Guide to Disaster-Resilient Communication Networks (Computer Communications and Networks)

Preface
Acknowledgements
Contents
1 Fundamentals of Communication Networks Resilience to Disasters  and Massive Disruptions
	1.1 Introduction
	1.2 Examples of Disasters and Massive Disruptions: Impact on Communication Networks
		1.2.1 Natural Disasters
		1.2.2 Massive Disruptions by Adverse Weather Conditions
		1.2.3 Technology-Related Massive Failures
		1.2.4 Massive Failures Due to Malicious Human Activities
	1.3 QoS (Quality of Service) and QoR2 (Quality of Remediation/Recovery) in Networked Systems
		1.3.1 Disaster-Related Challenges
		1.3.2 A Strategy for Network Resilience: D2R2+DR
	1.4 Measures and Models to Evaluate Disaster-Resilience of Communication Networks
	1.5 Techniques for Design/Update of Disaster-Resilient Systems
	1.6 Algorithms and Schemes for Resilient Systems
	1.7 Advanced Topics in Resilient Communication Systems
		1.7.1 SDN and NFV
		1.7.2 5G and Critical Infrastructure
		1.7.3 Vehicular Communications
		1.7.4 Human Factors
	1.8 Conclusions
	References
Part I Measures and Models for the Analysis and Evaluation of Disaster-Resilient Communication Networks
