*Issues on Risk Analysis for Critical Infrastructure Protection*

to assess this risk and define appropriate mitigating measures, as is highlighted by the aforementioned Dutch supply chain RA pilot [39]: "*Providing insight into the cyber security risk within a supply chain requires a level of commitment of all organizations involved. It is paramount that in addition to the availability of adequate resources sufficient trust exists between organizations to share sensitive information among each other*."

**5.2 Challenges to assess the cyber risk across CI/CII chains**

In safeguarding CI and CII, cyber risk mitigation plays an important role. Cyber risk mitigation approaches comprise legal frameworks [13], the implementation of mostly non-CI/CII-specific cyber security frameworks for ICT and OT [25, 29–32, 51], the sharing of cyber security information [52, 53], and a collaborative approach. The incentive for collaborative action on the cyber risk at the sector level and across service chains is clear. Resources are scarce and can be used more efficiently by collaborating. Due to the interconnectedness of CI and CII, all organizations in a sector or service chain suffer when one weak link exists and fails, making a joint approach a necessity. Although many initiatives exist, the uptake of these initiatives is sometimes less than planned. While there are methods available to assess the cyber risk across a CI chain, there are challenges in applying those methods. Some of the factors that may prove a barrier in the adaptation of these methodologies are:

• *Different RA methodologies used by individual organizations:* Collaboration on RA across chains requires information sharing and discussion of the RA results of the individual organizations. The sharing of information on the RA may be hampered when different methodologies are used. Although there are ways to overcome this (see e.g. [38]), this requires some additional effort by the participating organizations.

• *Scarce resources:* Cyber security is a domain where expertise is still a scarce resource. When large-scale incidents occur that would benefit from cross-organizational collaboration, many of the personnel needed will be taken up by high-priority activities within their own organizations.

• *Difficulties in establishing effective public and private partnerships:* Collaboration across the chain may require a close collaboration between public and private organizations, e.g. on information sharing about threats and vulnerabilities. While public-private partnerships (PPPs) are a popular form of collaboration in a number of states, in practice we see that they often lead to less than satisfactory results. Although the precise failure rate of PPPs in CIP is unknown, in the context of business-to-business partnerships failure rates of 30% up to 80% have been reported. This high failure rate may be based on tensions inherent to a PPP. Some balancing mechanisms are needed to overcome the inherent tensions [54].

• *Cross-border collaboration:* Most CI/CII operators use equipment from many different suppliers located worldwide. This may hamper information sharing and collaboration.

• *Legal barriers:* Anti-trust legislation on the one hand and Freedom of Information (FOI) legislation on the other may create barriers to collaboration and the exchange of information between organizations [53].

**6. What's next?**
