALL RIGHTS RESERVED
This dissertation for the Doctor of Philosophy Degree by Christine Ogechukwu Izuakor has been approved for the Department of Computer Science by
Edward Chow, Chair
Richard White, Co-Chair
Terry Boult
Bill Ayen
Chris Bronk
Date: ______
ii
Izuakor, Christine Ogechukwu (Ph.D. Engineering – Security) Critical Infrastructure Asset Identification: A Multi-Criteria Decision System and Aviation Case Study Dissertation directed by Professor Edward Chow and Assistant Research Professor Richard White
ABSTRACT In a world where terrorism, natural disasters, and unknown unknowns threaten the security posture of various nations, comprehensive risk management remains the recommended action for protection of critical infrastructure. Furthermore, the threat landscape is rapidly evolving as critical infrastructures more heavily rely on cyber technology and are exposed to greater cyber risks. In response, effective risk management first requires a fundamental understanding of which assets are critical.
Today, countries struggle with efforts to identify these critical assets making it difficult to accurately assess risks and allocate scarce resources to protect those assets of the greatest criticality and risk.
Currently, there is not a clearly defined best practice methodology for identifying critical infrastructure. Through this research we have found that it is infeasible to even atte pt to esta lish a o e size fits all ethod fo doi g so. I stead, e e o e d that critical asset identification be viewed as an objective-based decision process, where decision makers can establish tailored methodology for identifying assets based on specific objectives.
iii
The major contributions of this research are: 1) A complete, reproducible, documented, and defensible decision system (CIAid) that can be used to develop a critical infrastructure asset identification methodology by following an objective framework, 2) A methodology comparison function that leverages Technique For Order
Preference by Similarity to Ideal Solution (TOPSIS) multi-criteria decision making methodology to compare alternative methods where user constraints will not support adoption of the originally recommended CIAid methodology, 3) An aviation case study inclusive of aviation criteria analysis, expert survey validation, a sample aviation asset dataset, and an example tiered critical aviation asset list, 4) A process for selecting and applying TOPSIS to a critical infrastructure problem.
Using the CIAid tool, the Department of Homeland Security and comparable international organizations can use their own unique objectives to create customized critical infrastructure asset identification methodologies. Within the aviation sector, this research can also be used to strengthen the identification and protection of critical aviation assets.
iv
DEDICATION
In loving memory of my dearest little cousin. Thank you for being my light. You are everything. Long live Chikosolu Ughanze.
August 1994 – April 2015
v
ACKNOWLEDGEMENTS
This journey has been an exciting rollercoaster of stimulating challenges, joyful discoveries, and insightful failures. I did not walk this path alone, and truly appreciate the support I have received from so many friends, family, colleagues, and associates.
First, I would like to thank my parents and Uncle Matt for motivating me to reach beyond the stars and be the best that I can be. Thanks mommy for being my number one cheerleader and prayer warrior along the way. Thanks to my wonderful siblings
Chika, Nk, and Obi for being my best friends and inspiring me every day. Thank you to my amazing cousins, uncles, and aunts. I wish I could name each and every one of you from Australia to Houston. You all mean the world to me and I appreciate you. Gech,
Tema, Bree, Tranette, Brax, CJ, Ian, and many other countless epic friends, thank you for being here for me.
I am also blessed with a wonderful team at work. Thanks to all of my colleagues and professional network for your unending support and participation in surveys, discussions, paper editing, and more. A special thanks to Mary Hickey, Dan McSweeney,
Sergei Vasilevsky, Faye Francy, and Patrick Mana for spending time to review and validate my research. Thanks to Andrea Webster for connecting me to so many helpful resources.
Endless thanks to my esteemed committee for challenging and preparing me to execute and deliver on my research goals. A special thanks to Dr. Chow for believing in me when I expressed interest in beginning this journey, and thanks to both Dr. Chow
vi and Dr. White for spending countless hours guiding me through the entire process. I