Risk Modeling of Interdependent Complex Systems of Systems: Theory and Practice

The emergence of the complexity characterizing our systems of systems (SoS) requires a reevaluation of the way we model, assess, manage, communicate, and analyze the risk thereto. Current models for risk analysis of emergent complex SoS are insufficient because too often they rely on the same risk functions and models used for single systems. These models commonly fail to incorporate the complexity derived from the networks of interdependencies and interconnectedness (I–I) characterizing SoS. There is a need to reevaluate currently practiced risk analysis to respond to this reality by examining, and thus comprehending, what makes emergent SoS complex. The key to evaluating the risk to SoS lies in understanding the genesis of characterizing I–I of systems manifested through shared states and other essential entities within and among the systems that constitute SoS. The term “essential entities” includes shared decisions, resources, functions, policies, decisionmakers, stakeholders, organizational setups, and others. This undertaking can be accomplished by building on state‐space theory, which is fundamental to systems engineering and process control. This article presents a theoretical and analytical framework for modeling the risk to SoS with two case studies performed with the MITRE Corporation and demonstrates the pivotal contributions made by shared states and other essential entities to modeling and analysis of the risk to complex SoS. A third case study highlights the multifarious representations of SoS, which require harmonizing the risk analysis process currently applied to single systems when applied to complex SoS.     

Resilience of Cyber Systems with Over‐ and Underregulation

Recent cyber attacks provide evidence of increased threats to our critical systems and infrastructure. A common reaction to a new threat is to harden the system by adding new rules and regulations. As federal and state governments request new procedures to follow, each of their organizations implements their own cyber defense strategies. This unintentionally increases time and effort that employees spend on training and policy implementation and decreases the time and latitude to perform critical job functions, thus raising overall levels of stress. People's performance under stress, coupled with an overabundance of information, results in even more vulnerabilities for adversaries to exploit. In this article, we embed a simple regulatory model that accounts for cybersecurity human factors and an organization's regulatory environment in a model of a corporate cyber network under attack. The resulting model demonstrates the effect of under‐ and overregulation on an organization's resilience with respect to insider threats. Currently, there is a tendency to use ad‐hoc approaches to account for human factors rather than to incorporate them into cyber resilience modeling. It is clear that using a systematic approach utilizing behavioral science, which already exists in cyber resilience assessment, would provide a more holistic view for decisionmakers.     

Systemic Valuation of Strategic Preparedness Through Application of the Inoperability Input-Output Model with Lessons Learned from Hurricane Katrina

The U.S. Department of Homeland Security (DHS) has mandated all regions to "carefully weigh the benefit of each homeland security endeavor and only allocate resources where the benefit of reducing risk is worth the amount of additional cost" (DHS, 2006, p. 64). This mandate illuminates the need to develop methods for systemic valuation of preparedness measures that support strategic decision making. This article proposes an analysis method that naturally emerges from the structure of the inoperability input-output model (IIM) through which various regional- and sector-specific impact analyses can be cost-effectively integrated for natural and man-made disasters. The IIM is described extensively in a companion paper (Lian et al., 2007). Its reliance on data classifications structured by the U.S. Census Bureau and its extensive accounting of economic interdependencies enables us to decompose a risk analysis activity, perform independent assessments, and properly integrate the assessment for a systemic valuation of risk and risk management activity. In this article, we account for and assess some of the major impacts of Hurricanes Katrina and Rita to demonstrate this use of the IIM and illustrate hypothetical, reduced impacts resulting from various strategic preparedness decisions. Our results indicate the capability of the IIM to guide the decision-making processes involved in developing a preparedness strategy.     

