Home > Research > Publications & Outputs > Analysis of affordance, time and adaptation in ...

Electronic data

  • RA_00366_2015_R2_accepted_version

    Rights statement: This is the peer reviewed version of the following article: Busby, J. S., Green, B. and Hutchison, D. (2017), Analysis of Affordance, Time, and Adaptation in the Assessment of Industrial Control System Cybersecurity Risk. Risk Analysis, 37: 1298–1314. doi:10.1111/risa.12681 which has been published in final form at http://onlinelibrary.wiley.com/doi/10.1111/risa.12681/abstract This article may be used for non-commercial purposes in accordance With Wiley Terms and Conditions for self-archiving.

    Accepted author manuscript, 270 KB, PDF document

    Available under license: CC BY-NC: Creative Commons Attribution-NonCommercial 4.0 International License

Links

Text available via DOI:

View graph of relations

Analysis of affordance, time and adaptation in the assessment of industrial control system cybersecurity risk

Research output: Contribution to Journal/MagazineJournal articlepeer-review

Published
<mark>Journal publication date</mark>07/2017
<mark>Journal</mark>Risk Analysis
Issue number7
Volume37
Number of pages17
Pages (from-to)1298-1314
Publication StatusPublished
Early online date17/01/17
<mark>Original language</mark>English

Abstract

Industrial control systems increasingly use standard communication protocols and are increasingly connected to public networks—creating substantial cybersecurity risks, especially when used in critical infrastructures such as electricity and water distribution systems. Methods of assessing risk in such systems have recognized for some time the way in which the strategies of potential adversaries and risk managers interact in defining the risk to which such systems are exposed. But it is also important to consider the adaptations of the systems’ operators and other legitimate users to risk controls, adaptations that often appear to undermine these controls, or shift the risk from one part of a system to another. Unlike the case with adversarial risk analysis, the adaptations of system users are typically orthogonal to the objective of minimizing or maximizing risk in the system. We argue that this need to analyze potential adaptations to risk controls is true for risk problems more generally, and we develop a framework for incorporating such adaptations into an assessment process. The method is based on the principle of affordances, and we show how this can be incorporated in an iterative procedure based on raising the minimum period of risk materialization above some threshold. We apply the method in a case study of a small European utility provider and discuss the observations arising from this.

Bibliographic note

This is the peer reviewed version of the following article: Busby, J. S., Green, B. and Hutchison, D. (2017), Analysis of Affordance, Time, and Adaptation in the Assessment of Industrial Control System Cybersecurity Risk. Risk Analysis, 37: 1298–1314. doi:10.1111/risa.12681 which has been published in final form at http://onlinelibrary.wiley.com/doi/10.1111/risa.12681/abstract This article may be used for non-commercial purposes in accordance With Wiley Terms and Conditions for self-archiving.