Introduction

The maintenance of vital societal functions and the supply of essential services by critical infrastructures under pressing conditions and without major failure is of utmost importance to our society. However, critical infrastructures are vulnerable to a multitude of stresses. Lessons from disasters like large-scale power outages (Anderson et al., 2007; Busby et al., 2021), terrorist attacks (Santos, 2006), cyber-attacks (Ghafur et al., 2019) and the still ongoing covid-19 pandemic (Goel, Saunoris, and Goel, 2021) have shown that disruption of infrastructure-based services can directly or indirectly affect other critical infrastructures through a complicated web of interdependencies; not only affecting the national and global economy, but also our national security (Lewis et al., 2013). The situation is exacerbated not only by mitigating the impacts of climate change, but also by the proliferation of digital technologies that continue to add complexity to our critical infrastructures as well as novel hybrid threats (Cullen and Reichborn-Kjennerud, 2017; Giannopoulos, Smith, and Theocharidou, 2021). Understanding the fragility induced by multiple interdependencies and improving the resilience of critical infrastructures therefore becomes a matter of urgency and a priority for national security (Chang, 2009; Helbing, 2013; Oughton et al., 2018; Rinaldi, et al., 2001; Vespignani, 2010). At the 2021 Brussels Summit, NATO Member States therefore agreed to enhance their resilience and to “develop a proposal to establish, assess, review and monitor resilience objectives to guide nationally-developed resilience goals and implementation plans” (NATO, 2021a). However, NATO Allies do not provide any guidance on how to do so in the Summit Communiqué, which merely states that it “will be up to each individual ally to determine how to establish and meet national resilience goals and implementation plans” (NATO, 2021a).

Critical infrastructures undergo constant interaction and exchange with their economic, social and natural environments. In addition, in free market economies, there is no single entity in control of the system. Critical infrastructures are therefore often characterised as complex sociotechnical systems (Oughton et al., 2018). Despite this insight since the seminal work by Rinaldi et al. (2001), conventional critical infrastructure protection strategies where risks are analysed, evaluated and treated individually as e.g. implied by the ISO 31000 standard, are still used. With increasing interconnectedness between critical infrastructure sectors following digital transformation and electrification, such strategies may lead to siloed risk management and are at the risk of becoming insufficient (Helbing, 2013). The situation is exacerbated by the historically fragmented governance of critical infrastructures spanning several government departments (Oughton et al., 2018). Future strategies to strengthen the capability of critical infrastructures to cope with disruptions should therefore build on the principles of resilience and adaptation (Hollnagel, Woods, and Leveson, 2006; Schulman, 2022; Woods, 2020).

Following Oughton et al. (2018), we argue that the implementation of resilience and adaptation strategies for critical infrastructures at the national level is hampered by the low availability of easy-to-use frameworks building upon complexity theory-based system-of-systems approaches. Furthermore, as argued by Dolan (2018), with the absence of a shared strategic vision of the desired outcomes that infrastructure is expected to enable (purpose), it is not possible to fully evaluate system performance gaps or assess infrastructure needs. There is therefore a need for long-term, system-scale and cross-sector approaches to critical infrastructures resilience and planning efforts (Otto et al., 2016).

Cognitive work analysis (CWA) is a well-suited framework for the analysis, design and evaluation of complex sociotechnical systems (Naikar, 2013; Vicente, 1999). In particular, CWA defines the work demands for such systems in terms of constraints on actors, thus placing limits on behaviour (Naikar, 2013). Despite such limits, there are still many degrees of freedom for action in complex sociotechnical systems; in fact more than can be prescribed a priori. CWA therefore promotes designing for adaptation where actors within the system are allowed to adapt their behaviour as they find appropriate without violating the system’s constraints (Naikar, 2013). CWA is thus formative in the sense that it reveals how work can be done in a system. This is important because it is not feasible to prescribe, describe and risk assess all possibilities for action that are available in complex sociotechnical systems, especially when dealing with unforeseen events.

In this study, we propose CWA, in particular the work domain analysis (WDA) phase of CWA, as an approach to support critical infrastructure public policy decision-making at the national level. The novelty of this approach is that it will aid decision-makers with the development of more coherent and effective infrastructure planning and resilience policies through a system-of-systems approach that is grounded in theory for complex sociotechnical systems. In particular, the proposed approach will aid decision-making related to the overall purposes of the critical infrastructure system, the values and priority measures that are used to assess the system’s progress towards the functional purposes, as well as formulation of infrastructure needs that are necessary to achieve the functional purposes. The proposed approach complements and can be used in conjunction with other proposed approaches for infrastructure public policy decision-making (Dolan, 2018; Oughton et al., 2018). To demonstrate the broad applicability of the framework, both civilian and defence-related critical infrastructure use cases will be exemplified.