Human Agency in Disaster Planning: A Systems Approach

Current approaches to risk management place insufficient emphasis on the system knowledge available to the assessor, particularly in respect of the dynamic behavior of the system under threat, the role of human agents (HAs), and the knowledge available to those agents. In this article, we address the second of these issues. We are concerned with a class of systems containing HAs playing a variety of roles as significant system elements—as decisionmakers, cognitive agents, or implementers—that is, human activity systems. Within this family of HAS, we focus on safety and mission‐critical systems, referring to this subclass as critical human activity systems (CHASs). Identification of the role and contribution of these human elements to a system is a nontrivial problem whether in an engineering context, or, as is the case here, in a wider social and public context. Frequently, they are treated as standing apart from the system in design or policy terms. Regardless of the process of policy definition followed, analysis of the risk and threats to such a CHAS requires a holistic approach, since the effect of undesirable, uninformed, or erroneous actions on the part of the human elements is both potentially significant to the system output and inextricably bound together with the nonhuman elements of the system. We present a procedure for identifying the potential threats and risks emerging from the roles and activity of those HAs, using the 2014 flooding in southwestern England and the Thames Valley as a contemporary example.     

Some Limitations of Qualitative Risk Rating Systems

Qualitative systems for rating animal antimicrobial risks using ordered categorical labels such as “high,”“medium,” and “low” can potentially simplify risk assessment input requirements used to inform risk management decisions. But do they improve decisions? This article compares the results of qualitative and quantitative risk assessment systems and establishes some theoretical limitations on the extent to which they are compatible. In general, qualitative risk rating systems satisfying conditions found in real‐world rating systems and guidance documents and proposed as reasonable make two types of errors: (1) Reversed rankings, i.e., assigning higher qualitative risk ratings to situations that have lower quantitative risks; and (2) Uninformative ratings, e.g., frequently assigning the most severe qualitative risk label (such as “high”) to situations with arbitrarily small quantitative risks and assigning the same ratings to risks that differ by many orders of magnitude. Therefore, despite their appealing consensus‐building properties, flexibility, and appearance of thoughtful process in input requirements, qualitative rating systems as currently proposed often do not provide sufficient information to discriminate accurately between quantitatively small and quantitatively large risks. The value of information (VOI) that they provide for improving risk management decisions can be zero if most risks are small but a few are large, since qualitative ratings may then be unable to confidently distinguish the large risks from the small. These limitations suggest that it is important to continue to develop and apply practical quantitative risk assessment methods, since qualitative ones are often unreliable.     

Systems‐Based Guiding Principles for Risk Modeling,Planning, Assessment,Management, and Communication

This article is grounded on the premise that the complex process of risk assessment, management, and communication, when applied to systems of systems, should be guided by universal systems‐based principles. It is written from the perspective of systems engineering with the hope and expectation that the principles introduced here will be supplemented and complemented by principles from the perspectives of other disciplines. Indeed, there is no claim that the following 10 guiding principles constitute a complete set; rather, the intent is to initiate a discussion on this important subject that will incrementally lead us to a more complete set of guiding principles. The 10 principles are as follows: First Principle: Holism is the common denominator that bridges risk analysis and systems engineering. Second Principle: The process of risk modeling, assessment, management, and communication must be systemic and integrated. Third Principle: Models and state variables are central to quantitative risk analysis. Fourth Principle: Multiple models are required to represent the essence of the multiple perspectives of complex systems of systems. Fifth Principle: Meta‐modeling and subsystems integration must be derived from the intrinsic states of the system of systems. Sixth Principle: Multiple conflicting and competing objectives are inherent in risk management. Seventh Principle: Risk analysis must account for epistemic and aleatory uncertainties. Eighth Principle: Risk analysis must account for risks of low probability with extreme consequences. Ninth Principle: The time frame is central to quantitative risk analysis. Tenth Principle: Risk analysis must be holistic, adaptive, incremental, and sustainable, and it must be supported with appropriate data collection, metrics with which to measure efficacious progress, and criteria on the basis of which to act. The relevance and efficacy of each guiding principle is demonstrated by applying it to the U.S. Federal Aviation Administration complex Next Generation (NextGen) system of systems.     

