“So if Mr Blue Head here clicks the link...” Risk Thinking in Cyber Security Decision Making

Shreeve, Ben; Hallett, Joseph; Edwards, Matthew; Anthonysamy, Pauline; Frey, Sylvain; Rashid, Awais

doi:10.1145/3419101

Cited by 6 publications

(5 citation statements)

References 36 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Risk management: Between calculation and anticipation. Understanding risk management in critical infrastructures is a multifaceted issue of both qualitative and quantitative nature (Shreeve et al 2020). Despite the rise of rule-based and probabilistic risk methodologies, for example, attack trees, attribute-based algorithms (Tatam et al, 2021), security risk is 'incalculable' since there are limits of what could be inferred from scientific data (Amoore, 2014: 424).…”

Section: Theoretical Frameworkmentioning

confidence: 99%

“…Previous risk studies embedded in the critical infrastructure context highlighted that risk assessments are collaborative processes, rather than a matter of following a formal methodology (Frey et al, 2019;Shreeve et al, 2020). In doing so, they challenge the trope of 'security expertise' being solely a technical and individual matter.…”

Section: Theoretical Frameworkmentioning

confidence: 99%

“…weaknesses in computer systems) are thought about most commonly, and assets (i.e. equipment, documents, employees) least often, leading to an over-reliance on vulnerabilities-centred threat assessments (Shreeve et al 2020). Moreover, risk thinking is 'front-loaded,' as practitioners tend to think about risk in the beginning of the decision-making process, rather than systematically throughout the lifecycle of OT systems (Shreeve et al, 2020).…”

Section: Theoretical Frameworkmentioning

confidence: 99%

“…equipment, documents, employees) least often, leading to an over-reliance on vulnerabilities-centred threat assessments (Shreeve et al 2020). Moreover, risk thinking is 'front-loaded,' as practitioners tend to think about risk in the beginning of the decision-making process, rather than systematically throughout the lifecycle of OT systems (Shreeve et al, 2020). Meanwhile, as threats in cybersecurity evolve over time, risk management ought to be iterative and regularly updated (Ani et al, 2016;Frey et al, 2019).…”

Section: Theoretical Frameworkmentioning

confidence: 99%

See 3 more Smart Citations

When the future meets the past: Can safety and cyber security coexist in modern critical infrastructures?

2022

Self Cite

View full text Add to dashboard Cite

Big data technologies are entering the world of ageing computer systems running critical infrastructures. These innovations promise to afford rapid Internet connectivity, remote operations or predictive maintenance. As legacy critical infrastructures were traditionally disconnected from the Internet, the prospect of their modernisation necessitates an inquiry into cyber security and how it intersects with traditional engineering requirements like safety, reliability or resilience. Looking at how the adoption of big data technologies in critical infrastructures shapes understandings of risk management, we focus on a specific case study from the cyber security governance: the EU Network and Information Systems Security Directive. We argue that the implementation of Network and Information Systems Security Directive is the first step in the integration of safety and security through novel risk management practices. Therefore, it is the move towards legitimising the modernisation of critical infrastructures. But we also show that security risk management practices cannot be directly transplanted from the safety realm, as cyber security is grounded in anticipation of the future adversarial behaviours rather than the history of equipment failure rates. Our analysis offers several postulates for the emerging research agenda on big data in complex engineering systems. Building on the conceptualisations of safety and security grounded in the materialist literature across Science and Technology Studies and Organisational Sociology, we call for a better understanding of the ‘making of’ technologies, standardisation processes and engineering knowledge in a quest to build safe and secure critical infrastructures.

show abstract

Section: Theoretical Frameworkmentioning

confidence: 99%

Section: Theoretical Frameworkmentioning

confidence: 99%

Section: Theoretical Frameworkmentioning

confidence: 99%

Section: Theoretical Frameworkmentioning

confidence: 99%

See 2 more Smart Citations

When the future meets the past: Can safety and cyber security coexist in modern critical infrastructures?

2022

Self Cite

View full text Add to dashboard Cite

show abstract

“…Further expanding these concerns, researchers have examined how applicable the established concepts of safety, reliability, and resilience are to the quick growing cyber security realm [17]. Other investigations have been performed to clearly outline the need for "decision-making actors" to be security experts due to the complexity of risk decision making [24], and some focus on how the mathematics and politics of risk clash in the realm of cyber security [2]. Work has been done by [38] to establish a meaningful monetary metric behind a risk-based approach for network architecture security modeling and design.…”

Section: Introductionmentioning

confidence: 99%

A framework for evaluating security risk in system design

Wortman

Chandy

2022

Discov Internet Things

View full text Add to dashboard Cite

Design and development of ubiquitous computer network systems has become increasingly difficult as technology continues to grow. From the introduction of new technologies to the discovery of existing threats, weaknesses, and vulnerabilities there is a constantly changing landscape of potential risks and rewards. The cyber security community, and industry at large, is learning to account for these increasing threats by including protections and mitigations from the beginning of the design V process. However, issues still come from limitations in time for thoroughly exploring a potential design space and the knowledge base required to easily account for potential vulnerabilities in each. To address this problem we propose the G-T-S framework, which is an automated tool that allows a user to provide a set of inputs relating to the desired design space and returns a monetary security risk evaluation of each. This methodology first generates a series of potential designs, then dissects their contents to associate possible vulnerabilities to device elements, and finally evaluates the security risk poised to a central asset of importance. We exemplify the tools, provide methodologies for required background research, and discuss the results in evaluating a series of IoT Home models using the GTS framework. Through implementation of our framework we simplify the information an individual will require to begin the design process, lower the bar for entry to perform evaluating security risk, and present the risk as an easily understood monetary metric.

show abstract

Executive decision-makers: a scenario-based approach to assessing organizational cyber-risk perception

Parkin,

Kuhn,

Shaikh

2023

Journal of Cybersecurity

View full text Add to dashboard Cite

The executive leadership in corporate organizations is increasingly challenged with managing cyber-risks, as an important part of wider business risk management. Cyber-risks are complex, with the threat landscape evolving, including digital infrastructure issues such as trust in networked supply chains, and emerging technologies. Moreover, engaging organizational leadership to assess for risk management is also difficult. This paper reports on a scenario-driven, workshop-based study undertaken with executive leadership to assess for cybersecurity and cyber-risk perception related to preparation for, and response to, potential incidents. The study involves leadership members at a large public–private organization. Our approach utilizes scenarios, which are structured in their design to explore and analyse aspects of business risk, risk ownership, technological complexity, and uncertainty faced by an organizational leadership. The method offers a means to engage with leadership at real-world organizations, capturing capacity and insights to manage business risks due to cyberattacks.

show abstract

“So if Mr Blue Head here clicks the link...” Risk Thinking in Cyber Security Decision Making

Cited by 6 publications

References 36 publications

When the future meets the past: Can safety and cyber security coexist in modern critical infrastructures?

When the future meets the past: Can safety and cyber security coexist in modern critical infrastructures?

A framework for evaluating security risk in system design

Executive decision-makers: a scenario-based approach to assessing organizational cyber-risk perception

Contact Info

Product

Resources

About