Methods

Work Domain Analysis

The CWA framework consists of five phases: work domain analysis (WDA), control task analysis, strategies analysis, social organisation and cooperation analysis and worker competencies analysis (Naikar, 2013; Vicente, 1999). Only the WDA phase has been applied in this work. In the WDA phase, the functional structure of the system is described by identifying the purposes, values and priorities, functions, processes and object-related constraints of the work domain. As such, the WDA describe the fundamental reasons and resources for the different actors’ behaviour within the work domain (Naikar, 2013).

The WDA consists of an abstraction hierarchy analysis and a part-whole decomposition. Together, the abstraction hierarchy and the part-whole description form the abstraction-decomposition space (ADS) for which the system constraints apply. Since WDA is event-independent, the identified system constraints, e.g. the identified values and priorities, are applicable to many different situations, including unanticipated events.

The abstraction dimension of the WDA spans the set of concepts for describing the functional structure of the system (Naikar, 2013; Vicente, 1999). This is done by employing the abstraction hierarchy method which uses means-ends links to show relationships between nodes across different levels of abstraction. Linked nodes above a node under consideration (the ‘what’) describe ‘why’ that node is required, while linked nodes below the node describe ‘how’ the node is achieved. In the context of this study, a node can e.g. be a critical infrastructure system or an infrastructure asset. By applying the how-what-why triad four times, an abstraction hierarchy for identification of critical entities providing essential services for maintaining vital societal functions can be developed as illustrated in Figure 1.

Figure 1.

Five-level abstraction hierarchy with the how-what-why triad illustrated.

https://securityanddefence.pl/f/fulltexts/146789/SDQ-39-00178-g001_min.jpg

The abstraction hierarchy proposed in this work is a modification of the usual five-level abstraction hierarchy (Vicente, 1999), and consists of the following conceptual levels:

  1. Functional purposes – The overall purposes of the system;

  2. Values and priority measures – The values that are assessed and used to measure the system’s progress towards the functional purposes;

  3. Purpose-related functions – The generalised functions of the system that are necessary to achieve the functional purposes;

  4. Infrastructure-related processes – The functional capabilities of the system’s assets that enable the purpose-related functions;

  5. Assets – The system’s assets that undertake the infrastructure-related processes;

Here, the original term ‘physical objects’ has been replaced by ‘assets,’ which is considered to be more appropriate for describing infrastructures. This abstraction hierarchy is therefore consistent with the definition of infrastructure suggested by Oughton et al. (2018), i.e. “the coordinated operation and management of a group of physical assets to perform a range of processes, thereby providing infrastructure services to users”.

It is important to note that the representations at the different levels of abstraction should be categories and not specific instances of a category. Furthermore, the means-ends relationships should be structural and not action means-ends relations (Naikar, 2013; Vicente, 1999). Consequently, nouns rather than verbs should be used to describe the different functions and objects in the work domain.

The decomposition dimension of the WDA provides levels of granularity for describing the functional purpose of the system (Naikar, 2013; Vicente, 1999). The levels of decomposition are connected by so-called part-whole relations; i.e., nodes at lower levels are functional parts of those at higher levels. For the purpose of this work and given the objectives of the proposed European Union (EU) COM(2020) 829 directive (European Commission, 2020), the following levels of decomposition are found expedient for describing vital societal functions:

  1. Whole system;

  2. Sectors;

  3. Sub-sectors;

  4. Types of entities.

The fourth level, types of entities, describes the types of public or private entities that provide the assets, and will aid the identification of critical entities in accordance with Article 5 of the proposed EU COM(2020) 829 directive (European Commission, 2020).

Selection of Use Cases

To illustrate the usability and the different aspects of the proposed framework, several critical infrastructure use cases were selected. EU critical infrastructures, as described in the proposed EU COM(2020) 829 directive (European Commission, 2020), were selected as the main use case in this study. This use case is considered relevant for many country-specific applications of the framework. In addition, Norway and the United Kingdom (UK) were included as use cases for the discussion of qualitative and quantitative values and priority measures, respectively, while NATO’s seven baseline requirements (NATO, 2021b) were used to illustrate the use of the framework for defence-related use cases. UK was selected out of relevance for the discussion of quantitative values and priority measures, while Norway was selected out of convenience.