2 Functional Metrics to Evaluate Network Vulnerability to Disasters
	2.1 Introduction
	2.2 Metrics for Functional Evaluations
		2.2.1 Objective Metrics
		2.2.2 Subjective Metrics
	2.3 Case Study
		2.3.1 Evaluation Setup
		2.3.2 Use Case: Adaptive Video Streaming
	2.4 Conclusions
	References
3 Vulnerability Evaluation of Networks to Multiple Failures Based on Critical Nodes and Links
	3.1 Introduction
	3.2 Critical Node Detection (CND)
		3.2.1 Exact Methods for CND
		3.2.2 Centrality-Based Heuristics for CND
	3.3 Critical Link Detection (CLD)
		3.3.1 Exact Methods for CLD
		3.3.2 Centrality-Based Heuristics for CLD
	3.4 Computational Results
		3.4.1 Problem Instances
		3.4.2 Analysis of CND Results
		3.4.3 Analysis of CLD Results
	3.5 Conclusions
	References
4 How to Model and Enumerate Geographically Correlated Failure Events in Communication Networks
	4.1 Introduction
	4.2 Notions Related to Vulnerable Regions
	4.3 Calculating Lists of SRLGs
		4.3.1 General Practices for SRLG Enumeration
		4.3.2 Precise Polynomial Algorithms Enumerating SRLGs
		4.3.3 Approximate Polynomial Algorithms Listing SRLGs
		4.3.4 More SRLG Enumerating Approaches
	4.4 Calculating Lists of PSRLGs
		4.4.1 Computing Lists of FPs and CFPs
		4.4.2 Probabilistic Modelling of the Worst Place of a Disaster
		4.4.3 On Two-Stage PSRLGs and Denomination Issues
	4.5 Advanced: SRLG Lists Obtained from PSRLG Lists
	4.6 A Mind Map of the Chapter
	4.7 Conclusions
	References
5 Comparing Destructive Strategies  for Attacking Networks
	5.1 Introduction
		5.1.1 Representing the Network Topology by a Graph
		5.1.2 Adjacency and Weighted Adjacency Matrices
		5.1.3 Laplacian Matrix
		5.1.4 Walks, Paths and Shortest Paths
	5.2 Robustness of Networks
	5.3 Metrics Used for Robustness Analysis
		5.3.1 Centrality Metrics
		5.3.2 Structural Metrics
	5.4 Case Studies
		5.4.1 Data of Three Types of Real-World Infrastructures
		5.4.2 The Effect of Node Attacks on the Relative Size of the Largest Connected Component
		5.4.3 Comparing the Attack Strategies in Real-World Networks
		5.4.4 The Impact of Attacking Links: An Example
	5.5 Conclusions
	References
6 Modelling of Software Failures
	6.1 Introduction
	6.2 Risks Associated with Software Failures in 5G
	6.3 The Software Failure Process
		6.3.1 Faults, Errors and Failures
		6.3.2 Failure Modes and Semantics
		6.3.3 The Input/Output Model of Software Failing
		6.3.4 Moore/Mealy Model of Continuously Operating Software
		6.3.5 Coinciding Software Failures
	6.4 Modelling of Handling Software Failures within an SDN Controller
		6.4.1 Short Review of Controller Models Including Software Failing
		6.4.2 Modelling of Failure Dynamics in SDN Controller Platforms
		6.4.3 Dependability Evaluation of SDN Controller
	6.5 Predictive Modelling of Software Defects in SDN Controllers
		6.5.1 Dependability Assurance with SRGM
		6.5.2 An Empirical Case Study of Reliability Growth in SDN Controllers
		6.5.3 Discussion
	6.6 Conclusions
	References
Part II Techniques for Design and Update of Disaster-Resilient Systems
7 Improving the Survivability of Carrier Networks to Large-Scale Disasters
	7.1 Introduction
	7.2 Analysis of Disaster Risk in Carrier Networks
	7.3 Disaster-Aware Submarine Fibre-Optic Cable Deployment
	7.4 Selection of Robust Nodes to Improve the Connectivity Impact of Multiple Node Failures
		7.4.1 RNS Exact Method
		7.4.2 RNS Heuristic Method
		7.4.3 Numerical Results
	7.5 Topology Design/Upgrade of Optical Networks Resilient to Multiple Node Failures
		7.5.1 Multi-Start Greedy Randomized Method
		7.5.2 Numerical Results
	7.6 Conclusions
	References
8 Security-Aware Carrier Network Planning
	8.1 Introduction
	8.2 Overview of Optical Technologies in Carrier Networks
	8.3 Introduction to Modelling and Optimization of Carrier Optical Networks
		8.3.1 Routing and Wavelength Assignment in WDM Networks
		8.3.2 Routing and Spectrum Allocation in EONs
		8.3.3 Routing, Space and Spectrum Allocation in SS-FONs
	8.4 RWA Algorithms Against Jamming Attacks
	8.5 Device Placement to Monitor Jamming Attacks
	8.6 Multi-Period Network Planning Against Jamming Attacks
