Proceedings of the
35th European Safety and Reliability Conference (ESREL2025) and
the 33rd Society for Risk Analysis Europe Conference (SRA-E 2025)
15 – 19 June 2025, Stavanger, Norway
Towards the Operationalization of Mission-Centric Frameworks for Cyber Security Risk Management in the Defence Sector
¹ Strategic Analyses and Joint Systems Division, Norwegian Defence Research Establishment (FFI), Norway.
² Mission Critical Cyber Security, Defence Research and Development Canada (DRDC), Canada.
ABSTRACT
Information and communication technology (ICT) has long been envisioned as a potential force multiplier in military operations. Cyber has even been recognized as a full-fledged domain of operations alongside air, ground, space and maritime. Armed forces that are not able to embrace this change and readily leverage new ICT to achieve information and operational superiority might be at a great disadvantage in future conflicts. At the same time, it is critical that the increased operational effect that new technology might bring does not come at the cost of unacceptable security and safety risks. To support these complex cost-benefit assessments, various mission-centric frameworks for cyber security have been proposed over the last two decades. They all seek to give guidance and tools for eliciting security requirements based on the risk of losing mission-critical capabilities through ICT compromises. This is in contrast with a more classical ICT-centric approach, oftentimes in the form of strict compliance-based checklists. Still, although the underlying principles guiding mission-centric frameworks seem to be well understood and accepted, there seem to be some fundamental hurdles to making them operational. We shed light on these challenges and on how to overcome some of them, based on the experiences of the Norwegian and Canadian military research institutions with developing such frameworks. Key findings were: To identify and assess the criticality of ICT systems for mission success, it is necessary to model the relationship between military missions and the technical functions enabled by ICT systems in a way appropriate for specific national needs. A crucial success factor is to establish a partnership with the Armed Forces and to engage key stakeholders throughout the process. Operationalization requires the collection and structuring of large amounts of data; hence a flexible supporting tool is needed.
Keywords: Cyber security, Mission-centric risk assessments, Cyber mission assurance, Military operations.