Parallel Sessions, 15:30 - 16:30, Room #2. Chair: Jerry Busby
Organizational vulnerability and cybersecurity risk to industrial control systems: developing a systematic attentional framework
Alberto Zanutto 1, Sylvain Frey 1, Karolina Follis 3, Awais Rashid 1, Jerry Busby 2
1 School of Computing and Communications, Lancaster University, LA1 4WA, Lancaster, United Kingdom
2 Department of Management Science, Lancaster University, LA1 4YX, Lancaster, United Kingdom
3 Department of Politics, Philosophy and Religion, Lancaster University, LA1 4YL, Lancaster, United Kingdom

The risks arising from threats to the cybersecurity of industrial control systems (ICSs) are receiving increasing recognition. Most of the concern has been technical, dealing for example with the interpretation of network traffic and the detection of intrusions. Our concern is with the vulnerabilities that organizations create, and how signals of these vulnerabilities can be obtained in a systematic way. The study is based on a series of unstructured interviews with key informants, ranging from academics through consultants to security managers. These interviews were analysed qualitatively to identify the informants’ discursive models – the theories and representations of organizational vulnerability to ICS cyberattacks constructed in their responses. These were then used to identify specific signals of vulnerability, which were grouped into categories.

The results of this analysis indicated that the largest category of signals was ‘attentional’: they concerned biases, gaps and limitations in processes of organizational attention. These included, for example, a bias towards physical security and away from cybersecurity, and a bias towards denying insecurities to avoid embarrassment. An attempt was then made to identify the heuristics that produced such biases, and this showed how readily vulnerabilities in attention could be ascribed to simple, general rules that were functional in an organizational setting. The results also showed that the informants regarded organizational vulnerability as consisting of stable characteristics, not transient events. The focus should thus be on what is normal, in contrast to the typical technical focus on what is anomalous. This normality of vulnerability is similar to Vaughan’s ideas about ‘normalised deviance’, and suggests that vulnerability often goes unnoticed.

We propose a framework for systematically directing an organization’s attention to its vulnerabilities, using the signals identified from the key informants’ interviews. Each of the signals individually constitutes what has been characterized in the literature as a ‘weak signal’, but in combination these signals are likely to be better indicators, both of the overall level of organizational vulnerability and of its profile: the relative levels of different kinds of vulnerability. We suggest that a formal signal detection theory approach could be adopted to deal with these signals, but that it is hard to describe the vulnerability problem as a binary classification, and therefore that a proportionate response framework would be more suitable. We also draw conclusions about the links between vulnerabilities in organizational attention to security and ideas about collective mindfulness in the High Reliability Organizations literature.
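To make the last paragraph concrete, here is an added illustration (not code from the authors or the study) of how weak signals can be aggregated into an overall vulnerability level and a per-category profile, and then mapped to a graded response instead of a binary vulnerable/not-vulnerable verdict. The signal catalogue is constructed: the ‘attentional’ category and its first two signals follow the abstract, while the other categories, signal wordings, weights and response tiers are assumptions made for this example.

```python
"""Aggregate weak organizational-vulnerability signals into a level, a profile
and a proportionate (graded) response.  Illustrative example only; the signal
catalogue and tier boundaries below are constructed, not taken from the study."""
from collections import defaultdict

# Constructed catalogue of weak signals grouped by category.  "attentional" and
# its first two entries follow the abstract; everything else is an assumption.
SIGNAL_CATALOGUE = {
    "attentional": [
        "bias towards physical security over cybersecurity",
        "denial of insecurities to avoid embarrassment",
        "no named owner for ICS security reviews",
    ],
    "structural": [
        "IT and OT teams share no forum for security decisions",
        "vendor remote access to ICS not inventoried",
    ],
    "procedural": [
        "change control skipped for 'minor' PLC logic edits",
        "incident reports filed only for physical events",
    ],
}

# Graded responses: (exclusive upper bound on overall level, response).
# Tier boundaries are assumptions chosen for illustration.
RESPONSE_TIERS = [
    (0.25, "monitor"),
    (0.50, "review"),
    (0.75, "remediate"),
    (1.01, "escalate"),
]

# Constructed observation: two attentional signals plus one structural signal.
OBSERVED_SAMPLE = [
    "bias towards physical security over cybersecurity",
    "denial of insecurities to avoid embarrassment",
    "vendor remote access to ICS not inventoried",
    "denial of insecurities to avoid embarrassment",  # duplicate report, counted once
]


def _signal_category(signal):
    """Look up which category a catalogued signal belongs to."""
    for category, signals in SIGNAL_CATALOGUE.items():
        if signal in signals:
            return category
    raise KeyError(f"unknown signal: {signal!r}")


def vulnerability_profile(observed):
    """Fraction of catalogued signals observed, per category (the 'profile')."""
    hits = defaultdict(set)
    for signal in set(observed):
        hits[_signal_category(signal)].add(signal)
    return {cat: len(hits[cat]) / len(sigs) for cat, sigs in SIGNAL_CATALOGUE.items()}


def overall_level(observed):
    """Fraction of all catalogued signals observed (the overall 'level').

    Each signal carries equal, small weight: one signal alone stays in the
    lowest tier, which is what makes it a 'weak' signal on its own."""
    distinct = set(observed)
    for signal in distinct:
        _signal_category(signal)  # reject unknown signals early
    total = sum(len(sigs) for sigs in SIGNAL_CATALOGUE.values())
    return len(distinct) / total


def binary_verdict(observed, threshold=0.5):
    """The binary-classification view the abstract argues against: a single
    threshold on the overall level, discarding the profile."""
    return overall_level(observed) >= threshold


def proportionate_response(observed):
    """Map level and profile to a graded response plus the category to focus on."""
    level = overall_level(observed)
    profile = vulnerability_profile(observed)
    focus = max(profile, key=profile.get)  # category with the highest fraction
    for bound, response in RESPONSE_TIERS:
        if level < bound:
            return {"level": round(level, 2), "profile": profile,
                    "focus": focus, "response": response}
    raise ValueError("level outside tier table")


if __name__ == "__main__":
    print(proportionate_response(OBSERVED_SAMPLE))
    print("binary verdict:", binary_verdict(OBSERVED_SAMPLE))
```

With the constructed sample, three of seven signals are present, so the overall level is about 0.43: the binary verdict at a 0.5 threshold says "not vulnerable", while the graded scheme returns "review" with attention focused on the attentional category, where two of three signals are present. Equal weighting and the tier boundaries are deliberate simplifications; a real deployment would calibrate both against the organization's own history.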


Reference: Tu-S50-TT12-OC-001
Session: Secure and resilient communities
Presenter: Jerry Busby
Presentation type: Oral Communication
Room: Room #2
Chair: Jerry Busby
Date: Tuesday, June 20th
Time: 15:30 - 15:45
Session times: 15:30 - 16:30