Shared Leadership in Commercial Organizations: A Systematic Review of Definitions,Theoretical Frameworks and Organizational Outcomes

The importance of context has been well established in studies of leadership (Bryman, A. and Stephens, M. (1996). The importance of context: qualitative research and the study of leadership. Leadership Quarterly, 7, pp. 353–371; Pettigrew, A. and Whipp, R. (1991). Managing Change for Competitive Success. Oxford: Blackwell). However, recent reviews of shared leadership have tended to merge findings across commercial and non‐commercial settings, disregarding contextual differences in these distinctive domains. Acknowledging that the challenges of leadership may vary in different organizational contexts, this paper argues that a focused review of shared leadership in commercial organizations (COs) is needed. The authors thus systematically review findings from over twenty years of empirical research on the practice of shared leadership in commercial organizations, critically reviewing definitions, theoretical dispositions and measurement approaches adopted in the field, before evaluating the impact of shared leadership on performance in this context. Findings from commercial and non‐ commercial organizations are then compared, highlighting significant differences in the conceptualization of shared leadership in these distinct settings. Contributing to theory in this field, a framework is developed, mapping the landscape of current research in commercial contexts, revealing critical gaps in our present understanding of shared leadership processes. Consequently, a model summarizing a proposed research agenda for future studies is provided, highlighting the need for such research to focus on the interactions of individuals as they share in the leadership of their team.     

Assembly Systems with Sequential Supplier Decisions and Uncertain Demand

We consider multitier push assembly systems with sequential supplier decisions and a wholesale price contract. We show that both an Original Equipment Manufacturer (OEM)–Contract Manufacturer (CM) assembly and a modular assembly with sequential supplier decisions are mathematically equivalent to the corresponding traditional assembly. We determine that, in most cases, the first mover supplier realizes a higher profit than the second mover supplier but we also identify the sufficient conditions for the reverse to occur. We provide conditions under which the order quantity, the second mover profit, total supplier profits, and the assembler profit are either higher or lower for a multitier system with sequential suppliers compared to simultaneous suppliers. We conclude that the first mover is always better off in a three‐tier sequential system while she can be either better off or worse off in a four‐tier sequential system compared to the corresponding simultaneous systems. We also analyze the impact of information asymmetry on the supplier and assembler profits in a three‐tier sequential system. Finally, we determine the profit threshold for an independent manufacturer in a three‐tier system to become a CM in a four‐tier system and vice versa.     

Perspectives on Cybersecurity Information Sharing among Multiple Stakeholders Using a Decision‐Theoretic Approach

The government, private sectors, and others users of the Internet are increasingly faced with the risk of cyber incidents. Damage to computer systems and theft of sensitive data caused by cyber attacks have the potential to result in lasting harm to entities under attack, or to society as a whole. The effects of cyber attacks are not always obvious, and detecting them is not a simple proposition. As the U.S. federal government believes that information sharing on cybersecurity issues among organizations is essential to safety, security, and resilience, the importance of trusted information exchange has been emphasized to support public and private decision making by encouraging the creation of the Information Sharing and Analysis Center (ISAC). Through a decision‐theoretic approach, this article provides new perspectives on ISAC, and the advent of the new Information Sharing and Analysis Organizations (ISAOs), which are intended to provide similar benefits to organizations that cannot fit easily into the ISAC structure. To help understand the processes of information sharing against cyber threats, this article illustrates 15 representative information sharing structures between ISAC, government, and other participating entities, and provide discussions on the strategic interactions between different stakeholders. This article also identifies the costs of information sharing and information security borne by different parties in this public‐private partnership both before and after cyber attacks, as well as the two main benefits. This article provides perspectives on the mechanism of information sharing and some detailed cost–benefit analysis.     

