Around the world, attacks against critical infrastructure have become increasingly common. More and more, these attacks are carried out with mice and keyboards rather than bombs and missiles, as in the 2021 ransomware attack on Colonial Pipeline, where an intrusion into the operator's business systems led to a precautionary shutdown of the pipeline itself. From a military strategy perspective, the appeal is easy to understand: cyberattacks against infrastructure can be executed remotely, cheaply, and with comparatively little risk to the attacker, while having a debilitating effect across entire regions.
Just as the threats against infrastructure have evolved, so too must the strategies for defending it. Traditional approaches to cyber risk management (CRM) are ill-suited to today's rapidly evolving security challenges, which is why the sector must adopt a consequence-driven framework: one that evaluates each cyber risk in terms of the impact it could have on critical processes and assets, rather than in the abstract.
How traditional approaches to CRM fall short
Traditional CRM frameworks were developed to address the challenges of a very different era. Historically, they were driven by qualitative methodologies that assign subjective scores to variables related to the likelihood and…