	8.7 Network Planning Against Eavesdropping Attacks
	8.8 Conclusions
	References
9 Secure and Resilient Communications  in the Industrial Internet
	9.1 Introduction
		9.1.1 Introduction to Industrial Internet of Things—IIoT
		9.1.2 Challenges in IIoT
	9.2 Security of IIoT
		9.2.1 Security Issues in IIoT
		9.2.2 Security Practices as Goals of IIoT
		9.2.3 Possible Mechanism to Secure IIoT Communications
	9.3 Identity-Defined Networking
		9.3.1 Introduction to IDN
		9.3.2 Expected Benefits of IDN
		9.3.3 Challenges in IDN
	9.4 Software-Defined VPLS (SoftVPLS)
		9.4.1 Introduction to VPLS
		9.4.2 Software-Defined VPLS (SoftVPLS) Architecture
		9.4.3 Expected Benefits of SoftVPLS Architecture
		9.4.4 Challenges in SoftVPLS
	9.5 Discussion
	9.6 Conclusions
	References
10 Reliable Control and Data Planes for Softwarized Networks
	10.1 Introduction
	10.2 Reliable Data Plane
		10.2.1 Survivable Virtual Network Embedding for Content Connectivity
		10.2.2 Programmable Data Planes for Resilient Software-Defined Networks
	10.3 Reliable Control Plane
		10.3.1 Resilient Controller Placement Strategies
		10.3.2 Disaster-Resilient Control Plane Design
		10.3.3 Securing the Control Channel of SDNs
	10.4 Conclusions
	References
11 Emergency Networks for Post-Disaster Scenarios
	11.1 Introduction
	11.2 Post-Disaster Scenarios Characterization and Emerging Communication Requirements
		11.2.1 Social Media for Disaster Communications
		11.2.2 Situational Awareness
		11.2.3 Complex Crises: Recovery and Reconstruction
		11.2.4 Disruption of Vehicular Traffic
		11.2.5 Management of Medical Emergencies
		11.2.6 Post-Disaster Service and Communication Requirements
	11.3 State of the Art on Post-Disaster Emergency Networks
	11.4 Post-Disaster Emergency Networks
		11.4.1 Floating Content Support to Disaster Relief and Situational Awareness
		11.4.2 Information-Centric Networking and Delay-Tolerant Networking
		11.4.3 Edge Computing Solutions for Post-Disaster Emergency Networks
		11.4.4 Information Resilience Task Scheduling
		11.4.5 Middleware Solutions for Emergency Networks
	11.5 Conclusions
	References
12 Quality-Driven Schemes Enhancing Resilience of Wireless Networks under Weather Disruptions
	12.1 Introduction
	12.2 Background—Meaning and Position of Quality
		12.2.1 Classification of Different Quality Aspects
		12.2.2 Interrelation between Different Quality Aspects
	12.3 Vulnerability of Wireless Systems to Different Environmental Conditions
		12.3.1 Free-Space Optical Communication System
		12.3.2 Wireless Sensor Networks
		12.3.3 Modular Positioning System
	12.4 Quality-Driven Techniques to Improve Resilience
		12.4.1 Alert to React and Prevent Service Performance Degradation in FSO Communication
		12.4.2 Rerouting Mechanism in WSN
		12.4.3 Modification of Localization System
	12.5 Conclusions
	References
13 Free Space Optics System Reliability in the Presence of Weather-Induced Disruptions
	13.1 Introduction to FSO Communications
	13.2 Weather Effects Influencing FSO Communications: Fog and Turbulence
		13.2.1 Atmospheric Turbulence
		13.2.2 Mie Scattering Effect Including Fog and Clouds
		13.2.3 Availability of FSO Systems in Terms of Fog  and Turbulence Atmospheric Conditions
	13.3 Mitigation Techniques for Increasing FSO Communication Availability
	13.4 Emerging FSO Communication Scenarios Applying Mitigation Techniques for Weather-Induced Disruptions
		13.4.1 Deep Space FSO Communications Link Based on SNSPD Receiver Unit
		13.4.2 Car-to-Car Communication Scenario
	13.5 Conclusions
	References
14 Alert-Based Network Reconfiguration and Data Evacuation
	14.1 Introduction to Alert-Based Reconfiguration Concepts
	14.2 Alert-Based Data Evacuation for Large-Scale Disasters in Data Centre Networks
		14.2.1 Motivation and Problem Statement
		14.2.2 Methodology
		14.2.3 Illustrative Numerical Examples
	14.3 Alert-Based Virtual Machine Migration in Data Centre Networks
		14.3.1 Motivation and Problem Statement
		14.3.2 Methodology
		14.3.3 Case Study and Numerical Results
	14.4 Post-Disaster Data Evacuation from Isolated Data Centres Through Low Earth Orbit Satellite Networks
		14.4.1 Motivation and Problem Statement
		14.4.2 Methodology
		14.4.3 Illustrative Numerical Example
	14.5 Alert-Based Reconfiguration of Virtual Software-Defined Networks
		14.5.1 Flexibility of Hypervisor Placement Approaches
	14.6 Flexibility of Connection Recovery Approaches
		14.6.1 Reactivity of Protection and Restoration Approaches
		14.6.2 Adaptivity of Protection Structures to Failures
	14.7 Conclusions
	References
15 Resilient Techniques Against Disruptions of Volatile Cloud Resources
	15.1 Introduction
	15.2 Volatile Cloud Resources
		15.2.1 Google Preemptible Instances
		15.2.2 Microsoft Low-Priority Instances
		15.2.3 Amazon Spot Instances
	15.3 Volatile Cloud Resources' Life Cycle and Their Performance Behaviour
		15.3.1 Volatile Cloud Resources' Terminology
		15.3.2 Cloud Volatile Resources' Life Cycle
	15.4 Cloud Volatile Resource Disruptions
		15.4.1 (Un)fulfilment of Volatile Cloud Resources
		15.4.2 Considerable Waiting Time for Volatile Cloud Resources' Fulfilment
		15.4.3 Cloud Volatile Resources Can Be Lost at Any Time
		15.4.4 Publicly Available Information About Cloud Volatile Resources
	15.5 Fault Tolerance Approaches for Volatile Cloud Resources
		15.5.1 Checkpointing
		15.5.2 Alternate Resource
		15.5.3 Task Retry
		15.5.4 Task and Data Replication
	15.6 Resilient Techniques to Mitigate the Risk and to Overcome Disruptions of Volatile Cloud Resources
		15.6.1 Reactive Resilient Techniques for Time-Insensitive Applications
		15.6.2 Bidding Strategies to Alleviate Disruptions of Volatile Cloud Resources (Low-Bid-Price)
		15.6.3 Resilient Techniques that Use Checkpointing
		15.6.4 Hybrid Resilience Techniques
	15.7 Tools to Simulate the Behaviour of Volatile Cloud Resources
	15.8 Conclusions
	References
16 Structural Methods to Improve the Robustness of Anycast Communications to Large-Scale Failures
	16.1 Introduction
	16.2 Robustness of Anycast Services to Natural Disasters
	16.3 SDN Robustness to Malicious Node Attacks
		16.3.1 Enumeration of CPP Solutions
		16.3.2 Evaluation of CPP Solutions
	16.4 Robustness of CDNs to Malicious Link Cut Attacks
		16.4.1 CDN Robustness Evaluation to Link Cut Attacks
		16.4.2 CDN Upgrade Methods
		16.4.3 CDN Replica Placement Method
	16.5 Conclusions
	References
Part III Algorithms and Schemes for Resilient Systems
17 Fundamental Schemes to Determine Disjoint Paths for Multiple Failure Scenarios
	17.1 Introduction
	17.2 Algorithms for Disjoint Routing
	17.3 SRLG-Disjoint Routing
	17.4 Shortest Path Algorithms
		17.4.1 Dijkstra's Algorithm
		17.4.2 Modified Dijkstra's Algorithm
	17.5 Suurballe's and Bhandari's Algorithm
		17.5.1 Suurballe's Algorithm
		17.5.2 Bhandari's Algorithm
		17.5.3 k-Bhandari's Algorithm
	17.6 Establishing a Set of k Disjoint Paths for a Multi-Cost Network Scenario
	17.7 Minimum-Cost Path Pairs with Common Arcs and Nodes
		17.7.1 Tunable Availability-Aware Routing
		17.7.2 Min-Cost Arc-Disjoint Path Pairs with Common Nodes
	17.8 Conclusions
	References
18 Taxonomy of Schemes for Resilient Routing
	18.1 Introduction
	18.2 Taxonomy of Schemes of Resource Reservation for Resilient Routing
	18.3 Resilient Routing Schemes for IP Networks
		18.3.1 IP Fast ReRoute Framework (IPFRR)
		18.3.2 Multi-Path Routing (MPR)
		18.3.3 Other Schemes
	18.4 Resilience of Multi-Domain Networks
	18.5 Resilience of Multi-Layer Networks
	18.6 Conclusions
	References
19 Disaster-Resilient Routing Schemes for Regional Failures
	19.1 An Introduction to Geographically Diverse Routing
	19.2 Disaster-Risk Aware Schemes of Provisioning of Communication Paths
	19.3 Schemes of Risk-Aware Reprovisioning of Connections
	19.4 Geodiverse Routing in Optical Networks
		19.4.1 Notation
		19.4.2 Minimum-Cost Geodiverse Routing
		19.4.3 Geodiverse Routing with Availability Constraints
		19.4.4 On the Complexity of Finding D-Geodiverse Paths
		19.4.5 SRLG-Disjoint and Geodiverse Routing—Some Considerations on Benefit and Practical Effort
	19.5 Conclusions
	References
20 Resilient SDN-Based Routing Against Rain Disruptions for Wireless Networks
	20.1 Impact of Rain on Wireless Networks