Risk Perception and Disaster Preparedness in Immigrants and Canadian‐Born Adults: Analysis of a National Survey on Similarities and Differences

Research has documented that immigrants tend to experience more negative consequences from natural disasters compared to native‐born individuals, although research on how immigrants perceive and respond to natural disaster risks is sparse. We investigated how risk perception and disaster preparedness for natural disasters in immigrants compared to Canadian‐born individuals as justifications for culturally‐adapted risk communication and management. To this end, we analyzed the ratings on natural disaster risk perception beliefs and preparedness behaviors from a nationally representative survey (N = 1,089). Factor analyses revealed three underlying psychological dimensions of risk perception: external responsibility for disaster management, self‐preparedness responsibility, and illusiveness of preparedness. Although immigrants and Canadian‐born individuals shared the three‐factor structure, there were differences in the salience of five risk perception beliefs. Despite these differences, immigrants and Canadian‐born individuals were similar in the level of risk perception dimensions and disaster preparedness. Regression analyses revealed self‐preparedness responsibility and external responsibility for disaster management positively predicted disaster preparedness whereas illusiveness of preparedness negatively predicted disaster preparedness in both groups. Our results showed that immigrants’ risk perception and disaster preparedness were comparable to their Canadian‐born counterparts. That is, immigrant status did not necessarily yield differences in risk perception and disaster preparedness. These social groups may benefit from a risk communication and management strategy that addresses these risk perception dimensions to increase disaster preparedness. Given the diversity of the immigrant population, the model remains to be tested by further population segmentation.     

State of the Art in Risk Analysis of Workforce Criticality Influencing Disaster Preparedness for Interdependent Systems

The objective of this article is to discuss a needed paradigm shift in disaster risk analysis to emphasize the role of the workforce in managing the recovery of interdependent infrastructure and economic systems. Much of the work that has been done on disaster risk analysis has focused primarily on preparedness and recovery strategies for disrupted infrastructure systems. The reliability of systems such as transportation, electric power, and telecommunications is crucial in sustaining business processes, supply chains, and regional livelihoods, as well as ensuring the availability of vital services in the aftermath of disasters. There has been a growing momentum in recognizing workforce criticality in the aftermath of disasters; nevertheless, significant gaps still remain in modeling, assessing, and managing workforce disruptions and their associated ripple effects to other interdependent systems. The workforce plays a pivotal role in ensuring that a disrupted region continues to function and subsequently recover from the adverse effects of disasters. With this in mind, this article presents a review of recent studies that have underscored the criticality of workforce sectors in formulating synergistic preparedness and recovery policies for interdependent infrastructure and regional economic systems.     

Toward Disaster‐Resilient Cities: Characterizing Resilience of Infrastructure Systems with Expert Judgments

Resilient infrastructure systems are essential for cities to withstand and rapidly recover from natural and human‐induced disasters, yet electric power, transportation, and other infrastructures are highly vulnerable and interdependent. New approaches for characterizing the resilience of sets of infrastructure systems are urgently needed, at community and regional scales. This article develops a practical approach for analysts to characterize a community's infrastructure vulnerability and resilience in disasters. It addresses key challenges of incomplete incentives, partial information, and few opportunities for learning. The approach is demonstrated for Metro Vancouver, Canada, in the context of earthquake and flood risk. The methodological approach is practical and focuses on potential disruptions to infrastructure services. In spirit, it resembles probability elicitation with multiple experts; however, it elicits disruption and recovery over time, rather than uncertainties regarding system function at a given point in time. It develops information on regional infrastructure risk and engages infrastructure organizations in the process. Information sharing, iteration, and learning among the participants provide the basis for more informed estimates of infrastructure system robustness and recovery that incorporate the potential for interdependent failures after an extreme event. Results demonstrate the vital importance of cross‐sectoral communication to develop shared understanding of regional infrastructure disruption in disasters. For Vancouver, specific results indicate that in a hypothetical M7.3 earthquake, virtually all infrastructures would suffer severe disruption of service in the immediate aftermath, with many experiencing moderate disruption two weeks afterward. Electric power, land transportation, and telecommunications are identified as core infrastructure sectors.     

