Risk analysis beyond vulnerability and resilience - characterizing the defensibility of critical systems
Vicki Bier, Alexander Gutfraind

TL;DR
This paper introduces a new index called defensibility to better assess and compare the security of critical systems, emphasizing cost-effective investments to reduce damage from attacks.
Contribution
It defines and quantifies defensibility as a novel, dimensionless measure that accounts for attack and defense factors, filling gaps left by traditional indices.
Findings
Defensibility depends on asset valuations and threat nature.
Analytical results support the importance of defensibility in security planning.
The index is applicable across various critical infrastructure systems.
Abstract
A common problem in risk analysis is to characterize the overall security of a system of valuable assets (e.g., government buildings or communication hubs), and to suggest measures to mitigate any hazards or security threats. Currently, analysts typically rely on a combination of indices, such as resilience, robustness, redundancy, security, and vulnerability. However, these indices are not by themselves sufficient as a guide to action; for example, while it is possible to develop policies to decrease vulnerability, such policies may not always be cost-effective. Motivated by this gap, we propose a new index, defensibility. A system is considered defensible to the extent that a modest investment can significantly reduce the damage from an attack or disruption. To compare systems whose performance is not readily commensurable (e.g., the electrical grid vs. the water-distribution network,…
Taxonomy
Topics: Infrastructure Resilience and Vulnerability Analysis · Risk and Safety Analysis · Supply Chain Resilience and Risk Management
