IDEAS home Printed from https://ideas.repec.org/a/wly/riskan/v37y2017i7p1298-1314.html
   My bibliography  Save this article

Analysis of Affordance, Time, and Adaptation in the Assessment of Industrial Control System Cybersecurity Risk

Author

Listed:
  • J. S. Busby
  • B. Green
  • D. Hutchison

Abstract

Industrial control systems increasingly use standard communication protocols and are increasingly connected to public networks—creating substantial cybersecurity risks, especially when used in critical infrastructures such as electricity and water distribution systems. Methods of assessing risk in such systems have recognized for some time the way in which the strategies of potential adversaries and risk managers interact in defining the risk to which such systems are exposed. But it is also important to consider the adaptations of the systems’ operators and other legitimate users to risk controls, adaptations that often appear to undermine these controls, or shift the risk from one part of a system to another. Unlike the case with adversarial risk analysis, the adaptations of system users are typically orthogonal to the objective of minimizing or maximizing risk in the system. We argue that this need to analyze potential adaptations to risk controls is true for risk problems more generally, and we develop a framework for incorporating such adaptations into an assessment process. The method is based on the principle of affordances, and we show how this can be incorporated in an iterative procedure based on raising the minimum period of risk materialization above some threshold. We apply the method in a case study of a small European utility provider and discuss the observations arising from this.

Suggested Citation

  • J. S. Busby & B. Green & D. Hutchison, 2017. "Analysis of Affordance, Time, and Adaptation in the Assessment of Industrial Control System Cybersecurity Risk," Risk Analysis, John Wiley & Sons, vol. 37(7), pages 1298-1314, July.
    • Handle: RePEc:wly:riskan:v:37:y:2017:i:7:p:1298-1314
    DOI: 10.1111/risa.12681
    as

    Download full text from publisher

    File URL: https://doi.org/10.1111/risa.12681
    Download Restriction: no
    File URL: https://libkey.io/10.1111/risa.12681?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    References listed on IDEAS