Labour Market Flexibility,Human Resource Management and Corporate Performance

Labour market flexibility is often portrayed as a key to the competitive success of the UK and US economies. We surveyed several hundred firms in the UK, and using the resulting data (on over 200 manufacturing firms) this paper investigates the relationships between firms’ use of flexible work practices, human resource systems and industrial relations on the one hand, and corporate performance on the other hand. The results suggest that ‘low‐road’ practices – short‐term contracts, a lack of employer commitment to job security, low levels of training and low levels of human resource sophistication – are negatively correlated with corporate performance. In contrast, it is found that ‘high‐road’ work practices –‘high commitment’ organizations or ‘transformed’ workplaces – are positively correlated with good corporate performance. It is also found that human resource management practices are more likely to contribute to competitive success where they are introduced as a comprehensive package, or ‘bundle’ of practices. Significant interaction effects between human resource systems, trade unions and flexible work practices add further support to the bundling hypothesis.     

Refocusing the Focus Group: AIRing as a Basis for Effective Workplace Planning

Organizations commonly make use of focus groups for planning purposes while giving little thought to the dimensions on which those groups are formed. This paper argues that the dimensions of group formation have a significant effect on the ultimate success of any planning exercise. This is because in all organizations people necessarily self‐categorize as members of groups that shape the way they think and act at work. However, there is often a lack of fit between the way organizations categorize employees and the way those employees categorize themselves. To the extent that there is a lack of fit between imposed and self‐identified categories, we argue that organizations will fail to effectively harness group resources. Any planning strategy that makes use of groups should organize people in terms of identities that are most relevant to their work in order (a) to have an impact on the way people think and act and (b) to ensure that people have (and feel that they have) the opportunity to provide input that is relevant, useful and important for the organization. The paper discusses a technique, AIRing, that allows organizations to address this issue effectively. This is the first stage of the ASPIRe negotiation‐based planning model (Eggins et al., Social Identity at Work: Developing Theory for Organizational Practice, pp. 241–260, Philadelphia, PA: Taylor & Francis, 2003; Haslam et al., British Journal of Management, 14 (2003), pp. 357–369).     

Heuristic Coordination of Decentralized Inventory Systems Using Induced Backorder Costs

In this paper, we investigate a one‐warehouse multiple‐retailer system, where the inventory control decisions are coordinated using a near optimal induced backorder cost, β*. All installations use continuous review installation‐stock (R, Q) policies. The analysis builds on an approximation model where the stochastic warehouse delays are replaced by their correct averages. The contributions include insights as to how β* is influenced by system parameters, and the determination of simple closed form β* estimates. The latter offering a practical means to achieve coordinated control of large size systems.     

Explaining Anomalous High Performance in a Health Care Supply Chain*

An implicit assumption in distributing and coordinating work among independent organizations in a supply chain is that a focal organization can use financial or contractual mechanisms to enforce compliance among the other organizations in meeting desired performance objectives. Absent contractual agreement or financial gain, there is little incentive for independent organizations to coordinate their process improvement activities. In this study, we examine a health care supply chain in which the work is distributed among independent organizations. We use a detailed case study and an abductive reasoning approach to understand how and why the independent organizations choose to coordinate and collaborate in their work. Our study makes two contributions to the literature. First, we use well‐established lean principles to explain how independent organizations achieve superior performance despite highly uncertain and variable customer demand—a context considerably different from the origins of lean principles. Second, we forward relational coordination theory to explain why the organizations in this decentralized supply chain coordinate their work. Relational coordination includes the use of shared goals, shared knowledge, and mutual respect for one another's work as primary mechanisms to explain process improvement in the absence of any contractual incentives. Our study constitutes a first step in generating theory for work design and its improvement in decentralized supply chains.     

