INNOVATIVE APPROACHES TO CRITICAL INFRASTRUCTURE MANAGEMENT BY SOFTWARE SUPPORT

: (Arial 8) This paper focuses on the use of process management tools and Business Continuity Management to ensure the security, integrity and functionality of critical infrastructure. This problematics is the part of the project of the Security Research of the Czech Republic No. VI20152018039. The project is based on the complex approach to the sustainability of critical infrastructure concerning securing continuity of processes for entities and objects of the critical infrastructure in the crisis and emergency planning system of public administration in the Czech Republic. All respective processes are modelled by means of software tools that support BPMN 2.0 standard. Critical Infrastructure (CI) processes are incorporated into CI process map to enable passing on quick and goal-directed critical event information transfer to decision centre. This information is assessed by the SW algorithm that provides reasonable response to critical event.


PREVIEW (Arial 10)
Business Continuity Management (BCM) is the process of developing and maintaining a plan in order to ensure business continuity in case of a disruption of its activity.BCM involves the plan development, which is based on business impact analysis, plan implementation and its periodic improvements to identify new threats, risks and circumstances (Bird, 2011).BCM represents a holistic approach to business protection, seeking to ensure that missioncritical functions -from HR to manufacturingcontinue to operate during and after an unforeseen event.Some authors address the differences between Disaster Recovery management (DRM) and BCM.The main difference between these two concepts is that BCM is designed to operate more preventively while DRM is rather focused on the treatment and mitigation of existing disasters.DRM is a short-term management practice that provides assurance that a critical business process will survive a disaster.The basic assumption is that a business can decrease business continuity risk (expressed by the probability that the organization terminates its operation after an accident) by the transition from DRM to BCM.Effective BCM initiative provides assurance that a company will continue to create value for its stakeholders even if it experiences a major incident that would ordinarily threaten its existence (Calderon and Dishovska, 2005).The most important part of BCM is the Critical Infrastructure (CI) protection.Nowadays the protection of CI is ranked among meaningful security phenomena.CI is subject to crisis management at both national and international level.The basic terminology of critical infrastructure that has been developed over past two decades primarily arises from the European Council Directive 2008/114/EC (hereinafter only the "Directive") and from the Czech Republic Act No. 240/2000 Coll. 3 (all legal regulations mentioned in this paper are based upon the legal system of the Czech Republic.The definition stated in the Directive sees critical infrastructure as "an asset, system or part thereof, located in Member States, which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result.")Similarly, CI is understood to be the set of assets which is conditional for smooth and effective running society and economy.US legislation codified CI systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

RESEARCH AND DEVELOPMENT METHODS USED
A participant-observation approach, which comes under ethnography concept umbrella, was chosen as a method of choice (Kawulich, 2005).According to DeWalt and DeWalt (2002) "Participant observation is the process enabling researches to learn about the activities of the people under study in the natural settings through observing and participating in those activities.Moreover 7 semi-structured interviews were conducted with regional crises managers who were held responsible for BCM.Each interview lasted approximately 1 hour, coding being based on specific words frequency.For reviewed data that relate to mostly BCM, the content analysis was applied.The content analysis is the research technique used for objective, systematic and quantitative description of the obvious content of the communication (Berelson, 1971, p. 18).Content analysis is the longest-used method of text analysis within the framework of social research (Titscher, 2000, p. 55).In addition, process analysis as well as process modelling techniques were used for the accomplishment of functional and operable process maps that were then subjected to programming.
By means of the combination of "What if? Risk analysis with the checklist (WI-CL) the final structure of process models was achieved.
Crisis documentation that was a guarantee of systemic approach to brainstorming became the starting point for analysis elaboration.With respect to securing transparency, analysed problematics was broken down into several partial sub-processes.For the process design the language BPMN version 2.0 was used (BPMN, 2012).Business Process Model and Notation (BPMN) is the set of principles and rules that serves to graphic illustration (modelling) of company processes.The organization OMG (Object Management Group) deals with the development of BPMN.
OMG issued official version of BMPN 2.0 in January 2011 and currently it is supported by important IT firms.The BMPN standard was also applied with regard to the support of processes automation (so called workflow management and XML transferable format).Companies should start with embedding BCM within organization processes and then plunge deeper into organization structure and implement BCM in details.Companies should be aware of the appropriateness of the adoption of BCM in the organization, structure of BCM that is going to be implemented and finally program sponsors.A great deal of attention should be drawn to analysis stage where critical business areas (also called "showstoppers") must be identified.These areas must be then provided with sufficient protection (Sunday Time Post, 2015).Development and operating BCM usually comprises four stages that cannot be ranked in succession but some feedbacks among stages is a common practice.These stages represent (Popa, 2011):

