Towards a Baltic Sea Region Strategy in Critical ... - Helsinki.fi
CHAPTER III: INFORMATION AND COMMUNICATION TECHNOLOGY

are dictated by the perceived vulnerability, threat likelihood and ensuing cost due to a realized threat (Anderson and Moore 2006).[90] The latter combines immediate costs attributed to revenue loss, asset damage, settlement costs, legal exposure and productivity losses, as well as intangible costs related to market perception and customer churn. Moreover, expenditure on protection measures also becomes correlated to the willingness of end users to accept a service surcharge for a given level of protection. This is usually expressed in service level agreements (SLAs) between the provider and the subscriber, whereby the degree of protection afforded (e.g., availability, encryption level etc.) varies according to service classification.[91] Worse still, most CII owners are maintaining a prudent view on additional expenditures due to the free spending (e.g., on inflated third-generation mobile license auctions) of the 1990s that precipitated the bursting of the dot-com bubble and the eclipse of the telecom boom in the early part of this decade.[92]

On the other hand, CIIP objectives specifically target high-impact events (e.g., the targeted DDoS attacks on Estonia, Hurricane Gudrun in southern Sweden etc.) that result from low-probability, uncertain, unexpected or even unknown threats. Unfortunately, the true level of risk associated with such threats may be difficult to discern, making the argument for supplementary security investments for CIIP unjustifiable using traditional threat-based cost-benefit analysis and risk assessment methodologies. These methods usually prioritize security measures against high-probability known threats with the potential to cause medium- or high-impact disruptions. Unfortunately, by relying on hard intelligence and reactive responses to previously seen attacks, this threat-based approach leaves a large security gap exploitable by surprise attacks. Alternatively, by basing security investment decisions on the vulnerability-based approach, it is possible to ignore the threat probability in the analysis, thus clearly highlighting the potential benefits of CIIP investments (Rauscher et al. 2006). Consider Figure 29, which illustrates the cost versus security level relationship under the vulnerability-based approach. The highest level of security investment justifiable for protection against known threats is reached at an optimum point that guarantees maximum returns on the investment. However, this investment is lower than that required for protection against unknown threats, thus creating a CIIP investment gap, which in turn translates into a high-risk security gap with the potential to cause great financial loss when breached (see Figure 29).
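The contrast drawn above between threat-based and vulnerability-based prioritization, as an added worked example in Python that is not part of the report. The four scenarios, their probabilities, vulnerabilities, impacts and mitigation costs are constructed and hypothetical. Each method scores the same scenarios; a measure counts as justified when its scored loss meets or exceeds its cost, and the difference in total justified spend between the two methods is the investment gap the text describes. A threat with no probability estimate gets zero weight under the threat-based method, which reproduces the blind spot the text attributes to it.

```python
"""Threat-based vs vulnerability-based prioritisation of CIIP measures.

Constructed example: every scenario, figure and cost below is invented for
illustration and is not taken from the report.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Scenario:
    name: str
    impact: float                 # loss if the disruption is realised (constructed units)
    vulnerability: float          # 0..1: chance the infrastructure fails given the threat
    probability: Optional[float]  # annual likelihood of the threat; None = unknown
    mitigation_cost: float        # cost of the protective measure


# Constructed scenarios with hypothetical numbers.
SCENARIOS = [
    Scenario("Commodity malware on office network", 2.0, 0.6, 0.8, 0.3),
    Scenario("Hardware failure at primary exchange", 5.0, 0.4, 0.3, 0.8),
    Scenario("Large-scale DDoS on national ISPs", 40.0, 0.9, 0.02, 3.0),
    Scenario("Storm damage to regional power/telecom lines", 60.0, 0.7, None, 6.0),
]

Scorer = Callable[[Scenario], float]


def threat_based_score(s: Scenario) -> float:
    """Annualised expected loss: probability x vulnerability x impact.

    An unknown threat has no probability estimate, so the threat-based method
    assigns it no weight at all: this is the gap the text describes.
    """
    if s.probability is None:
        return 0.0
    return s.probability * s.vulnerability * s.impact


def vulnerability_based_score(s: Scenario) -> float:
    """Loss exposure if the threat materialises: vulnerability x impact.

    Threat likelihood is deliberately left out of the calculation.
    """
    return s.vulnerability * s.impact


def rank(scenarios: List[Scenario], scorer: Scorer) -> List[str]:
    """Scenario names in descending priority order under the given scorer."""
    return [s.name for s in sorted(scenarios, key=scorer, reverse=True)]


def justified(scenarios: List[Scenario], scorer: Scorer) -> List[str]:
    """Measures whose scored loss meets or exceeds their cost (benefit >= cost)."""
    return [s.name for s in scenarios if scorer(s) >= s.mitigation_cost]


def investment_gap(scenarios: List[Scenario]) -> Tuple[float, float, float]:
    """Total spend justified under each approach and the difference between them.

    Returns (threat_based_total, vulnerability_based_total, gap).
    """
    by_name = {s.name: s for s in scenarios}
    threat_total = sum(by_name[n].mitigation_cost
                       for n in justified(scenarios, threat_based_score))
    vuln_total = sum(by_name[n].mitigation_cost
                     for n in justified(scenarios, vulnerability_based_score))
    return threat_total, vuln_total, vuln_total - threat_total


if __name__ == "__main__":
    print("Threat-based ranking:       ", rank(SCENARIOS, threat_based_score))
    print("Vulnerability-based ranking:", rank(SCENARIOS, vulnerability_based_score))
    t, v, g = investment_gap(SCENARIOS)
    print(f"Justified spend: threat-based {t:.1f}, vulnerability-based {v:.1f}, gap {g:.1f}")
```

With the constructed figures, the threat-based method funds only the routine malware measure (its expected loss of 0.96 exceeds the 0.3 cost), while the low-probability DDoS and the storm scenario, which has no probability estimate at all, fall below their cost and are left unprotected; the vulnerability-based method justifies all four, and the difference in spend is the investment gap.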
[90] See, for example, Sherwood et al. (2005).
[91] See, for example, Fawaz et al. (2004). They propose a platinum, gold, silver and bronze service classification, where for instance, service recovery time is