Examining Public Trust in Risk‐Managing Organizations After a Major Disaster

This research investigates the public's trust in risk‐managing organizations after suffering serious damage from a major disaster. It is natural for public trust to decrease in organizations responsible for mitigating the damage. However, what about trust in organizations that address hazards not directly related to the disaster? Based on the results of surveys conducted by a national institute, the Japanese government concluded, in a White Paper on Science and Technology, that the public's trust in scientists declined overall after the 2011 Tohoku Earthquake. Because scientists play a key role in risk assessment and risk management in most areas, one could predict that trust in risk‐managing organizations overall would decrease after a major disaster. The methodology of that survey, however, had limitations that prevented such conclusions. For this research, two surveys were conducted to measure the public's trust in risk‐managing organizations regarding various hazards, before and after the Tohoku Earthquake (n = 1,192 in 2008 and n = 1,138 in 2012). The results showed that trust decreased in risk‐managing organizations that deal with earthquakes and nuclear accidents, whereas trust levels related to many other hazards, especially in areas not touched by the Tohoku Earthquake, remained steady or even increased. These results reject the assertion that distrust rippled through all risk‐managing organizations. The implications of this research are discussed, with the observation that this result is not necessarily gratifying for risk managers because high trust sometimes reduces public preparedness for disasters.     

A Framework for Linking Cybersecurity Metrics to the Modeling of Macroeconomic Interdependencies

Hierarchical decision making is a multidimensional process involving management of multiple objectives (with associated metrics and tradeoffs in terms of costs, benefits, and risks), which span various levels of a large-scale system. The nation is a hierarchical system as it consists multiple classes of decisionmakers and stakeholders ranging from national policymakers to operators of specific critical infrastructure subsystems. Critical infrastructures (e.g., transportation, telecommunications, power, banking, etc.) are highly complex and interconnected. These interconnections take the form of flows of information, shared security, and physical flows of commodities, among others. In recent years, economic and infrastructure sectors have become increasingly dependent on networked information systems for efficient operations and timely delivery of products and services. In order to ensure the stability, sustainability, and operability of our critical economic and infrastructure sectors, it is imperative to understand their inherent physical and economic linkages, in addition to their cyber interdependencies. An interdependency model based on a transformation of the Leontief input-output (I-O) model can be used for modeling: (1) the steady-state economic effects triggered by a consumption shift in a given sector (or set of sectors); and (2) the resulting ripple effects to other sectors. The inoperability metric is calculated for each sector; this is achieved by converting the economic impact (typically in monetary units) into a percentage value relative to the size of the sector. Disruptive events such as terrorist attacks, natural disasters, and large-scale accidents have historically shown cascading effects on both consumption and production. Hence, a dynamic model extension is necessary to demonstrate the interplay between combined demand and supply effects. The result is a foundational framework for modeling cybersecurity scenarios for the oil and gas sector. A hypothetical case study examines a cyber attack that causes a 5-week shortfall in the crude oil supply in the Gulf Coast area.     

E‐Procurement Infusion and Operational Process Impacts in MRO Procurement: Complementary or Substitutive Effects?

The procurement of maintenance, repair, and operating (MRO) goods has remained a relatively understudied topic in the literature. Though vital cost efficiencies can be extracted from procurement processes through investments in e‐procurement systems, there is little empirical work that addresses how such systems should be deployed within organizations. In this study, we focus on the role of e‐procurement systems in MRO procurement and study two critical aspects of infusion. The first dimension captures the depth of e‐procurement use within the procurement function, while the second dimension depicts the breadth of use. We argue that these two dimensions of e‐procurement use, and their interaction, will be related to the performance of the MRO procurement process. Using survey data from 193 service organizations and structural equation modeling techniques, we show that the two infusion dimensions are significantly associated with improved process performance. Additionally, we show a substantial substitutive effect between the two use dimensions on performance. Our work has significant implications for managers who seek to gain efficiencies by the deployment of Internet‐based technologies within operational processes. Our conceptualization of e‐procurement infusion along two dimensions provides a more fine‐grained analysis of performance benefits accruing from the infusion of information technologies within organizations.