Mitigating disasters: how to help make the right decision?
PHOENIX aims at dealing with crisis events, critical situations where time is of the essence. In order to assist decision makers in making the right choices, we employ multiple criteria methods to model the impact of decisions in a wide range of situations, and choose the best reaction.
From natural catastrophes to pandemics, from cyberattacks to resource shortages, crisis events are a day-to-day threat. In such situations, where time and resource management are often of the essence, protocols are often in place to mitigate the damage as much as possible. Nonetheless, there is always room for improvement in reacting quicker, better and more efficiently.
Two key steps to react appropriately are:
- to be able to assess the damage
- to be able to predict the global effect of triggering a certain reaction protocol
In turn, this allows us to select an optimal set of such protocols, which limits the global impact of the crisis as best we can. Often, it is not useful, or even possible, to trigger the entire set of protocols at once. These might indeed have a cost in resources which needs to fit in a given budget. For example, let us consider a fire station which has a limited number of trucks; this number might not be sufficient to treat all areas affected by a forest fire at once. Each truck must thus be carefully allocated. Moreover, some protocols might cause undesirable effects that would in fact worsen the situation if not used properly. This would be the case where a medical treatment with serious side effects might be very risky to attempt on a vulnerable patient. In that case, a weaker but safer treatment is more suitable.
In such safety-critical situations (e.g. medicine, air traffic management or natural catastrophe handling), it is often necessary that a human validates and takes the final decision. The computing tools used must thus be decision aiding systems, and not decision making ones. In turn, this means that they need to be trustable to a human operator. By “trustable”, we mean that they have to be:
- Domain-constrained (i.e. to have a behavior that follows or is consistent with formal rules defined by a field expert)
- Interpretable (i.e. that a human operator can understand how the decision was taken)
In Multiple Criteria Decision Aiding, these models are built hand-in-hand with a field expert. One method used in PHOENIX is the MACBETH methodology, which generates hierarchical decision models based on the Choquet integral, a function which makes it possible to represent rich decision strategies from situations expressed through meaningful criteria. These models are very easily understandable by an expert, and can easily incorporate many constraints given by a user (in particular, monotonicity, or preferential interaction types). These methodologies are implemented in THALES’s MYRIAD software.
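To make the Choquet integral concrete, here is an added example (not code from PHOENIX or MYRIAD) that evaluates it on three criteria and checks the monotonicity constraint. The criteria names, the capacity values and the impact scores are constructed assumptions; scores are impact levels in [0, 1], higher meaning worse.

```python
from itertools import combinations

# Constructed criteria and capacity (illustrative values, not PHOENIX/MYRIAD data).
CRITERIA = ("human", "economic", "environmental")
CAPACITY = {
    frozenset(): 0.0,
    frozenset({"human"}): 0.5,
    frozenset({"economic"}): 0.2,
    frozenset({"environmental"}): 0.2,
    frozenset({"human", "economic"}): 0.6,
    frozenset({"human", "environmental"}): 0.9,  # strong positive interaction
    frozenset({"economic", "environmental"}): 0.3,
    frozenset(CRITERIA): 1.0,
}

def is_monotone(capacity, criteria):
    """A capacity must never decrease when criteria are added to a coalition."""
    subsets = [frozenset(c) for r in range(len(criteria) + 1)
               for c in combinations(criteria, r)]
    return all(capacity[a] <= capacity[b]
               for a in subsets for b in subsets if a <= b)

def choquet(scores, capacity):
    """Discrete Choquet integral of per-criterion scores w.r.t. a capacity."""
    order = sorted(scores, key=scores.get)  # criteria by increasing score
    total, previous = 0.0, 0.0
    for i, crit in enumerate(order):
        coalition = frozenset(order[i:])  # criteria scoring at least scores[crit]
        total += (scores[crit] - previous) * capacity[coalition]
        previous = scores[crit]
    return total

if __name__ == "__main__":
    a = {"human": 0.8, "economic": 0.3, "environmental": 0.6}
    b = {"human": 0.8, "economic": 0.6, "environmental": 0.3}
    print(is_monotone(CAPACITY, CRITERIA))
    # Economic and environmental have the same singleton weight, yet swapping
    # their scores changes the result: the capacity encodes interaction.
    print(round(choquet(a, CAPACITY), 2), round(choquet(b, CAPACITY), 2))
```

A weighted sum giving economic and environmental the same weight would score both situations identically; the difference comes only from the interaction with the human criterion.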
We stated that the situations must be assessed on meaningful criteria (a.k.a. high-level features in machine learning), in order to be handled by the models. In practice, in crisis management, the criteria may be chosen among those given by the United Nations Office for Disaster Risk Reduction, which defines a disaster as “a serious disruption of the functioning of a community or a society at any scale due to hazardous events interacting with conditions of exposure, vulnerability and capacity, leading to one or more of the following: human, material, economic and environmental losses and impacts”.
It is often hard to evaluate the holistic effect of a massive crisis involving several theaters. It is much more tractable to have experts evaluate the individual impact of atomic aspects of the situation. For instance, in the case of an attack on an EPES, the impact of the failure of each independent sub-system should be assessed individually. Then, the global impact of the attack on a given criterion can be computed as an aggregation (for instance, summation, averaging…) of all the local impacts on said criterion. This assessment on atomic sub-systems allows for a much finer analysis of the criticality of the situation.
In the same way, cascading effects must be taken into account: one system’s failure might lead to another system becoming vulnerable. In the case of a cyberattack, while a firewall failure does not in itself have any dire impact, it allows the attacker to access much more sensitive systems whose corruption will be much more critical. Knowing these propagation rules is thus necessary for anticipating the future states of the system, and reacting appropriately.
When possible, both the evaluation and the propagation rules must be assessed by experts a priori, in order to ease a quick and efficient response.
In the same way, the mitigation protocols’ costs and consequences also need to be evaluated a priori by the experts. This evaluation is done on the same criteria as the attacks/failures that are to be mitigated. This way, we can include them into the representation of a given situation, and estimate the global impact of the crisis depending on whether or not we trigger a certain set of protocols.
Once we have such a criteria-based representation of a real or projected situation, the MYRIAD model can predict the global impact of the crisis, taking into account different sets of mitigation protocols. In turn, optimization methods can be used to find the best set of protocols, that is, the one that yields the best outcome for the crisis currently being dealt with. Prediction is important to prevent cascading effects, and stop the attacks from reaching points where the infrastructure is the most vulnerable.
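The steps described above (local impacts per sub-system, propagation rules, protocol costs and side effects, then a budget-constrained search) can be put together as follows. This is an added example, not PHOENIX or MYRIAD code: component names, impacts, costs and weights are constructed, and a plain weighted sum stands in for the expert-built model.

```python
from itertools import combinations

# Constructed data: every name and number below is an illustrative assumption.
# Local impact of each failed sub-system per criterion, assessed a priori.
LOCAL_IMPACT = {
    "firewall":   {"economic": 1, "human": 0},
    "scada":      {"economic": 5, "human": 2},
    "historian":  {"economic": 2, "human": 0},
    "substation": {"economic": 8, "human": 6},
}
# Propagation rules: a failed component exposes the components it points to.
PROPAGATES_TO = {"firewall": ["scada", "historian"], "scada": ["substation"]}
# Protocols: resource cost, propagation links they cut, and their own side effects.
PROTOCOLS = {
    "isolate_scada": {"cost": 3, "cuts": {("firewall", "scada")}, "impact": {"economic": 2, "human": 0}},
    "manual_substation": {"cost": 4, "cuts": {("scada", "substation")}, "impact": {"economic": 3, "human": 0}},
    "quarantine_historian": {"cost": 2, "cuts": {("firewall", "historian")}, "impact": {"economic": 1, "human": 0}},
}
WEIGHTS = {"economic": 0.4, "human": 0.6}  # stand-in for the expert-built model

def projected_failures(initial, cuts):
    """Follow the propagation rules from the initial failures, skipping cut links."""
    failed, frontier = set(initial), list(initial)
    while frontier:
        src = frontier.pop()
        for dst in PROPAGATES_TO.get(src, []):
            if (src, dst) not in cuts and dst not in failed:
                failed.add(dst)
                frontier.append(dst)
    return failed

def global_impact(initial, chosen):
    """Aggregate local impacts and protocol side effects on the same criteria."""
    cuts = set().union(*(PROTOCOLS[p]["cuts"] for p in chosen))
    sources = [LOCAL_IMPACT[c] for c in projected_failures(initial, cuts)]
    sources += [PROTOCOLS[p]["impact"] for p in chosen]
    totals = {c: sum(s[c] for s in sources) for c in WEIGHTS}  # summation per criterion
    return sum(WEIGHTS[c] * totals[c] for c in WEIGHTS)

def best_protocols(initial, budget):
    """Exhaustive search over protocol sets whose total cost fits the budget."""
    subsets = [s for r in range(len(PROTOCOLS) + 1)
               for s in combinations(sorted(PROTOCOLS), r)
               if sum(PROTOCOLS[p]["cost"] for p in s) <= budget]
    return min(subsets, key=lambda s: (global_impact(initial, s), len(s)))

if __name__ == "__main__":
    for budget in (3, 5, 9):
        print(budget, best_protocols(["firewall"], budget))
```

With these constructed values, a budget of 9 would pay for all three protocols, but the search still returns only two of them: the third adds side effects without stopping any further propagation.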
Explanations can then be derived, as the hierarchical Choquet integral based models have the perk of being highly interpretable. That is, the comparison between two alternative reactive measures can be explained using an extension of the Shapley values especially adapted for such models. Such indices give the contribution of each intelligible criterion in the final impact assessment yielded by the model. In a more off-line manner, a model can easily be controlled, validated or updated by field experts, following the constant evolution of threats and knowledge.
The PHOENIX project aims at dealing efficiently with cyber-physical attacks on European EPES. Such attacks obviously lead to crisis situations, where security operators in the pilot sites can use the aforementioned methods to react efficiently to the ongoing threats.