The protection of critical infrastructures (CI) is a complex task, since it involves the assessment of both internal and external security risk. In the recent literature, methodologies have been proposed that can be used to identify organisation–wise security threats, or even first–order dependency risk (i.e., risk deriving from direct dependencies). However, there is a lack of work in the area of multi–order dependencies, i.e., assessing the cumulative effects of a single incident, on infrastructures that are connected indirectly. In this paper, we propose a method to identify and assess multi–order dependencies. Based on previous work, we utilise existing first–order dependency graphs, in order to assess the effect of a disruption to consequent infrastructures. In this way, it may be possible to identify and prevent security threats of very high impact from a macroscopic view, which would be hard to identify if we only examine first–order dependencies. We also present a scenario, which provides some evidence on the applicability of the proposed approach.
Keywords: critical infrastructure protection, risk assessment, criticality, multi–order dependencies, critical infrastructures, security risks, dependency graphs, security threats