Redefining Systemic Cybersecurity Risk in Interconnected Environments

Abstract

While the different entities that compose any socio-economic environment have always had a certain degree of interconnection, the evolving dynamics of cyberspace are intensifying their interdependence and shared reliance on the digital realm. This is giving rise to increasingly possible origins of systemic cybersecurity risk, potentially leading to scenarios where supply chains and essential services experience the rapid and widespread propagation of cascade events at unprecedented levels and velocities. If this interdependence is widely recognised and accepted (Section 2), the concept of systemic cybersecurity risk is still subjective and functional to the core mission of single components of a system (Sections 3 and 4), and this lack of common terminology prevents the community from adopting a shared posture to manage these risks. In this paper, we propose a workable and inclusive definition of systemic cybersecurity risk (Section 5). We then review relevant cybersecurity events arguing that while catastrophic episodes are still unseen, there are incidents that highlight systemic dynamics (Section 6). Finally, we review relevant diagnostic tools that have been developed to address systemic cybersecurity risks and discuss their limitation as well as opportunities for future research (Section 7). We conclude by highlighting that systemic cybersecurity risk is, by definition, a shared risk, thus developing a common understanding is the starting point to endorse coordinated mitigations at system level.