Real-time interdependencies should be ignored as too complex to
identify in advance.
When the consequences are sufficiently low, inadequate expertise is available, or maturity is inadequate for interdependency analysis, analysis of real-time interdependencies is likely to be infeasible. But failure to do this analysis should limit the risk acceptance threshold to low risk situations.
Real-time interdependencies should be identified in advance but
only to the borders of the facility or enterprise.
In cases where the consequences of failures don't extend beyond the facility or enterprise, the interdependency analysis can reasonably stop there. However, the enterprise may wish to extend its analysis further to better understand its risks.
Real-time interdependencies should be identified in advance as
far as they reasonably extend.
For high consequence situations, interdependencies should not be limited to the facility or enterprise, as they affect the rest of society. They should extend as far as they need to go until no identified interdependencies of significant consequence remain.
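The three identification options above differ in where the analysis stops. The following added example (not part of the original text) computes the analysis scope under each option over a constructed dependency map; the system names, consequence ratings and the "medium" significance threshold are illustrative assumptions.

```python
from collections import deque

# Constructed sample data. Each entry: (inside_enterprise, consequence, depends_on).
# "consequence" is the assumed consequence to the analysed operation if that
# dependency fails; all names and ratings are illustrative, not from the page.
SYSTEMS = {
    "plant_scada":   (True,  "high",   ["site_power", "hist_db", "telco_wan"]),
    "hist_db":       (True,  "medium", ["site_power"]),
    "site_power":    (True,  "high",   ["grid_operator"]),
    "telco_wan":     (False, "high",   ["telco_dns", "grid_operator"]),
    "telco_dns":     (False, "low",    []),
    "grid_operator": (False, "high",   ["fuel_supply"]),
    "fuel_supply":   (False, "low",    ["rail_freight"]),
    "rail_freight":  (False, "high",   []),
}
RANK = {"low": 0, "medium": 1, "high": 2}

def analysis_scope(root, option, significant="medium"):
    """Return the set of systems the interdependency analysis must cover.

    option "ignore":     no interdependency analysis, only the system itself
    option "enterprise": follow dependencies, stop at the enterprise border
    option "extended":   follow dependencies across the border until no
                         dependency of significant consequence remains
    """
    if option == "ignore":
        return {root}
    seen, queue = {root}, deque([root])
    while queue:
        node = queue.popleft()
        for dep in SYSTEMS[node][2]:
            inside, consequence, _ = SYSTEMS[dep]
            if dep in seen:
                continue
            if option == "enterprise" and not inside:
                continue  # border reached: analysis stops here
            if option == "extended" and RANK[consequence] < RANK[significant]:
                continue  # below the significance threshold: branch ends
            seen.add(dep)
            queue.append(dep)
    return seen

def unexamined_beyond_border(root):
    """Significant dependencies that a border-limited analysis never looks at."""
    return analysis_scope(root, "extended") - analysis_scope(root, "enterprise")

if __name__ == "__main__":
    for opt in ("ignore", "enterprise", "extended"):
        print(opt, sorted(analysis_scope("plant_scada", opt)))
    print("gap", sorted(unexamined_beyond_border("plant_scada")))
```

The gap set is the part of the risk that the border-limited option leaves unexamined, which is the basis for choosing between the second and third options.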
Interdependent failures should be mitigated in real-time as
part of the incident response process.
While it would be nice to never require real-time incident response to mitigate failures in interdependent systems, as a practical matter, some amount of this is always likely to be required. However, as a primary mode of operation, it is really the last line of defense, and should not be the first line when consequences are high enough to justify alternatives.
Interdependent failures should be mitigated in advance by
adding redundancy and/or hardening interdependent systems.
Redundancy and hardening are particularly useful in cases where large classes of failure modes can be covered, but often leave common-mode failures. Their use often relieves the need for real-time response, which allows reduced operational costs and sustained operations until repair can be undertaken.
Interdependent failures should be mitigated in advance through
failsafes and alternative operating modes.
Some interdependencies cannot be resolved by redundancy or hardening (e.g., common-mode failures, insider malicious acts, etc.). In these cases, coverage via failsafe modes and other alternative (often sub-optimal) modes often resolves the real-time issues.
Event sequences leading to potentially serious negative
consequences should be examined in detail for specific mitigation
When consequences are sufficiently high to warrant thorough examination of the situation, this is the more definitive approach. In essence, it combines the other approaches to employ an optimal strategy which takes into account all of the identifiable event sequences (or classes of them) and likely uses each when and where appropriate in a coordinated fashion.