Conference: International Conference on Cyber Warfare and Security

Quantifying Decision Making in the Critical Infrastructure


Abstract

In this paper, we examine ways to better position senior leaders to make critical decisions to protect and defend their information assets against cyber-attacks. There has been, for obvious reasons, consistent pressure for engagement and cooperation between governments, the private sector, and other stakeholders. Historically, however, there has been mistrust and a lack of collaboration between the three communities, largely because of concerns about the fallout from information sharing and concerns that the government might impose more regulations on the commercial sector. In the context of our discussion, information assets are divided into two categories based on the relevant technologies, i.e., information technologies (IT) and operational technologies (OT). The IT side is focused on Internet Protocol (IP) systems. The OT side, on the other hand, is focused on industrial control systems (ICS) that have a significant impact on the way critical environments enable us to acquire and sustain desired qualities of life. The OT side is the one in which a discussion of weapons of mass destruction (WMD) might have merit, because a collapse or failure of some of the sectors designated as critical infrastructure could have a catastrophic and long-term impact on essential services and functionality that are critical to our survival. Nowhere is collaboration between the public, private, and government sectors more important than in the critical infrastructure (CI). Though a large amount of the critical infrastructure is owned by the private sector, it is considered by the Department of Homeland Security (DHS) to be essential to the nation's economic and physical security, national public health or safety, or any combination thereof (Critical Infrastructure, 2015).
The Internet has become a game changer, in that it has become an 'equalizer' of sorts due to its adoption by many governments, especially those of the industrialized nations, as the world has transitioned to a global economy. The transformative changes that we see illustrate how technology and the Internet have brought greater convenience and functionality to the three communities (public, private, and government) and the adverse impact they can have on the critical infrastructure. Historically, the concern has been attacks from nation states that generally had a large military and a heavily stockpiled resource base (including huge cash amounts). The asymmetry within the cyber domain has created an unexpected balance that has brought a new wave of committed players, including non-nation states, to a level of influence that requires them to be reckoned with and no longer ignored. As a result, senior leadership is much more cautious in its approach to decision making because of the potential consequences. This is especially true because cyber assets, though so valuable, can also be so vulnerable. In this study, we discuss a method that moves decision making from a 'gut', experience- or insight-based, qualitative approach to a more data-centric, quantifiable approach. This approach gives senior leaders more certainty in major decisions on how to optimize the performance and security of the critical infrastructure through targeted and more accurately placed cyber investments.