    as
    1. Gerald G. Brown & Louis Anthony (Tony) Cox, Jr., 2011. "How Probabilistic Risk Assessment Can Mislead Terrorism Risk Analysts," Risk Analysis, John Wiley & Sons, vol. 31(2), pages 196-204, February.
    2. Yan, Zhenyu & Haimes, Yacov Y., 2010. "Cross-classified hierarchical Bayesian models for risk-based analysis of complex systems under sparse data," Reliability Engineering and System Safety, Elsevier, vol. 95(7), pages 764-776.
    3. Vicki M. Bier, 2007. "Choosing What to Protect," Risk Analysis, John Wiley & Sons, vol. 27(3), pages 607-620, June.
    4. John E. Kobza & Sheldon H. Jacobson, 1996. "Addressing the Dependency Problem in Access Security System Architecture Design," Risk Analysis, John Wiley & Sons, vol. 16(6), pages 801-812, December.
    5. Casey Rothschild & Laura McLay & Seth Guikema, 2012. "Adversarial Risk Analysis with Incomplete Information: A Level‐k Approach," Risk Analysis, John Wiley & Sons, vol. 32(7), pages 1219-1231, July.
    6. J. S. Busby & S. A. Bennett, 2007. "Loss of Defensive Capacity in Protective Operations: The Implications of the Überlingen and Linate Disasters," Journal of Risk Research, Taylor & Francis Journals, vol. 10(1), pages 3-27, January.
    7. Stephanie E. Chang & Timothy McDaniels & Jana Fox & Rajan Dhariwal & Holly Longstaff, 2014. "Toward Disaster‐Resilient Cities: Characterizing Resilience of Infrastructure Systems with Expert Judgments," Risk Analysis, John Wiley & Sons, vol. 34(3), pages 416-434, March.
    8. Samrat Chatterjee & Stephen C. Hora & Heather Rosoff, 2015. "Portfolio Analysis of Layered Security Measures," Risk Analysis, John Wiley & Sons, vol. 35(3), pages 459-475, March.
    9. Kim Kaivanto, 2014. "The Effect of Decentralized Behavioral Decision Making on System‐Level Risk," Risk Analysis, John Wiley & Sons, vol. 34(12), pages 2121-2142, December.
    10. Matthew H. Henry & Yacov Y. Haimes, 2009. "A Comprehensive Network Security Risk Model for Process Control Networks," Risk Analysis, John Wiley & Sons, vol. 29(2), pages 223-248, February.
    11. J.S. Busby & R.E. Alcock & B.H. MacGillivray, 2012. "Types of risk transformation: a case study," Journal of Risk Research, Taylor & Francis Journals, vol. 15(1), pages 67-84, January.
    12. Jason Merrick & Gregory S. Parnell, 2011. "A Comparative Analysis of PRA and Intelligent Adversary Methods for Counterterrorism Risk Management," Risk Analysis, John Wiley & Sons, vol. 31(9), pages 1488-1510, September.
    13. William L. McGill & Bilal M. Ayyub & Mark Kaminskiy, 2007. "Risk Analysis for Critical Asset Protection," Risk Analysis, John Wiley & Sons, vol. 27(5), pages 1265-1281, October.
    14. Raghvendra V. Cowlagi & Joseph H. Saleh, 2013. "Coordinability and Consistency in Accident Causation and Prevention: Formal System Theoretic Concepts for Safety in Multilevel Systems," Risk Analysis, John Wiley & Sons, vol. 33(3), pages 420-433, March.
    15. Abdollah Shafieezadeh & Eun J. Cha & Bruce R. Ellingwood, 2015. "A Decision Framework for Managing Risk to Airports from Terrorist Attack," Risk Analysis, John Wiley & Sons, vol. 35(2), pages 292-306, February.
    16. Adam Rose & Gbadebo Oladosu & Shu‐Yi Liao, 2007. "Business Interruption Impacts of a Terrorist Attack on the Electric Power System of Los Angeles: Customer Resilience to a Total Blackout," Risk Analysis, John Wiley & Sons, vol. 27(3), pages 513-531, June.
    17. Pasman, H.J. & Knegtering, B. & Rogers, W.J., 2013. "A holistic approach to control process safety risks: Possible ways forward," Reliability Engineering and System Safety, Elsevier, vol. 117(C), pages 21-29.
    18. M.‐Elisabeth Paté‐Cornell & Peter J. Regan, 1998. "Dynamic Risk Management Systems: Hybrid Architecture and Offshore Platform Illustration," Risk Analysis, John Wiley & Sons, vol. 18(4), pages 485-496, August.
    19. Stefän Einarsson & Marvin Rausand, 1998. "An Approach to Vulnerability Analysis of Complex Industrial Systems," Risk Analysis, John Wiley & Sons, vol. 18(5), pages 535-546, October.
    20. Ginger Davis & Alfredo Garcia & Weide Zhang, 2009. "Empirical Analysis of the Effects of Cyber Security Incidents," Risk Analysis, John Wiley & Sons, vol. 29(9), pages 1304-1316, September.
    21. Geoffrey Heal & Howard Kunreuther, 2007. "Modeling Interdependent Risks," Risk Analysis, John Wiley & Sons, vol. 27(3), pages 621-634, June.
    22. Achint Rastogi & Hossam A. Gabbar, 2013. "Fuzzy‐Logic‐Based Safety Verification Framework for Nuclear Power Plants," Risk Analysis, John Wiley & Sons, vol. 33(6), pages 1128-1145, June.
    23. Henry, Matthew H. & Layer, Ryan M. & Zaret, David R., 2010. "Coupled Petri nets for computer network risk analysis," International Journal of Critical Infrastructure Protection, Elsevier, vol. 3(2), pages 67-75.
    24. Nan, Cen & Eusgeld, Irene & Kröger, Wolfgang, 2013. "Analyzing vulnerabilities between SCADA system and SUC due to interdependencies," Reliability Engineering and System Safety, Elsevier, vol. 113(C), pages 76-93.
    25. Garthwaite, Paul H. & Kadane, Joseph B. & O'Hagan, Anthony, 2005. "Statistical Methods for Eliciting Probability Distributions," Journal of the American Statistical Association, American Statistical Association, vol. 100, pages 680-701, June.
    26. Insua, Insua Rios & Rios, Jesus & Banks, David, 2009. "Adversarial Risk Analysis," Journal of the American Statistical Association, American Statistical Association, vol. 104(486), pages 841-854.
    27. Jun Long & Baruch Fischhoff, 2000. "Setting Risk Priorities: A Formal Model," Risk Analysis, John Wiley & Sons, vol. 20(3), pages 339-352, June.
    28. Emily M. Zechman, 2011. "Agent‐Based Modeling to Simulate Contamination Events and Evaluate Threat Management Strategies in Water Distribution Systems," Risk Analysis, John Wiley & Sons, vol. 31(5), pages 758-772, May.
    29. Podofillini, L. & Dang, V.N., 2012. "Conventional and dynamic safety analysis: Comparison on a chemical batch reactor," Reliability Engineering and System Safety, Elsevier, vol. 106(C), pages 146-159.
    Full references (including those not matched with items on IDEAS)

    Citations

    Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.
    as


    Cited by:

    1. Wei Wang & Francesco Di Maio & Enrico Zio, 2019. "Adversarial Risk Analysis to Allocate Optimal Defense Resources for Protecting Cyber–Physical Systems from Cyber Attacks," Risk Analysis, John Wiley & Sons, vol. 39(12), pages 2766-2785, December.
    2. Natalie M. Scala & Allison C. Reilly & Paul L. Goethals & Michel Cukier, 2019. "Risk and the Five Hard Problems of Cybersecurity," Risk Analysis, John Wiley & Sons, vol. 39(10), pages 2119-2126, October.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Luca Allodi & Fabio Massacci, 2017. "Security Events and Vulnerability Data for Cybersecurity Risk Estimation," Risk Analysis, John Wiley & Sons, vol. 37(8), pages 1606-1627, August.
    2. Mohammad E. Nikoofal & Mehmet Gümüs, 2015. "On the value of terrorist’s private information in a government’s defensive resource allocation problem," IISE Transactions, Taylor & Francis Journals, vol. 47(6), pages 533-555, June.
    3. Christoph Werner & Tim Bedford & John Quigley, 2018. "Sequential Refined Partitioning for Probabilistic Dependence Assessment," Risk Analysis, John Wiley & Sons, vol. 38(12), pages 2683-2702, December.
    4. Dogucan Mazicioglu & Jason R. W. Merrick, 2018. "Behavioral Modeling of Adversaries with Multiple Objectives in Counterterrorism," Risk Analysis, John Wiley & Sons, vol. 38(5), pages 962-977, May.
    5. Natalie M. Scala & Allison C. Reilly & Paul L. Goethals & Michel Cukier, 2019. "Risk and the Five Hard Problems of Cybersecurity," Risk Analysis, John Wiley & Sons, vol. 39(10), pages 2119-2126, October.
    6. Gabriel Kuper & Fabio Massacci & Woohyun Shim & Julian Williams, 2020. "Who Should Pay for Interdependent Risk? Policy Implications for Security Interdependence Among Airports," Risk Analysis, John Wiley & Sons, vol. 40(5), pages 1001-1019, May.
    7. William M. Kroshl & Shahram Sarkani & Thomas A Mazzuchi, 2015. "Efficient Allocation of Resources for Defense of Spatially Distributed Networks Using Agent‐Based Simulation," Risk Analysis, John Wiley & Sons, vol. 35(9), pages 1690-1705, September.
    8. David L. Alderson & Gerald G. Brown & W. Matthew Carlyle, 2015. "Operational Models of Infrastructure Resilience," Risk Analysis, John Wiley & Sons, vol. 35(4), pages 562-586, April.
    9. E. S. Levine, 2012. "Estimating Conditional Probabilities of Terrorist Attacks: Modeling Adversaries with Uncertain Value Tradeoffs," Risk Analysis, John Wiley & Sons, vol. 32(2), pages 294-303, February.
    10. Stefan Rass & Sandra König & Stefan Schauer, 2017. "Defending Against Advanced Persistent Threats Using Game-Theory," PLOS ONE, Public Library of Science, vol. 12(1), pages 1-43, January.
    11. M. Elisabeth Paté-Cornell, 2012. "Games, Risks, and Analytics: Several Illustrative Cases Involving National Security and Management Situations," Decision Analysis, INFORMS, vol. 9(2), pages 186-203, June.
    12. R. Piccinelli & G. Sansavini & R. Lucchetti & E. Zio, 2017. "A General Framework for the Assessment of Power System Vulnerability to Malicious Attacks," Risk Analysis, John Wiley & Sons, vol. 37(11), pages 2182-2190, November.
    13. Wang, Jia & Ni, Shunjiang & Shen, Shifei & Li, Shuying, 2019. "Empirical study of crowd dynamic in public gathering places during a terrorist attack event," Physica A: Statistical Mechanics and its Applications, Elsevier, vol. 523(C), pages 1-9.
    14. Michael Macgregor Perry & Hadi El-Amine, 2021. "Computational Efficiency in Multivariate Adversarial Risk Analysis Models," Papers 2110.12572, arXiv.org.
    15. Michael Greenberg & Charles Haas & Anthony Cox & Karen Lowrie & Katherine McComas & Warner North, 2012. "Ten Most Important Accomplishments in Risk Analysis, 1980–2010," Risk Analysis, John Wiley & Sons, vol. 32(5), pages 771-781, May.
    16. David Rios Insua & David Banks & Jesus Rios, 2016. "Modeling Opponents in Adversarial Risk Analysis," Risk Analysis, John Wiley & Sons, vol. 36(4), pages 742-755, April.
    17. Juan Carlos Sevillano & David Rios Insua & Jesus Rios, 2012. "Adversarial Risk Analysis: The Somali Pirates Case," Decision Analysis, INFORMS, vol. 9(2), pages 86-95, June.
    18. Misuri, Alessio & Khakzad, Nima & Reniers, Genserik & Cozzani, Valerio, 2019. "A Bayesian network methodology for optimal security management of critical infrastructures," Reliability Engineering and System Safety, Elsevier, vol. 191(C).
    19. Linn Svegrup & Jonas Johansson & Henrik Hassel, 2019. "Integration of Critical Infrastructure and Societal Consequence Models: Impact on Swedish Power System Mitigation Decisions," Risk Analysis, John Wiley & Sons, vol. 39(9), pages 1970-1996, September.
    20. Vineet M. Payyappalli & Jun Zhuang & Victor Richmond R. Jose, 2017. "Deterrence and Risk Preferences in Sequential Attacker–Defender Games with Continuous Efforts," Risk Analysis, John Wiley & Sons, vol. 37(11), pages 2229-2245, November.

    More about this item

    Statistics

    Access and download statistics

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:wly:riskan:v:37:y:2017:i:7:p:1298-1314. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Wiley Content Delivery (email available below). General contact details of provider: https://doi.org/10.1111/(ISSN)1539-6924 .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.