Results and Discussion

Abstraction-Decomposition Space Applied to Critical Infrastructure Systems

The ADS for describing critical infrastructure systems is summarised in Table 1. As argued by Vicente (1999), each cell in the ADS offers a complete but different representation of the same work domain. The top left cell in Table 1 represents the functional purposes of the whole system, while the bottom right cell describes the types of entities for all of the individual assets in the system. It is often not necessary to populate the whole table since the solution is often found along the diagonal of the ADS as indicated by the shaded cells in Table 1. Still, it can be useful to define specific values and priority measures, e.g. resilience criteria, for the identified sectors, sub-sectors and types of entities.

Table 1

Abstraction-decomposition space for critical infrastructure systems with five levels of abstraction and four levels of decomposition. The shaded cells illustrate the relationship between abstraction and decomposition levels for critical infrastructure systems.

DecompositionWhole systemSectorsSub-sectorsTypes of entities
Abstraction
Functional purposes
Values and priority measures
Purpose-related functions
Infrastructure-related processes
Assets

In the following, the use of the ADS will be exemplified and discussed with critical infrastructures in the UK and the EU as use cases. Examples from Norway and NATO will be leveraged as well. As a starting point for the discussion, the work domain (the whole system) is to be considered as an open sociotechnical system consisting of critical infrastructure systems that are to be identified. The work domain is therefore to be considered as a system of systems.

Functional Purposes

The first level of abstraction in the ADS describes the purposes that the system, i.e. the system of systems, serves in its environment. That is, the system exists because the environment has certain needs and the system can fulfil these needs. As argued by Dolan (2018), such a strategic need assessment requires a clearly articulated systemic vision comprising sector-, solution- and technology-neutral desired outcomes which is understood and accepted. This is important in a defence and security context. First, it will be difficult to protect a system if the functional purposes of the system are not fully understood and accepted. Secondly, any solution- or technology-biased purpose description will shape the decisions made for the subsequent abstraction levels. Poor decision-making can result in “lock-in” effects that put the infrastructure systems on long-term path-dependent trajectories that can be hard to break away from due to, e.g. the financial or technological hurdles involved (Oughton et al., 2018).

Depending upon how the needs are described, who is the reference object for the need and which constraints are provided, different models of a system can emerge. For example, the purpose of the system can be to safeguard the basic needs of the population in the society. Here, one may say it is the population in the society that frames the constraints for the work domain. A different functional purpose can be to maintain national security, national defence and the functioning of the state. In this case, the national security act would provide a constraint on the work domain. A third functional purpose could be to safeguard the nation as a democracy and a state based on the rule of law and universal respect for human rights in accordance with the nation’s constitution. In this case, the constitution provides the constraint. A fourth type of need could be to maintain vital societal functions or economic activities in the EU internal marked in accordance with Article 1 of the proposed EU COM(2020) 829 directive (European Commission, 2020); consequently, the constraint is given by the directive. A last example of a need is the need to resist armed attack as described by Article 3 in The North Atlantic Treaty. Here, it is the Treaty that provides the constraints on the work domain. Understanding the functional purposes of the system is therefore essential for applying the ADS.

Values and Priority Measures

The values and priority measures level of abstraction provides two types of criteria: The first is measures for how well the system is progressing towards its functional purposes, while the second is criteria for comparing, prioritising and directing resources to the various purpose-related functions so that the functional purposes of the work system are fulfilled. Examples of the first type at the national level could be sustainability measures or levels of services, while the second could be resilience criteria. Since the criteria at this level of abstraction are invariants or relatively stable properties of the work domain, they provide guidance for reasoning from first principles when the system is confronted with stressful, unanticipated events.

Values and priority measures at the national level (whole system) may be difficult to describe quantitatively; such criteria are therefore usually qualitative. Taking the Norwegian Act relating to national security as an example, the values and priority measures for the system as a whole could be described as protection of national security interests. Such interests are defined as “Norway’s sovereignty, territorial integrity and democratic system of government, and general political security interests related to a) the activities, security and freedom of action of the highest state bodies; b) defence, security and contingency preparedness; c) relations with other states and international organisations; d) economic stability and freedom of action; e) fundamental national functions and the basic security of the population” (Security Act, 2019). In the Norwegian security act, fundamental national functions are defined as “services, production and other types of activity which are of such importance that a complete or partial loss of the function would have consequences for the State’s ability to protect national security interests” (Security Act, 2019). For the proposed EU COM (2020) 829 directive, the values and priority measures could be described as ensure the provision of essential services for the maintenance of vital societal functions or economic activities in the EU internal marked (European Commission, 2020).

