Human Factors Challenges in Developing Cyber-Informed Risk Assessment for Critical Infrastructure

Abstract

Research efforts in the security of cyber physical systems often focus solely on technological aspects of security and ignore the human contributions to risk and resilience. However, ask any IT security admin what the greatest threat to their system is and they’ll quickly tell you, “the user.” While the threat of users is well established, humans are involved in the security of systems to a much larger degree. Humans interact with these systems at every stage of their lifecycle, from initial design to end-of-life: Humans design the components and structures of the physical system, they construct the facility, design the control logic, configure the networks and security controls, maintain the equipment, and operate the system. Ignoring the humans in the system means ignoring your largest source of risk. This paper describes the ways in which humans can contribute to risk using the electric grid as an example.

Katya Le Blanc—This work of authorship was prepared as an account of work sponsored by Idaho National Laboratory, an agency of the United States Government. Neither the United States Government, nor any agency thereof, nor any of their employees makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately-owned rights. Work supported through the INL Laboratory Directed Research& Development (LDRD) Program under DOE Idaho Operations Office Contract DE-AC07-05ID14517.