Mitigating Information security risks during the Transition to Integrated Operations: Models & Data
MetadataShow full item record
This research studies the change of information security risks during the transition to Integrated Operations (an operation extensively utilize advanced information communication technology to connect offshore facilities and onshore control centers and even vendors.) in Norsk Hydro, a Norwegian oil and gas company. The specific case for this study is a pilot platform in transition to Integrated Operations, Brage: twenty traditional work processes are to be replaced by new work processes. The operators on the Brage platform have to build up relevant new knowledge to work effectively with new work processes. The new work processes, new knowledge and their interrelationship all affect information security risks. The management of Norsk Hydro is concerned with the problem of the increasing information security risks, which might cause incidents with severe consequences. We look for policies that support a successful (smooth and fast) operation transition. System dynamics is adopted in this research to model the causal structure (mechanism) of the operation transition. We chose system dynamics because operation transition is a process rich in feedback, delays, nonlinearity and tradeoffs. All these features are captured by system dynamics models. Moreover, system dynamics models can be used to simulate various scenarios. The analyses of these scenarios can lead to insights on policy rules. We specifically investigate policies concerning transition speed, resource allocation during the transition to Integrated Operations and investment rules in incident response capability. Since historical time series data about incidents and information security risks are scarce, we use following model-based interventions to elicit structural information from our client and experts: May 2005 First group model-building workshop Problem articulation Sep 2005 Second group model-building workshop Model conceptualization Dec 2005 Model-based interview Model formulation Year 2006 Series of model-based meetings Model refinement Nov 2008 Model-based interview Model validation The Brage model was developed and validated through these model-based interventions. The analyses of various simulation results lead to the following policy insights: 1. Transition speed. The operation transition should be designed with a speed that allows the operators not only to get familiar with new work processes, but also to build up the detailed knowledge supporting these work processes. The relevance of such knowledge, which is mostly tacit, is sometimes underrated. If the operators only know what to do, but not how to do it effectively, the benefit of the new technology (embedded in the new work processes) will not be fully realized, and the platform will be more vulnerable to information security threats. 2. Resource allocation. Resources (operators’ time) are needed to learn new work processes and to acquire related knowledge. Generally, the operators will first put their time into achieving the production target. Investment on learning activities will not be prioritized if these activities hinder reaching the production target, even if the operators know this short-term performance drop is the cost for obtaining long-term higher performance. Nevertheless strategic decision should never be influenced by operative goals and high level managements should be responsible to make decisions on whether focusing on long-term profits and accept short-term performance drop as a trade-off. 3. Investment in incident response capability. The management in Norsk Hydro is aware of the increasing information security risks changing from unconnected platforms to integrated ones. However, investment in incident response capability to handle increasing incidents is not made proactively. Only if the frequency of incidents has increased or severe incidents has occurred or the incident cost have been proved high, will the management decide to invest more on incident response capability. The Brage model simulations illustrate that these reactive decision rules will trap the management into ignoring the early signs of increasing information security risks, and cause underinvestment, which results in inadequate incident response capability, and subsequently leads to severe consequence. Proactive decision rules work effectively in reducing severity of incidents. This work helps our client in two ways. First, the model-based communication helps the management in Norsk Hydro clarify the problem it is facing and understand the underlying mechanism causing the problem. There is an increased insight into the relevance of new knowledge acquisition. Second, the Brage model offers the management a tool to investigate the long-term operation results under different policies, thus, helping improve the management decision process. This work contributes to the information security literature in three ways. First, previous research in information security is mostly on risk assessment methodology and information security management checklist. The dynamics of information security risks during the operation transition period has not been well studied before. In this fast changing society, this aspect of changing information security risks is of importance. Second, we introduce a dynamic view with the long-term perspective of information security. Although incidents happen in random manner, the underlying mechanism that leads to such incidents often exists for a period. Understanding such mechanism is the key to prevent incidents. Last, but not least, we demonstrate how formal modeling and simulation can facilitate the building of theories on information security management. Information security management involves not only “hard” aspects, such as work processes and technology, but also “soft” aspects, such as people’s awareness, people’s perception, and the cultural environment, - and all of which change over time. These soft aspects are sometimes the major factors affecting information security. This work also contributes to the system dynamics literature by adding examples of how model-based interventions are used to identify problems, conceptualize and validate models. The activities of group model-building workshops and model validation interviews are carefully documented and reflected. It is an important step towards the accumulation of knowledge in model-based intervention.