Quantitative performance measures for infrastructure sectors are possible and have been taken by the UK National Infrastructure Commission (NIC) (National Infrastructure Commission, 2018). These performance measures provide clear guidance for how to assess and measure each infrastructure sector’s performance. For this purpose, Dolan et al. (2016) have proposed a conceptual approach for identifying outcome-oriented performance indicators for infrastructures, which has been applied by Carhart et al. (2016). However, because of infrastructure interdependencies, performance loss in one infrastructure sector may influence the performance of other infrastructure sectors. It is therefore necessary to define desired outcomes for the system as whole and not at a sector-by-sector level in order to define meaningful outcome-oriented performance indicators to evaluate cross-sectoral performance (Dolan et al., 2016). Indicators at the sectoral level may still be helpful to guide the development of such whole-system performance indicators.

For example, performance measures for critical infrastructure sectors can be used to quantify resilience (Bruneau et al., 2003). Although several definitions of resilience exist (Cereè, Rezgui, and Zhao, 2017; Curt and Tacnet, 2018; Haimes, 2009; Petersen et al., 2020; Wied, Oehmen, and Welo, 2020), most definitions are formulated around the system’s ability to reduce the chances of an undesired event and to maintain and recover its core functionality in case of disruption. By setting constraints on minimum system performance loss and recovery time before the service level is restored, risk-based resilience standards for critical infrastructure sectors can be put forward (FEMA, 2019; Poland, 2009). However, as discussed by Haimes (2009), such efforts should be contextualised to the risks to the system and their associated consequences. This calls for unified approaches to risk and resilience analysis and management (Aven, 2019). In addition, critical infrastructure sectors should undergo stress testing to evaluate whether they meet the resilience standards (Esposito et al., 2020).

Resilience standards as part of the values and priority measures for critical infrastructure systems at the national level should therefore be established on the basis of the national risk assessment. Here, it is important to take the scale of possible undesired disruptive events into consideration. Lessons from the Covid-19 pandemic have shown that the pace, duration and the geographic scale of a crisis, the interconnectedness of critical infrastructures and the associated cascading risks, and nation states’ capacity to prepare and respond are all important drivers for a crisis (Collins, Florin, and Renn, 2020). Thus, these are all important factors to take into consideration when establishing resilience standards. Furthermore, it is also important to take the vulnerabilities of critical infrastructure systems into consideration in the national risk assessment, since such vulnerabilities may translate into threat scenarios if they are exploited.

As argued by both the UK NIC (National Infrastructure Commission, 2020) and the proposed EU COM(2020) 829 directive (European Commission, 2020), resilience standards for critical infrastructure systems should be government’s responsibility and not the (usually) private entities providing the services. This is in agreement with the ADS proposed in this work since values and priority measures apply to the system as a whole. The UK NIC provides several reasons for this (National Infrastructure Commission, 2020): Firstly, the government will be involved when there are serious failures or risks are too high for private entities. Secondly, resilience is not properly valued on the market. Thirdly, because of interdependencies, failure to provide a service does not just affect the consumers of that particular service. Lastly, markets focus on those who can pay, while in a crisis the focus should be on those who are in need.

Purpose-Related Functions

As mentioned, purpose-related functions are functions that are necessary for fulfilling the functional purposes of the whole system. This requires coordination of the purpose-related functions in accordance with the values and priority measures. Furthermore, the functions are generalised functions to accommodate a wide variety of activities by the underlying levels of abstraction.

Purpose-related functions are typically decomposed into sectors where each sector would constitute a system. In the proposed EU COM(2020) 829 directive, the following ten sectors are identified (European Commission, 2020): (1) Energy; (2) Transport; (3) Banking; (4) Financial market infrastructures; (5) Health; (6) Drinking water; (7) Waste water; (8) Digital infrastructure; (9) Public administration; and (10) Space. These sectors can be translated into purpose-related functions by using nouns for describing the different objects of action, e.g. provision of energy, provision of transportation, provision of banking services, provision of financial market infrastructure services, provision of health services, provision of drinking water, provision of waste water services, provision of digital infrastructure services, provision of public administration services and provision of space-based services. In the context of this study, these purpose-related functions can be considered as vital societal functions because they provide essential services for the functional purposes of the EU internal market.