BUSINESS CONTINUITY MANAGEMENT IN THE LIGHT of CURRENT RESEARCH
Planning and establishing BCM system; Implementation and operation BCM system; Monitoring and analysing BCM; Maintaining and improving BCM system.Needless to accentuate the role of modern technologies that meaningfully enhance the achievement of acceptable Recovery Point Objective (RPO) or Recovery Time Objective (RTO).Positive impact of modern technologies on the achievement of better RPO or RTO figures was proven.No surprise that reaching similar RPO and RTO figures in the past would have required heavy investments.Finally, the key to successful BCM is the implementation and validation stage.The former aims at smooth putting BCM principles in practice, the latter corroborates the right and expected functionality of the BCM system.The dynamics of the current business should be reflected in Business Continuity Planning (BCP).This topic was addressed by Lam (2002) who presented eight-step BCP cycle.In addition, Verstraeti (2004) introduces a lean/agility maturity model where the corporate management needs to adapt the management of the business processes and underlying information systems tied with BCP to be able to react to change quickly and easily by hedging the risks.Lidstrőm et al. (2010), being aware of deficiencies of existing BCP tools, reacted to the significance of BCP and offered practically applicable methodology.According to Lidstrőm, this methodology is adaptable to any organization.This methodology called "capability maturity model" observes staircase principle where the company starts at the bottom of the staircase and moves stepwise upwards.Individual stairs represents individual events, which might cause crisis.A crisis is when an organization's critical processes are seriously affected or possibly if a very serious event affecting the organization has occurred.The model is mainly proposed to handle situations related to critical processes.Basically, the higher up in the staircase, the more serious situations can be handled without going into a crisis.The more measures takenthe more steps are climbed -and the organization is able to handle increasingly serious situations within the organization in a controlled manner without the need to invoke crisis management and start up the business continuity plan (Lidstrőm et al., 2010).Continuous BCP planning implies reduction of disruptions caused by disasters and security breaches to acceptable level by means of the combination of prevention and control means of recovery.BCP must pay respect to the specifics of the organization and culture (Maier et al., 2014).Continuous research in the field of BCM and BCP is oriented on the interconnection of these concepts with Integrated Management Systems (IMS) (Maier et al., 2014).BCM or BCP would thus play irreplaceable role within the framework of organization processes.

