July 10, 2026

Absolute And Relative Risk Reduction

In brief

The article argues that OT cybersecurity investments should be evaluated by distinguishing between relative and absolute likelihood reduction. Using microsegmentation across Purdue levels 0–2 as an example, it explains that such a control may significantly reduce the chance that an attacker who has already breached OT can cause a high-consequence event. However, that impressive relative reduction can look far smaller in absolute terms once multiplied by the already low annual likelihood of an OT breach.

The author suggests this distinction should influence how organisations prioritise spending. Once the probability of an OT breach has been made very small through essential controls such as a strong OT/IT perimeter and removal of unrestricted internet access, it may be more effective to focus on reducing consequences rather than further reducing likelihood. Tools that speed recovery, such as backups and orchestration, have a clearer consequence-reduction role, while monitoring and detection may help mainly by supporting recovery and confirming eradication. The article concludes by calling for better data and more data-driven OT cyber risk management.

Source: Dale Peterson

Choose a topic: