Do firms expect too much cyber threat data?

Critical infrastructure companies need to take several measures in order to mitigate the effects of cyber threats and to ensure cyber security. Companies need to examine themselves from two main perspectives, and not rely on threat information. The first is related to the objectives of the company and second is from a vulnerability assessment/evaluation arena. Critical infrastructure companies need to examine their systems looking for vulnerabilities, determine the consequences/impacts to the company's operations of a successful exploitation of the vulnerability, and determine the capabilities that are necessary to successfully exploit the vulnerability. Another area where critical infrastructure companies can gather information, used to convince managers to authorize the implementation of cybersecurity defenses, is to examine real-world industrial incidents and see if a purely cyber scenario resulting in the same consequences can be extrapolated.