If we look at the functional purpose of maintaining civil preparedness in accordance with NATO’s seven baseline requirements, the following purpose-related functions can be described (NATO, 2021b): (1) Provision of critical government services; (2) Provision of energy supplies; (3) Management of uncontrolled movement of people; (4) Provision of food and water resources; (5) Management of mass casualties; (6) Provision of telecommunications; and (7) Provision of transportation. Several sectors can be involved in providing the purpose-related function. In order to deal with mass casualties for example, both rescue services and the health sector are required.

Infrastructure-Related Processes

The infrastructure-related processes level of abstraction describes the functional capabilities that enable the purpose-related functions in the work domain. Taking EU critical infrastructures (European Commission, 2020) as an example, the provision of electricity, district heating and cooling, oil, gas or hydrogen all contribute to the purpose-related function provision of energy. Likewise, air, rail, water and road transport services enable the function provision of transportation.

Assets

The last level of abstraction in the proposed ADS represents the assets that enable the higher-level processes and functions. Such assets can be both physical and non-physical assets. Taking the electricity sector as an example, assets for generation, transmission, distribution, storage and supply are needed in order to provide electricity. Infrastructures can therefore be represented as networks that are interconnected with the physical and non-physical assets, where the network representation models the infrastructure-related processes and the asset representation models the components that are required for providing the processes (Goldbeck, Angeloudis, and Ochieng, 2019; Oughton et al., 2018; Ouyang, 2014).

Interdependencies, object worlds and identification of critical entities

An infrastructure interdependency can be defined as a “bidirectional relationship between two infrastructures through which the state of each infrastructure influences or is correlated to the state of the other” (Rinaldi et al., 2001). Such interdependencies can be of many different types, see e.g. Ouyang (2014) for a review. Understanding the vulnerabilities induced by multiple interdependencies is generally considered one of the major challenges when it comes to improving infrastructure resilience (Chang, 2009). If the vulnerabilities can be exploited by an adversary, the vulnerabilities will translate into threat scenarios. Mapping of assets and their interdependency relations is therefore needed for risk management and improving infrastructure resilience.

The types of interdependencies proposed by e.g. Rinaldi et al. (2001), Zimmerman (2001) and Dudenhoeffer, Permann, and Manic (2006), see also Ouyang (2014) for a review, can be considered as caused-based interdependencies. Such dependencies could be of physical, informational, geospatial, procedural or societal types. In a recent study, Goldbeck et al. (2019) argued that effect-based classification of interdependencies is more important for modelling purposes, since interdependencies can yield similar effects despite having different causes. For this purpose, Goldbeck et al. (2019) proposed four types of effect-based dependency relations: (i) stochastic failure propagation, (ii) logic, (iii) asset utilisation and (iv) resource input dependencies. A framework for characterising infrastructure dependencies has also been proposed by Carhart and Rosenberg (2016).

This study proposes that ADS can be used as a tool to frame the mapping of interdependencies to different levels of abstraction and decomposition. Figure 2 shows a simple, yet illustrative example of how the ADS can be used to map interdependencies by using the dependency relations example provided by Rinaldi et al. (2001) for the electricity sub-sector that is a part of EU critical infrastructures (Table 2). As can be seen, the interdependencies are of both intra-sector and inter-sector types (Carhart and Rosenberg, 2016). Such interdependency mapping can inform policy and decision-making at the national level on risks across different infrastructure sectors as well as aid the identification of critical entities in accordance with the EU COM(2020) 829 directive (European Commission, 2020). It can also help inform entities to perform assessments of how their assets fit within and are affected by a broader web of interdependencies with other entities’ assets. Applying the ADS may therefore help to elucidate the structural complexity (Zio, 2016) of critical infrastructures at the national level.

Figure 2.

Simple, illustrative example of mapping of dependency relations (dashed arrows) for the electricity sub-sector using an abstraction hierarchy for EU critical infrastructures and an interdependency example provided by Rinaldi et al. (2001). The solid lines show the structural means-ends relationships.

https://securityanddefence.pl/f/fulltexts/146789/SDQ-39-00178-g002_min.jpg
Table 2

Abstraction-decomposition space for EU critical infrastructures using the electricity sub-sector as an example.

