Identifying Critical Infrastructure in a World with Network Cybersecurity Risk

20 Pages Posted: 5 Aug 2021

See all articles by Christos Makridis

Christos Makridis

Stanford University; Columbia University - Columbia Business School

Deven R. Desai

Georgia Institute of Technology - Scheller College of Business

Multiple version iconThere are 2 versions of this paper

Date Written: August 2, 2021


Covid-19 has highlighted the fragility of supply chains in a range of critical infrastructure— food, medicines, health care, information technology, communications, and more. This paper focuses on an under-appreciated supply chain risk, network cybersecurity, that was present before the pandemic and which the pandemic brings into sharper focus. Between 2004 and 2016 the digital economy has grown nearly four times as fast as the rest of the economy according to the Bureau of Economic Analysis. The proliferation of digital services has created significant value and employment opportunities; it has also created a wide array of new cybersecurity vulnerabilities. Vulnerabilities of DVRs, CCTVs, voting machines, and municipal systems, leading to denial of service attacks and ransomware hold ups are known, but these examples miss a problem. Although these examples give the impression that only certain hardware and specific entities are affected, taking networked cybersecurity into account changes yields different conclusions. For example, given that enterprise software, which is common for work at home situations, is rapidly becoming a cybersecurity vulnerability, anyone connected by this software necessarily becomes a target too. Malicious cyber incidents, like data breaches, can have ripple effects across a network of businesses and sectors. Yet current definitions and regulations of Critical Infrastructure (CI) miss this point.

We argue that the network dimension of cybersecurity risk is an important, under-studied aspect of the problem. Legal definitions of CI and the voluntary nature of cybersecurity governance leave gaps in the classification of CI and how to identify cybersecurity risk, particularly in the professional services sector. In addition, the voluntary nature of cybersecurity governance demands risk-based and objective measures to aid in identifying when to take steps on improving cybersecurity, but exactly what such metrics are is, at best, evolving.

We address both these problems. By drawing on a new dataset, we develop metrics that measure productivity effects and that captures cybersecurity risk. This approach allows us to show that a major sector, professional services, is missed by current definitions of critical infrastructure, but could be captured if CI definitions accounted for networked cybersecurity risk. In addition, the approach aids voluntary participation in mitigating cybersecurity risk, because it provides a way for any firm or sector to identify and assess better the nature of its networked cybersecurity risk.

In short, these networked cybersecurity vulnerabilities can adversely affect aggregate growth and national security objectives because of connectivity across firms and sectors. This work seeks to provide a path forward for understanding, defining, and protecting networked cybersecurity.

Suggested Citation

Makridis, Christos and Desai, Deven R., Identifying Critical Infrastructure in a World with Network Cybersecurity Risk (August 2, 2021). Georgia Tech Scheller College of Business Research Paper No. 3898193, TPRC49: The 49th Research Conference on Communication, Information and Internet Policy, Available at SSRN: or

Christos Makridis (Contact Author)

Stanford University ( email )

Stanford, CA 94305
United States

Columbia University - Columbia Business School ( email )

3022 Broadway
New York, NY 10027
United States

Deven R. Desai

Georgia Institute of Technology - Scheller College of Business ( email )

800 West Peachtree St.
Atlanta, GA 30308
United States


Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics