Critical Infrastructure: Threat, Risks, Security, Resilience and Investment Prioritisation
Critical Infrastructure: Threat, Risks, Security, Resilience and Investment Prioritisation. Tony Ridley, MSc CSyP MSyI M.ISRM


Critical infrastructure requires management of threats, hazards, risk and security. The big question for governments, operators, shareholders, boards, management and practitioners is... to what degree and why?

That is, blind application of security and/or risk management is likely NOT to optimise resources or maximise utility, and will result in wastage, not to mention protecting the wrong thing in the wrong way at an unnecessary cost.

Therefore, pre-management of security and risk needs to be considered in a more objective, formulaic manner.

Moreover, security and risk management must be routinely revised, updated and considered to ensure past assumptions have not been carried over to current threats, concepts and investments.

This is particularly relevant where infrastructure and physical structures are ageing.

From an economic perspective, researchers and academics advocate considering the cost of action and inaction as it applies to the management of risk.


Ironically, this approach comes with considerable concealed risk, distributed risk/s, bias and over-confidence in 'the formula'. This is not uncommon with purely quantitative risk assessments, but it does offer a starting point for consideration.

More importantly, it introduces the 'cost of failure' as it relates to both security and risk management.

"The cost of a security failure is the combined cost of the primary and secondary costs. This cost is rarely less than 10 times the primary cost, and with high value capital equipment, may be as much as 20 times."

(Smith and Brooks, 2013)

In other words, when it comes to the protection and defence of critical infrastructure, the cost of investing in security may be 'cheaper' than doing nothing by a multiple of 10 to 20... at least.

In particular, the cost of failure should include broader, more realistic factors such as opportunity cost, disruption cost, loss of income/utility and replacement/disruption/continuity costs associated with a single or sustained impact to one or more infrastructure assets and resources.

Source: Smith, C. and Brooks, D. (2013) Security Science: the theory and practice of security, Elsevier

Both risk and security management now become part of the consideration of value, investment and prioritisation, instead of just the asset and utility. In other words, security and risk management factors add/subtract value, and therefore must be implicitly included in the matters analysed and assessed as part of all enterprise security risk management strategies.

"For security to provide cost-effective strategies, security costs in general should be less than the combined primary and secondary costs, including all overheads such as plant, utility costs (apportioned to departments), staff, and hardware costs."

(Smith and Brooks, 2013)
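As an added illustration (not from the article or from Smith and Brooks), the two quoted rules can be turned into a small decision check: the cost of failure is taken as 10 to 20 times the primary cost, a proposed security spend is cost-effective only if it is below that combined cost, and spends that are justified only at the 20x assumption are flagged separately so the reliance on 'the formula' is visible. The asset names, figures and the spend-to-benefit ranking used for prioritisation are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Bounds quoted from Smith and Brooks (2013): failure cost is rarely below
# 10x the primary cost and may reach 20x for high-value capital equipment.
LOW_MULTIPLIER = 10.0
HIGH_MULTIPLIER = 20.0


@dataclass
class Asset:
    name: str
    primary_cost: float             # direct repair/replacement cost of the asset
    proposed_security_spend: float  # total cost of the proposed control set, overheads included


def failure_cost_range(primary_cost: float) -> tuple[float, float]:
    """(low, high) estimate of primary + secondary cost of a security failure."""
    return primary_cost * LOW_MULTIPLIER, primary_cost * HIGH_MULTIPLIER


def assess(asset: Asset) -> str:
    """Classify a proposed spend against the combined-cost bound.

    'cost-effective'       : below even the conservative 10x estimate
    'assumption-dependent' : justified only if the 20x estimate applies
    'not cost-effective'   : exceeds the combined cost at either estimate
    """
    low, high = failure_cost_range(asset.primary_cost)
    if asset.proposed_security_spend < low:
        return "cost-effective"
    if asset.proposed_security_spend < high:
        return "assumption-dependent"
    return "not cost-effective"


def prioritise(assets: list[Asset]) -> list[tuple[str, str, float]]:
    """Assumed ranking: conservative failure cost averted per unit of spend, highest first."""
    rows = []
    for a in assets:
        low, _ = failure_cost_range(a.primary_cost)
        ratio = low / a.proposed_security_spend if a.proposed_security_spend else float("inf")
        rows.append((a.name, assess(a), round(ratio, 2)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


SAMPLE_ASSETS = [  # constructed sample figures, not from the article
    Asset("substation transformer", primary_cost=2_000_000, proposed_security_spend=5_000_000),
    Asset("SCADA gateway", primary_cost=50_000, proposed_security_spend=700_000),
    Asset("perimeter fence segment", primary_cost=40_000, proposed_security_spend=900_000),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_ASSETS):
        print(row)
```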

However, the concept of security as a pure expenditure is both contentious and problematic. That is, a complete absence of security because it presents as too expensive is rarely accepted or endorsed by courts, shareholders, communities and the public after a negative event or breach.

Cybersecurity events over the past 3 years will attest to this flawed investment notion.

Moreover, purely algorithmic, descriptive-statistical or formulaic considerations of security (including game theory) conceal the reality that analysts rarely know all the measurable and observable actions of others, nor can they accurately predict the future.

In short, distilling the complex human behaviour and choices of threat/bad actors into a mathematical calculation is not only inherently inaccurate; there are considerable dangers and risks in making sweeping security/risk decisions and investments (or lack thereof) based purely on a knowingly limited maths equation.

In sum, critical infrastructure necessitates investment in both risk and security management practices.

However, greater objectivity, empirical rigour and seemingly formulaic approaches are required, supported by both practical and scientific influences.

In other words, risk and security investment, measures and practices are not the subjective decisions of individuals, management, organisations or governments but the result of analytic rigour, detailed analysis and commensurate with value, threat, vulnerability and very, very specific risk and security calculations.

Tony Ridley, MSc CSyP MSyI M.ISRM

Security, Risk and Management Sciences

Reference

Smith, C. and Brooks, D. (2013) Security Science: the theory and practice of security, Elsevier

Kirit K Nair CPP

Security | Loss Prevention | Risk Control | Investigation | Leadership | Veteran | Cyber Security Governance Professional | Innovative thinker & solution oriented business strategist

2 years

Thank you for Sharing
