Analysis of affordance, time and adaptation in the assessment of industrial control system cybersecurity risk

Busby, Jeremy Simon and Green, Benjamin and Hutchison, David (2017) Analysis of affordance, time and adaptation in the assessment of industrial control system cybersecurity risk. Risk Analysis, 37 (7). pp. 1298-1314. ISSN 0272-4332

[img]
Preview
PDF (RA_00366_2015_R2_accepted_version)
RA_00366_2015_R2_accepted_version.pdf - Accepted Version
Available under License Creative Commons Attribution-NonCommercial.

Download (276kB)

Abstract

Industrial control systems increasingly use standard communication protocols and are increasingly connected to public networks—creating substantial cybersecurity risks, especially when used in critical infrastructures such as electricity and water distribution systems. Methods of assessing risk in such systems have recognized for some time the way in which the strategies of potential adversaries and risk managers interact in defining the risk to which such systems are exposed. But it is also important to consider the adaptations of the systems’ operators and other legitimate users to risk controls, adaptations that often appear to undermine these controls, or shift the risk from one part of a system to another. Unlike the case with adversarial risk analysis, the adaptations of system users are typically orthogonal to the objective of minimizing or maximizing risk in the system. We argue that this need to analyze potential adaptations to risk controls is true for risk problems more generally, and we develop a framework for incorporating such adaptations into an assessment process. The method is based on the principle of affordances, and we show how this can be incorporated in an iterative procedure based on raising the minimum period of risk materialization above some threshold. We apply the method in a case study of a small European utility provider and discuss the observations arising from this.

Item Type:
Journal Article
Journal or Publication Title:
Risk Analysis
Additional Information:
This is the peer reviewed version of the following article: Busby, J. S., Green, B. and Hutchison, D. (2017), Analysis of Affordance, Time, and Adaptation in the Assessment of Industrial Control System Cybersecurity Risk. Risk Analysis, 37: 1298–1314. doi:10.1111/risa.12681 which has been published in final form at http://onlinelibrary.wiley.com/doi/10.1111/risa.12681/abstract This article may be used for non-commercial purposes in accordance With Wiley Terms and Conditions for self-archiving.
Uncontrolled Keywords:
/dk/atira/pure/subjectarea/asjc/2200/2213
Subjects:
ID Code:
80655
Deposited By:
Deposited On:
03 Aug 2016 10:04
Refereed?:
Yes
Published?:
Published
Last Modified:
27 Sep 2020 03:21