The article considers the problem of optimizing information security expenses at critical infrastructure facilities (CIFs). The purpose of the study is to identify and justify those components of IT security whose reduced funding leads to a disproportionate increase in risk and to potentially catastrophic consequences. The study analyzes expert assessments by specialists in IT infrastructure and comprehensive security, as well as existing scientific approaches to cyber risk management. As a result, three fundamental areas were identified on which savings are unacceptable: human capital and expertise; proactive threat detection and incident response systems; and data integrity and disaster recovery technologies. The practical significance of the work lies in forming a scientifically grounded approach for decision makers planning cybersecurity budgets, which helps minimize the risk of man-made and economic disasters caused by cyberattacks on CIFs.
The digital transformation has led to a deep integration of information technology into the management systems of critical facilities, including energy, transport, water supply, and the financial sector. This integration, while bringing significant efficiency gains, simultaneously creates new threat vectors. A cyberattack on a CIF can entail not only direct financial losses but also large-scale social, economic and even humanitarian consequences. Under constant budget pressure, organizations are tempted to optimize costs, including IT security costs. However, as practice shows, such savings often turn out to be illusory and lead to a manifold increase in damage later on. The relevance of this topic stems from the growing number and complexity of cyberattacks on industrial and government infrastructure. The purpose of this article is to identify and scientifically substantiate those aspects of IT security on which savings pose an unacceptable risk to critical facilities, based on an analysis of expert positions in this field.
Human capital as the basis of the security system
Modern cybersecurity systems are a complex set of technological and organizational measures. The effectiveness of this complex directly depends on the qualifications of the personnel who design, implement and operate it. Saving on payroll, training, and retaining highly qualified IT security professionals is one of the most dangerous ways to reduce costs.
IT infrastructure specialists argue that a competent security analyst or engineer is able to prevent an incident that even the most advanced automated systems would not detect. This is because attackers constantly refine their methods, and only a person with deep knowledge and experience can recognize atypical anomalies and complex, multi-stage attacks (APT, Advanced Persistent Threats). As Bruce Schneier notes, security technologies are in a constant arms race with intruders, and in this race human intelligence remains the decisive factor [1]. Downsizing or hiring low-skilled employees causes the entire protection system to "sag". The cost of eliminating the consequences of a single serious incident caused by a lack of expertise may exceed the annual payroll of the entire security department.
Proactive protection and incident management
The second area where savings are unacceptable is the transition from a reactive protection model to a proactive one. Traditional approaches based on preventing intrusion (for example, with firewalls and antivirus software) are insufficient today. The "Assume Breach" paradigm has become the standard for CIFs. It means that the organization must have the means not only to prevent an incident, but also to detect and respond as quickly as possible to one that has already occurred.
These tools include SIEM (Security Information and Event Management), EDR/XDR (Endpoint/Extended Detection and Response), and SOC (Security Operations Center) services. These technologies require significant investment in acquisition, implementation, and support. Saving on them means that an organization may not know about an attacker's presence on its network for months. During this time, the attacker is able to study the infrastructure, gain a foothold in it and cause maximum damage. According to Richard Bejtlich, continuous network security monitoring is the only reliable way to detect complex threats that bypass perimeter defenses [3]. In addition, regular penetration testing (pentests) and security audits conducted by independent experts are an integral part of proactive protection. Forgoing these procedures for reasons of economy creates a false sense of security.
Table 1: "Proactive and reactive cybersecurity models"

| Reactive model (saving on monitoring) | Proactive model (investing in monitoring) |
|---|---|
| Stage 1: Attack<br>An attacker penetrates the network, bypassing the basic protection. | Stage 1: Prevention<br>Constant vulnerability scanning and pentests to eliminate weaknesses. |
| Stage 2: Persistence<br>The attacker remains in the system unnoticed for weeks or months. | Stage 2: Detection<br>SIEM/XDR systems detect abnormal activity within the first hours or minutes. |
| Stage 3: Damage<br>Data is stolen or encrypted, critical processes are stopped. | Stage 3: Response<br>The SOC isolates the threat before significant damage is caused. |
| Stage 4: Reaction<br>Emergency, chaotic response after the consequences are detected. | Stage 4: Analysis<br>Investigation of the incident to improve protection and prevent repeat attacks. |
| Result:<br>High cost of recovery<br>Long downtime<br>Reputational damage | Result:<br>Minimal impact on business processes<br>Low incident cost<br>Trust maintained |
Data integrity and disaster recovery
The third untouchable component is backup and disaster recovery systems. In the era of ransomware, which deliberately encrypts not only working data but also its backups, the approach to backups must be multi-layered. Saving on high-quality backup solutions, for example by forgoing geographically distributed storage or immutable (write-once) storage, can lead to the complete and irretrievable loss of critical data.
For CIFs, downtime measured in hours can lead to the collapse of entire industries or regions. Therefore, the disaster recovery plan must be not just a formal document, but a mechanism that actually works and is regularly tested. This means investing in a standby infrastructure (DR site), which can be expensive. However, as incident response specialists point out, having a proven recovery plan is the determining factor that distinguishes an organization that can survive a serious cyberattack from one that will cease to exist [2]. The cost of downtime and rebuilding from scratch is incommensurable with the cost of maintaining a backup site ready for operation.
Synthesis of components within the framework of a risk-based approach
The three aspects presented (people, proactive detection, and recovery) are not isolated items of expenditure. They form a single, interconnected system. Qualified specialists cannot work effectively without modern monitoring tools. The most advanced technologies are useless without proper operation. And a data recovery system makes no sense if the incident was not detected and contained in time.
Thus, IT security budgeting for CIFs should be based not on the principle of "cut everything that can be cut", but on the risk management model described in standards such as the NIST cyber resiliency guidance [4]. Security expenses should be treated not as costs, but as investments in the continuity and resilience of the facility. The decision to save money in any of the above areas should be made with full awareness of exactly what risk the organization is taking on and what the consequences of its realization may be. For critical infrastructure, the cost of such risk is usually unacceptable.
The analysis of expert opinions and scientific approaches to securing CIFs allows an unambiguous conclusion: there are a number of aspects of IT security on which savings lead to a catastrophic decrease in the overall level of security. These aspects include:
- Human capital: investments in attracting, training and retaining highly qualified specialists.
- Proactive protection: implementation and support of modern monitoring, threat detection and incident response systems, as well as regular audits.
- Business continuity: creation and testing of reliable, multi-level backup systems and disaster recovery plans.
Reducing funding for these areas is a strategic mistake that creates the illusion of short-term benefits but in the long run practically guarantees serious incidents with unpredictable damage. Managers of critical facilities need to treat the expenses on these three components not as costs, but as basic investments in stability and security, which are a prerequisite for functioning in the modern digital environment.
References:
1. Schneier B. Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World. W. W. Norton & Company, 2016. 448 p.
2. Luttgens J., Pepe M., Mandia K. Incident Response and Computer Forensics. 3rd ed. McGraw-Hill Education, 2014. 736 p.
3. Bejtlich R. The Practice of Network Security Monitoring: Understanding Incident Detection and Response. No Starch Press, 2013. 376 p.
4. Ross R., Pillitteri V., Graubart R., Bodeau D., McQuaid R. Developing Cyber Resilient Systems: A Systems Security Engineering Approach (NIST Special Publication 800-160, Volume 2). National Institute of Standards and Technology, 2019. 229 p.