Electronic data

  • RA_00366_2015_R2_accepted_version

    Rights statement: This is the peer reviewed version of the following article: Busby, J. S., Green, B. and Hutchison, D. (2017), Analysis of Affordance, Time, and Adaptation in the Assessment of Industrial Control System Cybersecurity Risk. Risk Analysis, 37: 1298–1314. doi:10.1111/risa.12681 which has been published in final form at http://onlinelibrary.wiley.com/doi/10.1111/risa.12681/abstract This article may be used for non-commercial purposes in accordance with Wiley Terms and Conditions for self-archiving.

    Accepted author manuscript, 270 KB, PDF document

    Available under license: CC BY-NC: Creative Commons Attribution-NonCommercial 4.0 International License

Analysis of affordance, time and adaptation in the assessment of industrial control system cybersecurity risk

Research output: Contribution to Journal/Magazine › Journal article › peer-review

Published

Standard

Analysis of affordance, time and adaptation in the assessment of industrial control system cybersecurity risk. / Busby, Jeremy Simon; Green, Benjamin; Hutchison, David.
In: Risk Analysis, Vol. 37, No. 7, 07.2017, p. 1298-1314.

Vancouver

Busby JS, Green B, Hutchison D. Analysis of affordance, time and adaptation in the assessment of industrial control system cybersecurity risk. Risk Analysis. 2017 Jul;37(7):1298-1314. Epub 2017 Jan 17. doi: 10.1111/risa.12681

Bibtex

@article{7792eb2babc04516b6acdb89ae6d2892,
title = "Analysis of affordance, time and adaptation in the assessment of industrial control system cybersecurity risk",
abstract = "Industrial control systems increasingly use standard communication protocols and are increasingly connected to public networks—creating substantial cybersecurity risks, especially when used in critical infrastructures such as electricity and water distribution systems. Methods of assessing risk in such systems have recognized for some time the way in which the strategies of potential adversaries and risk managers interact in defining the risk to which such systems are exposed. But it is also important to consider the adaptations of the systems{\textquoteright} operators and other legitimate users to risk controls, adaptations that often appear to undermine these controls, or shift the risk from one part of a system to another. Unlike the case with adversarial risk analysis, the adaptations of system users are typically orthogonal to the objective of minimizing or maximizing risk in the system. We argue that this need to analyze potential adaptations to risk controls is true for risk problems more generally, and we develop a framework for incorporating such adaptations into an assessment process. The method is based on the principle of affordances, and we show how this can be incorporated in an iterative procedure based on raising the minimum period of risk materialization above some threshold. We apply the method in a case study of a small European utility provider and discuss the observations arising from this.",
author = "Busby, {Jeremy Simon} and Benjamin Green and David Hutchison",
note = "This is the peer reviewed version of the following article: Busby, J. S., Green, B. and Hutchison, D. (2017), Analysis of Affordance, Time, and Adaptation in the Assessment of Industrial Control System Cybersecurity Risk. Risk Analysis, 37: 1298–1314. doi:10.1111/risa.12681 which has been published in final form at http://onlinelibrary.wiley.com/doi/10.1111/risa.12681/abstract This article may be used for non-commercial purposes in accordance With Wiley Terms and Conditions for self-archiving.",
year = "2017",
month = jul,
doi = "10.1111/risa.12681",
language = "English",
volume = "37",
pages = "1298--1314",
journal = "Risk Analysis",
issn = "0272-4332",
publisher = "Wiley",
number = "7",

}

RIS

TY - JOUR

T1 - Analysis of affordance, time and adaptation in the assessment of industrial control system cybersecurity risk

AU - Busby, Jeremy Simon

AU - Green, Benjamin

AU - Hutchison, David

N1 - This is the peer reviewed version of the following article: Busby, J. S., Green, B. and Hutchison, D. (2017), Analysis of Affordance, Time, and Adaptation in the Assessment of Industrial Control System Cybersecurity Risk. Risk Analysis, 37: 1298–1314. doi:10.1111/risa.12681 which has been published in final form at http://onlinelibrary.wiley.com/doi/10.1111/risa.12681/abstract This article may be used for non-commercial purposes in accordance With Wiley Terms and Conditions for self-archiving.

PY - 2017/7

Y1 - 2017/7

N2 - Industrial control systems increasingly use standard communication protocols and are increasingly connected to public networks—creating substantial cybersecurity risks, especially when used in critical infrastructures such as electricity and water distribution systems. Methods of assessing risk in such systems have recognized for some time the way in which the strategies of potential adversaries and risk managers interact in defining the risk to which such systems are exposed. But it is also important to consider the adaptations of the systems’ operators and other legitimate users to risk controls, adaptations that often appear to undermine these controls, or shift the risk from one part of a system to another. Unlike the case with adversarial risk analysis, the adaptations of system users are typically orthogonal to the objective of minimizing or maximizing risk in the system. We argue that this need to analyze potential adaptations to risk controls is true for risk problems more generally, and we develop a framework for incorporating such adaptations into an assessment process. The method is based on the principle of affordances, and we show how this can be incorporated in an iterative procedure based on raising the minimum period of risk materialization above some threshold. We apply the method in a case study of a small European utility provider and discuss the observations arising from this.

AB - Industrial control systems increasingly use standard communication protocols and are increasingly connected to public networks—creating substantial cybersecurity risks, especially when used in critical infrastructures such as electricity and water distribution systems. Methods of assessing risk in such systems have recognized for some time the way in which the strategies of potential adversaries and risk managers interact in defining the risk to which such systems are exposed. But it is also important to consider the adaptations of the systems’ operators and other legitimate users to risk controls, adaptations that often appear to undermine these controls, or shift the risk from one part of a system to another. Unlike the case with adversarial risk analysis, the adaptations of system users are typically orthogonal to the objective of minimizing or maximizing risk in the system. We argue that this need to analyze potential adaptations to risk controls is true for risk problems more generally, and we develop a framework for incorporating such adaptations into an assessment process. The method is based on the principle of affordances, and we show how this can be incorporated in an iterative procedure based on raising the minimum period of risk materialization above some threshold. We apply the method in a case study of a small European utility provider and discuss the observations arising from this.

U2 - 10.1111/risa.12681

DO - 10.1111/risa.12681

M3 - Journal article

VL - 37

SP - 1298

EP - 1314

JO - Risk Analysis

JF - Risk Analysis

SN - 0272-4332

IS - 7

ER -