I agree with your point about the inability for government regulation to be able to keep up with the pace of change. It seems difficult for government just to coordinate on the overlapping jurisdictions between federal, state, local, and tribal. I agree with your point that the market solution requires an adequate understanding of risk and then disclosure of the risk. For publicly traded companies, there is the concept of the independent financial audit. Yet after the failures of independent financial audit with Enron and other spectacular financial failures -- the quality of independent financial audit under Sarbanes-Oxley was called into question. These audit failures were after years of development of accounting principles and overview of various accounting committees. I am not questioning the value of such oversight, just that the market is not as efficient as hoped. If financial risk can be hidden (which is possibly more detectable with a money trail), I can only assume that threat risk can be manipulated.
With any of our choices, we are trying to promote awareness and behavior. I am never sure which of our choices is most likely for a person to act for the behavior of the greater good instead of their own self interest. The economist Milton Friedman ascribed unanimity as "the political principle that underlies the market mechanism....There is only one social responsibility of business-- to use its resources and engage in activities designed to increase its profits so long as it stays within the rules of the game, which is to say, engages in open and free competition without deception or fraud." (Friedman 1970, p. 6). If I apply Friedman's concepts, it would seem that businesses would mitigate risks with an economic impact of severe consequence and high probability. Risks of lower consequences and probabilities could be an unnecessary expenditure of shareholder wealth. Yet, social responsibility might require the mitigation of far more risk than just high consequence and probability, especially for others that are impacted by degradation of the service. With the development of the risk management framework, there is a high dependence on adequate classification of risk for severity and probability. I am not sure how far market forces alone drive us to a common understanding of risk, a willingness to disclose risk, and then adequately prepare for risk. I feel that we miss the point about resiliency when we don't look at the economic environment as a whole.
I agree that there are network effects that cause businesses to sub-optimize their risk reduction strategy relative to the general social good. The relief for that effect is transparency and competition. Why? Because customers can also take part in the risk reduction. Going back to my example, I found that Time-Warner Cable (TWC) did not think it worthwhile to have power back up for their telephone service. This was contrary to their assertions when they sold me the service. First of all, laws enforcing transparency would have helped me make a different/better decision. Second, as a consumer, I am now making plans to shift my local telephone service back to twisted pair from AT&T. If that system suffers an outage, but not TWC, I still have communications back up. I can Skype for telephone, if necessary, and my cell system is also a back up. By truly understanding my own risks, I build the redundancy myself. My complaint about much of the provisioning of critical infrastructure is that we are overly dependent on a regulated utility model. The lack of choice, combined with slow response times of government bureaucracy, combine to limit end user participation in risk reduction. Ultimately, there is no utopia, no perfect solution, but competition and transparency come as close as we can get. I also liked seeing that I wasn't the only member of the federal work force familiar with Friedman.
Reference: Friedman, Milton. (September 13, 1970). "The Social Responsibility of Business is to Increase its Profits." The New York Times Magazine. New York, NY.