11. Funding
Critical infrastructure requires financial, human and physical resources that should be identified in the strategy or policy. The resources can be derived from government, development partners or Private Public Partnership (PPP).
Critical infrastructure owners and operators need to make significant investments in their security and adopt cybersecurity best practices. As these measures may not immediately yield measurable benefits, the private sector may be justifiably concerned about the return on security investments. The government may therefore implement standards and practises to incentivise private sector owners and operators to fulfil their individual cybersecurity responsibilities, commensurate with the risk they face and that justify the costs of investment in cybersecurity.
Resource: Incentives for the CI owners and operators
The US Executive Order 13636: Improving Critical Infrastructure Cybersecurity, Incentives Study Analytic Report defines an incentive as a cost or benefit that motivates a decision or action by critical infrastructure asset owners and operators to adopt the Cybersecurity Framework under development by NIST. These include market-based incentives such as insurance. However, to hasten the pace of the necessary improvement in cybersecurity, government action can provide additional impetus to the market. In the US, incentives contained in legislation, policy, and other sources include expedited grants, information sharing, insurance, new regulation/legislation, prioritised technical assistance, procurement considerations, public recognition, subsidies, and tax incentives.