	20.2 Mitigation of the Rain Impact
		20.2.1 Detection of Rain Events
		20.2.2 Distributed Routing Approaches
		20.2.3 Centralized Routing Approaches
	20.3 Software-Defined Networking (SDN)-Based Routing
		20.3.1 Cost of Adaptation
		20.3.2 Optimization Model for Computing the Adaptation Cost
		20.3.3 Total Data Loss Minimization
	20.4 Numerical Results
	20.5 Conclusions
	References
21 Optimization of Wireless Networks for Resilience to Adverse Weather Conditions
	21.1 Introduction
	21.2 Modelling Weather Conditions and Their Impact on Link Capacity
		21.2.1 Weather States and Link States
		21.2.2 Modelling of FSO Links
		21.2.3 Modelling of Radio Links
	21.3 Characteristics of Paris Metropolitan Area Network (PMAN)
	21.4 Robust Optimization of FSO Networks
		21.4.1 Notation
		21.4.2 Optimization Problem for FT
		21.4.3 Optimization Problem for the Affine Version of FT
		21.4.4 An Alternative for Weather Condition Modelling
		21.4.5 Solution Algorithm of AFTOP for a Given State Polytope
		21.4.6 Comments
	21.5 Robust Optimization of WMN
		21.5.1 Basic Optimization Model with Controlled MCS
		21.5.2 Solution Algorithm
	21.6 Numerical Studies of Paris Metropolitan Area Network
		21.6.1 Numerical Results for FSO
		21.6.2 Numerical Results for WMN
	21.7 Conclusions
	References
22 Enhancing Availability for Critical Services
	22.1 The Spine Concept as an Approach to Increase Critical Services Resilience to Disasters
	22.2 Enhancing End-to-End Service Availability with the General Dedicated Protection and Spine
		22.2.1 Motivation
		22.2.2 FRADIR—Disaster-Resilient Transport Networks
		22.2.3 The Effectiveness of FRADIR
	22.3 Network Upgrade for Geodiverse Routing with Availability Constraints
		22.3.1 Additional Notation
		22.3.2 A Heuristic Approach
		22.3.3 Selecting the Edge to Upgrade
		22.3.4 Computational Results
	22.4 Exploring the Spine Concept in Disaster-Prone Areas
		22.4.1 Problem Definition
		22.4.2 The Weighted Euclidean Shortest Path Problem
		22.4.3 The Weighted Euclidean Shortest Tree Between Three Terminal Nodes
		22.4.4 Euclidean Steiner Tree Heuristic
		22.4.5 Experimental Results
	22.5 Conclusions
	References
23 Detection of Attacks and Attack-Survivable Routing in Carrier Networks
	23.1 Introduction
	23.2 Security Diagnostics and Situational Awareness Capabilities of Optical Networks
		23.2.1 Impairments/Attacks and Sensing/Localization Techniques
		23.2.2 Active Network Probing and Enforcement
		23.2.3 Wavelength Reconfiguration with Cognitive Detection of Congestion or Failure
		23.2.4 Cognitive Network State Sensing
	23.3 Attack Syndromes and Security Monitoring Probe Design
		23.3.1 Connection Routing to Boost Security Diagnostic Capabilities
	23.4 Attack-Aware Dedicated Path Protection
	23.5 Conclusions
	References
24 Routing in Post-Disaster Scenarios
	24.1 Introduction
	24.2 Resilient Event Notification
		24.2.1 Fault Model
		24.2.2 Literature on Fault-Tolerance in Event Notification
		24.2.3 Novel Approaches
	24.3 Resilient Unicast Communications
		24.3.1 Spatial Redundancy via Floating Breadcrumbs
		24.3.2 Natural Disaster Management System Based on Location-Aware Distributed Sensor Networks
		24.3.3 Analysing Path Geodiversity and Improving Routing Performance in Optical Networks
		24.3.4 Capacity Constrained Routing Algorithm for Evacuation Planning
		24.3.5 Weather Disruption-Tolerant Self-Optimizing Millimetre Mesh Networks
	24.4 UAV Support to Network Resilience
	24.5 User Association in Emergency Networks
	24.6 Conclusions
	References
Part IV Advanced Topics in Resilient Communication Systems
25 Resilient SDN, CDN and ICN Technology and Solutions
	25.1 Risk-Based Management of Security in SDNs
		25.1.1 Challenges to Security Introduced by SDN
		25.1.2 Security Enhancements Using SDN
		25.1.3 Attack Methods and Mitigation Techniques
	25.2 Protection in Content Delivery Networks (CDNs)
		25.2.1 Protection of Origin Server
		25.2.2 How to Improve CDN Reliability?
	25.3 Information-Centric Networking
		25.3.1 Resilience in Information-Centric Networking
		25.3.2 Resilience in Service-Centric Networking
