A Risk-Assessment Model for Cyber Attacks on Information Systems

Industrial process-plants are an integral part of a nation’s economy and critical infrastructure. The information systems used by automated industrial plants are enticing targets of cyber attacks. However, the financial damages resulting from these cyber attacks are difficult to estimate since the resultant losses are not as tangible as physical losses. In this paper, we propose a mathematical model for determining the financial losses resulting from cyber attacks on a computer-based information system used in industrial plants. Limited work has been published to systematically explore the types of possible cyber attacks and their financial impact on the process. The primary objective of this research is to propose a risk-assessment model to assess the impact of cyber attacks on a plant that runs fully or partially by control systems such as supervisory control and data acquisition (SCADA). Managers could use the model for cost/benefit analysis of security software and hardware acquisition. We also illustrate this model’s use on a SCADA system using a case. The proposed model could be applied to different industries and organizations with minor modifications to reflect the specifics of that industry or organization.