Analysis of affordance, time and adaptation in the assessment of industrial control system cybersecurity risk

Busby, Jeremy Simon and Green, Benjamin and Hutchison, David (2017) Analysis of affordance, time and adaptation in the assessment of industrial control system cybersecurity risk. Risk Analysis, 37 (7). pp. 1298-1314. ISSN 0272-4332

[thumbnail of RA_00366_2015_R2_accepted_version]
PDF (RA_00366_2015_R2_accepted_version)
RA_00366_2015_R2_accepted_version.pdf - Accepted Version
Available under License Creative Commons Attribution-NonCommercial.

Download (276kB)


Industrial control systems increasingly use standard communication protocols and are increasingly connected to public networks—creating substantial cybersecurity risks, especially when used in critical infrastructures such as electricity and water distribution systems. Methods of assessing risk in such systems have recognized for some time the way in which the strategies of potential adversaries and risk managers interact in defining the risk to which such systems are exposed. But it is also important to consider the adaptations of the systems’ operators and other legitimate users to risk controls, adaptations that often appear to undermine these controls, or shift the risk from one part of a system to another. Unlike the case with adversarial risk analysis, the adaptations of system users are typically orthogonal to the objective of minimizing or maximizing risk in the system. We argue that this need to analyze potential adaptations to risk controls is true for risk problems more generally, and we develop a framework for incorporating such adaptations into an assessment process. The method is based on the principle of affordances, and we show how this can be incorporated in an iterative procedure based on raising the minimum period of risk materialization above some threshold. We apply the method in a case study of a small European utility provider and discuss the observations arising from this.

Item Type:
Journal Article
Journal or Publication Title:
Risk Analysis
Additional Information:
This is the peer reviewed version of the following article: Busby, J. S., Green, B. and Hutchison, D. (2017), Analysis of Affordance, Time, and Adaptation in the Assessment of Industrial Control System Cybersecurity Risk. Risk Analysis, 37: 1298–1314. doi:10.1111/risa.12681 which has been published in final form at This article may be used for non-commercial purposes in accordance With Wiley Terms and Conditions for self-archiving.
Uncontrolled Keywords:
?? physiology (medical)safety, risk, reliability and quality ??
ID Code:
Deposited By:
Deposited On:
03 Aug 2016 10:04
Last Modified:
26 Apr 2024 02:08