DESCRIPTION OF THE SOLUTION
The aim of the research was to develop software application that would be conducive to ensuring operability and security of CI.The software was also supposed to increase the resistance of CI and the effectiveness of the user´s capability to ensure CI functionality not only with the respect to physical safety, but also to process safety.Specifically, the process safety shall be secured from the point of view of both material resources and economic and legislation factors.The paper deals with a new concept of Critical Infrastructure Protection Model that is based on a complex approach to the sustainability of critical infrastructure with respect to securing continuity of processes for entities and objects of the critical infrastructure in the crisis and emergency planning system of public administration in the Czech Republic.The model applies the decomposition of regional or local Critical Infrastructure system into requirable number of processes or subprocesses which are further split into sequential activities.The main delivery of the project is the software which can be easily adjusted and parametrized to the conditions of specific organization.The software (called WAKBCM) is thus applicable not only in the state, regional and municipal administration but also in industrial companies.WAKBCM system is a SW application which can be characterized as a dynamic process map.The diagram of processes and functional interface which enables initiation of process performance is a part of the dynamic process map.Within a running process and in dependence on its defined links, individual elements of the process are stepwise and sequentially put into effect.These elements include events, activities and decision gates.Initiation of the process represents creation of the token that is stepwise passed around the objects as the individual elements of the process are implemented.The implementation of the process is carried out on the basis of defined parameters which are created for the sake of process implementation, process results recording and last but not least the determination key reference parameters.Process map is depicted by means of interactive graphic interface.User´s environment within the interface is the effective tool of the administration of individual processes and their elements.The administration of elements enables unlimited definition of parameters and their characteristics that describe specific activity, event or the link of the process.By means of the setting of individual characteristic or values of these characteristics, it is possible to define actual needs of the subject that implements the process.Based on the elements of BMPN 2.0 language the library of process elements was created to simplify the definitions.Initial parameters and characteristics of these elements have been defined in advance so that the owner and user of the process may define only those values that are focused on actual performance and evaluation of the process.In addition to functions ensuring process performance, additional functions that enable to define user´s inquires or notifications are also implemented in the system.It is possible to process these inquiries by means of mobile phone applications WAKBCM which enables to initiate the operability of process elements by mobile IT devices.

PROCESS MAPS
Process maps represent specific process in a graphic form.It means sequential flow of events, statuses and activities.Graphic illustration of the process is very clear and it is conducive to correct understanding, setting and execution of the process.In the system WAKBCM the process map is composed of typified graphic objects -elements (BPMN 2.0 language) which are sub-processes, various types of gates,, various types of events (initial, intermediate and end), swimming tracks and sequential flows.Each element represents specific function that is expressed by a certain symbol within the framework of specific object.This characteristic significantly facilitates the orientation in process for both administrators and users of the process.The example of the process map that demonstrates the disruption of CI is shown in figure 1.

PARAMETERS OF PROCESS ELEMENTS
WAKBCM system enables to initiate and perform defined process.That is why individual elements of the process model contain the set of attributes and characteristic parameters.Categorization of parameters, attributes and characteristics according to types determines their significance.Input characteristics enabling process performance, result-based output characteristics or characteristics identifying reference values are properly differentiated within the framework of WAKBCM.
Parameters, attributes and characteristics are specific to each graphic object of the process model.They are defined with respect to its specific element function.Inseparable part of WAKBCM is the library of graphic objects -elements.The library includes supported graphic objects of the process modelling.Including basic definition of parameters and characteristics.This setting is the default setting of individual graphic objects for its use in the process model.Within the framework of the model it is possible to adjust the default setting of parameters and characteristics of the graphic object according to specific purpose of the element.

COMMUNICATION
WAKBCM system is the web application of client -server type that can be used in on-line mode without client installation.For the smooth operation of WAKBCM, it is sufficient to install internet browser on the client device.Communication interface that enables to simply define interactive inquiries addressed to process users is the inherent part in WAKBCM application.The inquiries are defined for specific elements of the process.It is concurrently possible for the process elements to set communication activities (inquiry, alert, notification).These activities will automatically address users by the defined inquiry or message.Mobile application WAKBCM, which is a part of WAKBCM, enables by a simple way to process defined interactive inquiries.E.g. tasks resulting from individual activities and the events of process maps elements.

SYSTEM OVERVIEWS
System overviews allow the users to gain access to process data by means of table reports.By means of overviews, it is possible to monitor and evaluate the course and statuses of individual elements and processes.The overviews are broken down into three groups: generic elements -the overview of type graphic objects, processes -the overview of registered processes, elements -the overview of elements of process models.Each group enables to gain the overview of a certain direction: basic, parameters, attributes and characteristics settings, time snap, results.

(Figure 1
Figure2shows detailed insight into public transport disruption that came into existence either by natural catastrophe or by terrorist attack.The scheme clearly describes decision-