The increasing threat of cyber-attacks against systemically important institutions and critical infrastructure continues to highlight the need to improve the defense and resilience of organizations. The US government focuses its defense strategy on applying a risk-based approach to optimize the allocation of scarce resources across federal networks and promotion of best practice for critical infrastructure. This paper discusses the framing national policy and the core methodological challenges facing practitioners who seek to implement such an approach. The paper defines three key areas of fundamental challenge: (1) defining tiers, categories, and severity measures of end effect, (2) linkage of devices to organizational processes, and finally (3) a mechanism for connecting organizations together to analyze emergent societal effects. This approach is broadly applied to an example of commercial airline operations, identifying the interconnection between key functions in the production chain which, if disrupted, lead to strategic effects in the critical infrastructure sector.
A revised version of this article will be published in the fourth volume of Cyber Security: A Peer-Reviewed Journal.