		25.3.3 Security in Information- and Service-Centric Networking
	25.4 Multipath and Route Monitoring for Protecting Internet Communication
		25.4.1 Monitoring Communication Paths
		25.4.2 Multipath over the Internet
		25.4.3 Path Selection Strategies
	25.5 Conclusions
	References
26 Scalable and Collaborative Intrusion Detection and Prevention Systems Based on SDN and NFV
	26.1 Introduction
	26.2 Background—CIDS Architectures
	26.3 Review of Scalable and Collaborative IDSs
		26.3.1 Early CIDS Concepts
		26.3.2 Cloud-Based CIDS
	26.4 Comparison of SDNFV-Based IDPS
		26.4.1 SDNFV-Based IDPS
		26.4.2 SDN-Based Distributed Attack Notification
	26.5 Scalable and Collaborative IDPS Leveraging SDNFV—A Proposal
		26.5.1 Programmable Network Monitoring Techniques
		26.5.2 Scalable and Collaborative SDNFV-Based IDPS Model
	26.6 Conclusions
	References
27 Resilient NFV Technology and Solutions
	27.1 An Overview of the ETSI NFV Architecture Framework
	27.2 Dependability of NFV—Two Related Perspectives
	27.3 Dependability of Network Services
		27.3.1 Redundancy and Synchronization
		27.3.2 Failure Detection and Monitoring
		27.3.3 Interoperability of System Components
		27.3.4 Service Chains and VNF Placement Strategies
	27.4 NFV in Action
		27.4.1 Cloud Application Architectures
		27.4.2 VNF Use Cases
	27.5 NFV Resilience Against Disasters
		27.5.1 Zero-Touch Management
		27.5.2 VNF Placement, Service Chaining, Redundancy
	27.6 Conclusions
	References
28 Resilience of 5G Mobile Communication Systems to Massive Disruptions
	28.1 Challenges to Resilience of 5G Systems
	28.2 Dependability Assessment of 5G Networks
	28.3 Frequency Fallback Under Atmospheric Disruptions
	28.4 Backhaul Segment Interleaving
	28.5 Multi-Operator Protection
	28.6 Power-Aware Load Balancing for Energy Efficiency and Survivability
	28.7 Conclusions
	References
29 Design of Resilient Vehicle-to-Infrastructure Systems
	29.1 Introduction
	29.2 Challenges to Resilient Communications
	29.3 Planning the Roadside Infrastructure for Reliable Vehicular Communications
		29.3.1 Deployment of Gateways to Minimize the Average Hop Count for Internet-Related Traffic
		29.3.2 Deployment of RSUs Based on Road Traffic Intensity
		29.3.3 Determination of RSU Location Based on Vehicle Contact Time and Contact Probability
		29.3.4 Deployment of RSUs in Tunnels Based on Outage Probability
	29.4 Improving the Reliability of V2I Links
	29.5 Security of VANET Communications
	29.6 Conclusions
	References
30 Reliability Models for Multi-Objective Design Problems
	30.1 Introduction
	30.2 Model: Description and Properties
		30.2.1 Model Description
		30.2.2 Model Properties
		30.2.3 Mathematical Programming Model
		30.2.4 Example: Location–Allocation–Routing Model
	30.3 Reliable Location–Allocation–Routing Model(s)
		30.3.1 Overview
		30.3.2 Demand Protection Schemes
	30.4 Case Study
		30.4.1 Instances and Input Data
		30.4.2 Programming and Execution Environment
		30.4.3 Protection Versus Re-Routing
	30.5 Conclusions
	References
31 Analyzing Disaster-Induced Cascading Effects in Hybrid Critical Infrastructures: A Practical Approach
	31.1 Introduction
	31.2 Problem Description and Related Work
	31.3 Threat Propagation Between Cyber and Physical Domains
		31.3.1 Terminology
		31.3.2 Attack Scenario
	31.4 Dependency Model Amongst Assets
		31.4.1 Identification of Relevant Assets
		31.4.2 Classification of Assets
		31.4.3 Identification of Dependencies
	31.5 Dynamics Inside Assets
		31.5.1 Possible States
		31.5.2 Possible Alarms
		31.5.3 Transition Regime
		31.5.4 Forwarded Information
		31.5.5 Simulation
	31.6 Results of Analysis
		31.6.1 Statistical Analysis
		31.6.2 Visualization
	31.7 Considerations for Computer Networks and Large-Scale Disasters
	31.8 Conclusions
	References
32 Human and Organizational Issues for Resilient Communications
	32.1 Introduction
	32.2 Ethnographic Research
	32.3 Research Findings
	32.4 Analysis of Ethnographic and Interview Data: The `Mental Models' Used in Reasoning About Risk
	32.5 Conclusions
	References
Appendix  Summary of the Book
	References
Index