A cyber incident in a large, complex industrial control system can have serious consequences, and all security technologies have limitations. This means we can always be more secure, or less. How then, should we evaluate security funding requests for industrial sites? How do we know how much is enough?
Read more >
The abstract, qualitative models that most of us use for cyber threats are poorly understood by business decision-makers, and are not easily compared to risk models for threats such as earthquakes and flu pandemics. We could force-fit cyber risks into more conventional models by "making up" numbers for the probability of serious incidents, but "made up" numbers yield poor business decisions.
Most business leaders though, do understand cyber attack scenarios and their consequences, and find them much more useful than qualitative models or "made-up" probabilities. To communicate industrial cyber risks effectively, an assessment process should distill complex risk information into a small, representative set of high-consequence attack scenarios. Business decision-makers can then "draw a line" through the set, selecting which combinations of attacks, consequences and risks to accept, and which to mitigate or transfer.
Join us to explore using attack scenarios to communicate risks, consequences, and costs to business decision-makers.