6533b831fe1ef96bd1299126

RESEARCH PRODUCT

Managing Emerging Information Security Risks during Transitions to Integrated Operations

subject

description

Paper presented at the 2010 43rd Hawaii International Conference on System Sciences (HICSS). (c) 2010 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other users, including reprinting/ republishing this material for advertising or promotional purposes, creating new collective works for resale or redistribution to servers or lists, or reuse of any copyrighted components of this work in other works. Paper also available from the publisher: http://dx.doi.org/10.1109/HICSS.2010.260 The Norwegian Oil and Gas Industry is adopting new information communication technology to connect its offshore platforms, onshore control centers and the suppliers. The management of the oil companies is generally aware of the increasing risks associated with the transition, but so far, investment in incident response (IR) capability has not been highly prioritized because of uncertainty related to risks and the present reactive mental model for security risk management. In this paper, we extend previous system dynamics models on operation transition and change of vulnerability, investigating the role of IR capability in controlling the severity of incidents. The model simulation shows that a reactive approach to security risk management might trap the organization in low IR capability and lead to severe incidents. With a long-term view, proactive investment in IR capability is of financial benefit.