Method for Risk Factory Metrics

The concepts for the Middleware Improved Technology (architecture, components, communication structure) which will be developed within the project IRRIIS have to be evaluated with respect to the IRRIIS scenarios and general objects. This evaluation will give important feedback to the development process.

A main objective of IRRIIS is to develop improved communication services between large complex critical infrastructures (LCCIs). The basic idea for suitable risk factor metrics is to assess risk level with MIT concepts and without MIT concepts (LCCIs with MIT versus without MIT)., i.e. the metrics will be relative. The absolute metrics is hardly possible to create.

The objectives of operators in LCCI sector and regulating aspects on EU and national-level set the frames (borders) for development of risk factor metrics, in other words they provide reasons for an assessment.

The risk management should include both reactive and proactive measures. The communication with MIT can also be seen as proactive measures and without MIT as reactive measures in the risk management when it is viewed from holistic perspective of LCCI.


  • The well-known Risk Metrics includes both Probability and Impact of risk
  • Probability and Impact can be assessed by numeric value, e.g. from 1 to 5, where 1 means low and 5 means high
  • Common way is to multiply Probability and Impact to get Risk Factor
Risk Factor = Probability * Impact
But this is insufficient for connected LCCI's
  • Critical Infrastructures are very complex with several layers, therefore it is needed to take into account Layer, too
  • Layers are as follows: Business, Service, Cyber and Physical
Overall Risk Factor = Layer Factor * Probability *Impact

Mr. Heimo Pentikäinen, VTT