Traditional IT cyber-security risk management methods are based on the evaluation of risks calculated as the likelihood of cyber-security incidents occurring. However, these probabilities are usually estimations or guesses based on past experience and incomplete data. Incorrect estimations can lead to errors in the evaluation of risks that can ultimately affect the protection of the system. This issue is also transferred to methods used in Industrial Control Systems (ICSs), as they are mainly adaptations of such traditional approaches. Additionally, conventional methods fail to adequately address the increasing threat environment and the highly interdependent critical nature of ICSs, while proposed methods by the research community are as yet far from providing a solution. The importance of securely managing ICS infrastructures is growing, as they are systems embedded in critical national infrastructure (e.g. city traffic lights controls) and thus a potentially attractive target for organized cyber-criminals and terrorists. In this Chapter we present a novel approach that combines Stafford Beer's Viable System Model (VSM) with Game Theory in order to develop a risk management process that addresses the above issues. The model we develop provides a holistic, cost-efficient cyber-security solution that takes into account interdependencies of critical components as well as the potential impact of different attack strategies.
IOS Press, Inc.
6751 Tepper Drive
Clifton, VA 20124
Tel.: +1 703 830 6300
Fax: +1 703 830 2300 firstname.lastname@example.org
(Corporate matters and books only) IOS Press c/o Accucoms US, Inc.
For North America Sales and Customer Service
West Point Commons
Lansdale PA 19446
Tel.: +1 866 855 8967
Fax: +1 215 660 5042 email@example.com