Allocating Security Resources to Protect Critical Infrastructure

Alan T. Murray and Tony H. Grubesic, "Critical Infrastructure Protection: The Vulnerability Conundrum," Telematics & Informatics, 29 (February 2012): 56­65 (full article behind paywall).

Abstract: Critical infrastructure and key resources (CIKR) refer to a broad array of assets which are essential to the everyday functionality of social, economic, political and cultural systems in the United States. The interruption of CIKR poses significant threats to the continuity of these systems and can result in property damage, human casualties and significant economic losses. In recent years, efforts to both identify and mitigate systemic vulnerabilities through federal, state, local and private infrastructure protection plans have improved the readiness of the United States for disruptive events and terrorist threats. However, strategies that focus on worst-case vulnerability reduction, while potentially effective, do not necessarily ensure the best allocation of protective resources. This vulnerability conundrum presents a significant challenge to advanced disaster planning efforts. The purpose of this paper is to highlight the conundrum in the context of CIKR.

Posted on January 2, 2012 at 12:33 PM • 9 Comments


Scrooge McDuckJanuary 2, 2012 5:04 PM

"... strategies that focus on worst-case vulnerability reduction, while potentially effective, do not necessarily ensure the best allocation of protective resources."

In many parts of the world, "critical infrastructure and key resources" are owned and operated by publicly-owned corporations. In such corporations, one must be prepared to show very clear, precise economic returns on resource allocation to executive-level decision-makers.

Sort of like showing me why I should spend my hard-earned $0.99 to rent the article for 24 hours or purchase it for $24.95 .

DavidJanuary 2, 2012 9:29 PM


I know--and Hulu did??? I can understand YouTube, but...

"Yes, Director--we have to monitor Hulu. We can't miss the latest episode mean you never know what kind of plot might come out of those crazy One Piece episodes!"

PeterJanuary 3, 2012 2:34 AM

What a funny definition. Are the authors aware that the world outside the US also has infrastructure?

NobodySpecialJanuary 3, 2012 10:46 AM

@peter - I'm still laughing at the:

"cultural systems IN the United States"

Sharkie the CatJanuary 3, 2012 3:05 PM

@Peter and NobodySpecial

I haven't paid to read the article. When I saw that definition, I presumed the authors were focused on problems in the US and were not trying to enumerate issues that don't affect that country.

Otherwise, you'd be deriding how "US-centric the article is..."

PeterJanuary 4, 2012 2:37 AM

@Sharkie, it's perfectly reasonable to give a broad definition of critical infrastructure and then say "For the purposes of this paper we restrict the scope to the USA".

NobodySpecialJanuary 4, 2012 10:22 AM

It's an interesting point though - who pays for this?

If a municipality had a new bridge built and the contractor included a $Bn in the quote for an airforce to protect it from enemy attack they would be laughed at.

Yet they are supposed to pay to protect a water treatment plant from enemy hackers.
While they are paying taxes for an airforce to protect it from much less likely fleets of enemy bombers.

anonJanuary 5, 2012 8:33 AM

the correct way to protect the water plant from enemy hackers is to not hook it up to the internet.

I have no idea why so many think everything has to be hooked to the internet. What's the benefit here? Those who operate the plant should be inside it, and able to fix problems when something goes wrong. If it needs remote monitoring, there are many ways to do that without the internet (they've been used for decades).

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..