A "Cost-Benefit Analysis" Approach Brought Europe's Busiest Airport To A Halt. Is Your Cybersecurity Built On "Cost-Benefit Analysis"?

 


(image taken from https://www.express.co.uk/news/uk/1543817/Heathrow-emergency-Flight-diverted-British-Airways-plane-Dubai-London-police-latest-upda )

Oopsie! The "cost-benefit analysis" mindset strikes again.

On 21 March 2025, a power station in Hyde North, which serves Heathrow Airport, failed. This failure caused the airport to cease operations until back-up systems could be manually checked and brought online. This process took about 18 hours. Many kudos are due the engineers and first responders who accomplished this task.

As The New York Times put it a few days later:

"A gleaming new data center sits less than half a mile from the electric substation where a fire plunged Heathrow Airport into darkness last week. The data center’s own power was also cut that day. But no one who relied on it would have noticed, thanks to a bank of batteries and backup generators designed to kick in instantly.

Meanwhile it took officials at Europe’s busiest airport close to 18 hours to bring its terminals and runways back into operation, causing global travel delays and underscoring the vulnerability of Britain’s infrastructure."

The Times further notes:

" 'The data center industry is relatively young. They are more attuned to the cost of a catastrophic failure,' said Simon Gallagher, the managing director at UK Networks Services, which advises clients on the resilience of their electricity networks. He said most of the world’s airports — including Heathrow — have not been willing to make the big investments necessary to build total backup systems."

Why not and what does this have to do with cybersecurity?

" '[It] could cost as much as $100 million and would likely take years to put in place. So far, most airports have chosen not to make the investment. It comes down to a cost-benefit analysis,' Mr. Gallagher said. 'At the minute, there seems to be an assumption that it would cost too much.' ”

An actuarial study is a cost-benefit analysis. Sitting around scratching one's chin and speculating about whether you can get by through kicking the can down the road is not a cost-benefit analysis. It is a cost-of-goods analysis.

Cybersecurity is more difficult than managing a power station. There could be a server farm or a server room, and there is a network, and there are peripherals. The risks could be traceable to factors beyond your expectations (climate change, rats chewing cables, Artificial Intelligence bots, etc.), especially as you focus on growing the business versus insulating the business.

Creating and executing your plan is expensive but it must be done. Not to spend too much time on airports (not an area of professional expertise for Pythia Cyber) but the parallels to cybersecurity risk management planning are telling. Here is a paragraph from another story in the Times on how airport managers create risk management plans, and why:

"Power outages at airports are more common than many officials would like. A 2023 Government Accountability Office report identified 321 outages that lasted at least five minutes at two dozen U.S. airports from 2015 to 2022. Airports and other infrastructure, such as the electric grid itself, are also increasingly under threat by natural disasters, many of which are linked to climate change. The number of storms and other weather events that caused at least $1 billion in damage has steadily risen in recent decades, from five in 2000 to 27 last year, according to the National Centers for Environmental Information, a part of the U.S. Commerce Department."

Your insurance professional, who actually specializes in cost-benefit analysis, can help you realize the monetary implications of the current risks you have. But that person is not going to work with you to mitigate your risk. That's what we do at Pythia Cyber.

Ask us how we can help you mitigate cybersecurity risk so that your business doesn't become the next flaming power substation.