DecompositionWhole systemSectorsSub-sectorsTypes of entities
Abstraction
Functional purposesMaintain vital societal functions or economic activities in the EU internal marked
Values and priority measuresEnsure provision of essential services
Purpose-related functionsProvision of energy
Infrastructure-related processesProvision of electricity
AssetsGeneration;
Transmission;
Distribution;
Storage;
Supply

Furthermore, as mentioned in the introduction, critical infrastructure systems in free market economies do not, in general, have a single entity in control of the system (Oughton et al., 2018). On the contrary, the control is often distributed amongst several stakeholders and where governmental authorities have limited regulatory control. In addition, governance at the national level is often fragmented across several government departments. The UK and other countries such as Australia and New Zealand have therefore taken steps to coordinate infrastructure policy across government (Oughton et al., 2018).

In the context of the ADS proposed in this work, stakeholders’ interests and decision-making will occur at different levels of abstraction and decomposition. Consequently, different stakeholders will have different but overlapping views of the same system (work domain). Such views can be considered as different object worlds (Naikar, Hopcroft, and Moylan, 2005). Because of the overlap and interdependencies between different stakeholders’ object worlds, changes or effects in one stakeholder’s object world can propagate to other object worlds (Naikar et al., 2005). Finding ways for the different stakeholders to collaborate effectively is therefore necessary for improving risk management. The ADS proposed in this work will help to elucidate and frame the object worlds of different stakeholders and decision-makers thus aiding the mapping of interdependencies and the coordination of policies across different infrastructure sectors.

Limitations

The limitations of this study pertain to the applicability of WDA in general and to critical infrastructure systems in particular. Although the usefulness of WDA has been demonstrated by many studies (Naikar, 2017), there is generally a lack of validation of such models (Rechard et al., 2015). Put simply, validation deals with building the right model (Rykiel, 1996). The lack of validation also applies to this work. We therefore do not have empirical evidence for whether the methodology for WDA will result in valid and reliable ADS models of critical infrastructure systems. This needs to be investigated further. Expert opinions (Naikar et al., 2005) and scenario mapping (Burns, Bryant, and Chalmers, 2001) could serve as useful methods for validating that a proposed ADS model captures all relevant domain constraints for the critical infrastructure system under study.

Conclusions

The objective of this work has been to propose a framework that will aid governments with the development of more coherent and effective infrastructure planning and resilience policies through a system-of-systems approach that is grounded in theory for complex sociotechnical systems. To this end, a novel abstraction-decomposition space (ADS) for critical infrastructure systems has been proposed on the basis of work domain analysis (WDA) (Naikar, 2013; Vicente, 1999).

The ADS consists of five levels of abstraction and four levels of decomposition. The framework is formative in the sense that it reveals how work can be done in the critical infrastructure system without violating the system’s constraints established through the WDA. By imposing constraints, the ADS promotes design for adaptation where actors within the system are allowed to adapt their behaviour as they find appropriate within the system’s constraints. This is important because it is not feasible to prescribe, describe and risk assess all possibilities for action that are available in complex sociotechnical systems such as critical infrastructures, especially when dealing with unforeseen events. Efforts to strengthen the capability of critical infrastructures to cope with disruptions should therefore build on the principles of resilience and adaptation (Hollnagel et al., 2006; Schulman, 2022; Woods, 2020).

In this work, we have argued that the implementation of resilience and adaptation strategies for critical infrastructures at the national level is hampered by the low availability of easy-to-use frameworks that build upon complexity theory-based system-of-systems approaches. Adding to this, the absence of a shared strategic vision of the desired outcomes that infrastructure is expected to enable will make it difficult to fully evaluate system performance gaps or assess future infrastructure needs (Dolan, 2018; Dolan et al., 2016).

By applying the ADS, it will aid decision-making related to the overall purposes of the critical infrastructure system, the values and priority measures that are used to assess the system’s progress towards the functional purposes, as well as formulation of infrastructure needs that are necessary to achieve the functional purposes. In addition, it will help to elucidate infrastructure interdependencies and aid the coordination of policies across different infrastructure sectors by framing the views (object worlds) of different stakeholders. This may help EU Member States and others to formulate better strategic objectives and priorities for enhancing the overall resilience of critical infrastructure systems. It may also assist governments with identification of essential services and the critical entities that deliver such services in accordance with the proposed EU COM(2020) 829 directive (European Commission, 2020).

Future research should focus on finding science-based, yet pragmatic and useful in practice, ways for establishing values and priority measures that encompass sustainability issues and resilience standards at the national level. Such criteria should be relatively stable properties of the critical infrastructure system to allow reasoning from first principles when the system is under stress due to unanticipated events, in particular black swan events.