RISK ANALYSIS METHODS FOR CYBER SECURITY

MICHEL CUKIER AND SUSMIT PANJWANI

University of Maryland, College Park, Maryland

1 INTRODUCTION

Executive Order 13010 defines the nation's critical infrastructure as “telecommunications, electrical power systems, gas and oil storage and transportation, banking and finance, transportation, water supply systems, emergency services (including medical, police, fire, and rescue), and continuity of government” [1]. Traditionally, the nation's critical infrastructure assets were considered independently from the information assets. However, the development of an information-based economy and the wide proliferation of the Internet have changed the way these critical infrastructure assets are accessed, maintained, and used. The critical infrastructures are now exposed to a different threat profile raised by the interdependence of information assets and critical infrastructure assets.

This is clearly illustrated in the Clinton Administration's Policy on Critical Infrastructure Protection (CIP). Presidential Decision Directives (PDD) 62 and 63, released on May 22, 1998 by President Clinton address the new and nontraditional “cyber-security” threats against critical infrastructure [2, 3]. PDD 63 is the key directive focusing on CIP from both the physical and cyber security perspective [3, 4].

On October 16, 2001, President Bush announced Executive Order 13231, entitled “Critical Infrastructure Protection in the Information Age” [5]. In this executive ...