A Pragmatic Capability-based Framework for National Security Risk Governance

The capabilities needed to protect national security and conduct crisis management in a comprehensive defense context depend on increasingly interconnected and complex ICT infrastructures and systems. As a consequence, ICT-security, hence protection of availability, integrity and confidentiality, is of crucial importance. Trends in risk and security research, as well as the Norwegian security legislation launched in 2019, put the mission outcomes as the key drivers for identifying security criteria and prioritizing security measures. Mission criticality should guide identification and prioritization of security measures to achieve an appropriate level of security for organizations performing activities and operating information systems and infrastructures of importance for national security. This paper suggests a pragmatic capability-based framework for national security risk governance, primarily aimed at the strategic level. Inspired by system theoretic approaches to risk and security, it creates a hierarchy and traceability from high-level security interests to the criticality of the ICT systems underpinning military capabilities. Although developed for defense applications, the mind-set and approach may be transferable to other types of organizations. We apply a simplified military capability as a case to develop and illustrate the framework: assertion of national sovereignty by air space surveillance, air space situational awareness and, if needed, combat airplane interception.

Keywords: National security, ICT, ICT-security, Capability, Risk, Risk governance.

Download PDF