Security-by-Design in critical infrastructure

This explorative study investigates whether and how the Design Thinking approach can provide added value in the design of solutions for complex security problems. The researchers consulted vital organizations, scientists, technicians, advisors, regulators, ethical hackers and security officers, as well as a wide range of publications.

The inventory shows that perfect technical security is not always possible. To design facilities in such a way that they function resiliently in practice, attention must also be paid to the organization of processes and the perspectives of people dealing with the system. This people-oriented appeal offers room for the use of Design Thinking in infrastructure security.

The main characteristics of Design Thinking in the cybersecurity context are:
1. Attention to and understanding of the perspective of the various parties involved;
2. The openness toward reformulating the original security problem;
3. Experimentally-informed solution development;
4. The intent towards continuous improvement of the security solutions found.

The goal-oriented Design Thinking approach follows a different logic than the task-oriented policy and engineering approach that is used in ICT systems design. Design Thinking gives primacy to end users, and the approach is therefore organized bottom-up. The approach can only be used in critical infrastructure security insofar as the cultural differences between the top-down (policy approach) and bottom-up processes can be bridged.

The research report is illustrated with 22 use cases from international infrastructure as well as examples from the Dutch critical infrastructure. These cases demonstrate that Design Thinking approaches are viable in practice. 

WODC report no. 3052

Journal publication:
Poot, H. de, M. McKim (2020). ‘Security by design in de vitale sector’. iBestuur online, 16 December 2020. Available from: