| dc.description.abstract | This research studies the change of information security risks during the transition toIntegrated Operations (an operation extensively utilize advanced information communicationtechnology to connect offshore facilities and onshore control centers and even vendors.) inNorsk Hydro, a Norwegian oil and gas company. The specific case for this study is a pilotplatform in transition to Integrated Operations, Brage: twenty traditional work processes areto be replaced by new work processes. The operators on the Brage platform have to build uprelevant new knowledge to work effectively with new work processes. The new workprocesses, new knowledge and their interrelationship all affect information security risks.The management of Norsk Hydro is concerned with the problem of the increasinginformation security risks, which might cause incidents with severe consequences. We lookfor policies that support a successful (smooth and fast) operation transition.System dynamics is adopted in this research to model the causal structure (mechanism) ofthe operation transition. We chose system dynamics because operation transition is a processrich in feedback, delays, nonlinearity and tradeoffs. All these features are captured by systemdynamics models. Moreover, system dynamics models can be used to simulate variousscenarios. The analyses of these scenarios can lead to insights on policy rules. Wespecifically investigate policies concerning transition speed, resource allocation during thetransition to Integrated Operations and investment rules in incident response capability.Since historical time series data about incidents and information security risks are scarce, weuse following model-based interventions to elicit structural information from our client andexperts:May 2005 First group model-building workshop Problem articulationSep 2005 Second group model-building workshop Model conceptualizationDec 2005 Model-based interview Model formulationYear 2006 Series of model-based meetings Model refinementNov 2008 Model-based interview Model validationThe Brage model was developed and validated through these model-based interventions. Theanalyses of various simulation results lead to the following policy insights: 1. Transition speed. The operation transition should be designed with a speed that allowsthe operators not only to get familiar with new work processes, but also to build up thedetailed knowledge supporting these work processes. The relevance of such knowledge,which is mostly tacit, is sometimes underrated. If the operators only know what to do,but not how to do it effectively, the benefit of the new technology (embedded in the newwork processes) will not be fully realized, and the platform will be more vulnerable toinformation security threats.2. Resource allocation. Resources (operators’ time) are needed to learn new work processesand to acquire related knowledge. Generally, the operators will first put their time intoachieving the production target. Investment on learning activities will not be prioritizedif these activities hinder reaching the production target, even if the operators know thisshort-term performance drop is the cost for obtaining long-term higher performance.Nevertheless strategic decision should never be influenced by operative goals and highlevel managements should be responsible to make decisions on whether focusing onlong-term profits and accept short-term performance drop as a trade-off.3. Investment in incident response capability. The management in Norsk Hydro is aware ofthe increasing information security risks changing from unconnected platforms tointegrated ones. However, investment in incident response capability to handleincreasing incidents is not made proactively. Only if the frequency of incidents hasincreased or severe incidents has occurred or the incident cost have been proved high,will the management decide to invest more on incident response capability. The Bragemodel simulations illustrate that these reactive decision rules will trap the managementinto ignoring the early signs of increasing information security risks, and causeunderinvestment, which results in inadequate incident response capability, andsubsequently leads to severe consequence. Proactive decision rules work effectively inreducing severity of incidents.This work helps our client in two ways. First, the model-based communication helps themanagement in Norsk Hydro clarify the problem it is facing and understand the underlyingmechanism causing the problem. There is an increased insight into the relevance of newknowledge acquisition. Second, the Brage model offers the management a tool to investigatethe long-term operation results under different policies, thus, helping improve themanagement decision process. This work contributes to the information security literature in three ways. First, previousresearch in information security is mostly on risk assessment methodology and informationsecurity management checklist. The dynamics of information security risks during theoperation transition period has not been well studied before. In this fast changing society,this aspect of changing information security risks is of importance. Second, we introduce adynamic view with the long-term perspective of information security. Although incidentshappen in random manner, the underlying mechanism that leads to such incidents oftenexists for a period. Understanding such mechanism is the key to prevent incidents. Last, butnot least, we demonstrate how formal modeling and simulation can facilitate the building oftheories on information security management. Information security management involvesnot only “hard” aspects, such as work processes and technology, but also “soft” aspects, suchas people’s awareness, people’s perception, and the cultural environment, - and all of whichchange over time. These soft aspects are sometimes the major factors affecting informationsecurity.This work also contributes to the system dynamics literature by adding examples of howmodel-based interventions are used to identify problems, conceptualize and validate models.The activities of group model-building workshops and model validation interviews arecarefully documented and reflected. It is an important step towards the accumulation ofknowledge in model-based intervention. | en_US |
