General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights.

Users may download and print one copy of any publication from the public portal for the purpose of private study or research.

You may not further distribute the material or use it for any profit-making activity or commercial gain

You may freely distribute the URL identifying the publication in the public portal If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim.

Downloaded from orbit.dtu.dk on: Jul 09, 2020

A systems approach to cyber-risk management

Sepúlveda Estay, Daniel Alberto; Khan, Omera

Published in:Operations Management

Publication date:2016

Document VersionPublisher's PDF, also known as Version of record

Link back to DTU Orbit

Citation (APA):Sepúlveda Estay, D. A., & Khan, O. (2016). A systems approach to cyber-risk management. OperationsManagement, 42(1), 18-21.

Number 1 2016www.iomnet.org.ukV42

Getting the most out of your membershipVolunteering with IOM – see page 6

Cyber-risk managementResilience, reaction, recovery

1front_cover.qxp_Layout 1 09/03/2016 16:24 Page 1

A systems approach to cyber-riskmanagement

18

Companies do nothave the resourcesto analyse everypotential failurethat faces thesupply chain

more comprehensive way of looking at cyber-risksin supply chains is required, particularly when

considering the increasing complexity of logisticsnetworks and their exposure to unexpected disruptions.This article explores why current risk assessmentmethods are insufficient, and provides an analogy forunderstanding the dynamic effects in a company.

Increased complexity in supply chains is exposingorganisations to new risks. Many of these risks originatefrom the increasing dependence on informationtechnology (IT) by competitive logistics networks.Organisations are being damaged by the resultingdisruption of operations, as well as loss of companydata, intellectual property and organisational value.Studies have shown costs at over $550 billion annually.1

These disruptions are challenging the way we organiseour operational activities, as well as the way we managerelationships with our partners. It also signifies that thetransparent and rapid access to logistics resourcesenabled by IT is also a platform used by intruders fortheir own benefit.

The diversity of potential disruptions means thattraditional risks assessment tools are impractical.Companies do not have the resources to analyse everypotential failure, and to update the assessments as newrisks appear, or existing risks change.

Our research at the Technical University of Denmark(DTU) is leading us to challenge the traditional riskanalysis used in complex supply chains. Improvementscan be achieved by moving from a static analysis, basedon analysing reliability of components, to a dynamicanalysis, based on control of vulnerabilities in theorganisation – see Figure 1.

Although this novel approach requires a change in theway these risks are understood, it can create acomprehensive way of understanding the supply chainstructure, and for improving supply chain reaction andrecovery (resilience) when an unexpected cyberattackoccurs.

Shortcomings in current approachesThe Federal Aviation Administration in the USA recentlyidentified more than 100 methods for assessing risks2,several of which are traditionally used in logisticsnetworks. These methods are largely based on thepremise that an undesirable event is caused by a chainof other preceding events. These methods are based onthe assumption that these events can be decomposed,and that this decomposition allows for the independentanalysis of each component, which does not influencethe outcome. The process is known as analyticreduction. These analyses view this undesirable eventand go backwards through the events that led to it, untilthe event that is considered the originator of the chain(the so-called root cause), is identified. This is the caseof methods such as Failure Mode and Effect Analysis(FMEA) or Failure Mode and Criticality Analysis(FMECA), and are also known as backward-lookinganalyses. If instead an analysis is made to reveal all thepossible chains of events in which something can gowrong, methods such as Failure Tree Analysis (FTA) areused. These are known as forward-looking analysismethods. Several other forward-looking methods arealso widely used, such as Hazard and OperabilityAnalysis (HAZOP) and Event Tree Analysis (ETA).

All of these methods follow the chain-of-failure-eventcausality model, which can be best represented through

A

Daniel Sepúlveda and Omera Khan FCILT

9cyberrisk_Layout 1 09/03/2016 16:29 Page 1

The diversity of potential disruptions means thattraditional risks assessment tools are impractical.Companies do not have the resources to analyse everypotential failure, and to update the assessments asnew risks appear, or existing risks change.

Operations Managementwww.iomnet.org.uk

Number 12016

the analogy of a row of falling dominoes. There is aninitial domino, labelled the root cause, that represents asingle event. It could be a human error or a componentfailure. This error then propagates through the system,leading to other component failures and eventuallymaking the last domino fall, where the problem isexperienced – see Figure 2.

This family of methods have been widely used sincetheir invention in the 1950s. They are popular due totheir relative simplicity, and are effective in systems withtechnical components, as well as in simple systemsinvolving both technical components and people, theso-called sociotechnical systems. A traditional way ofquantifying cyber-risks would be to identify all the waysa logistics network could fail (reliability analysis) or besubject to cyberattack. This is best done in closeinteraction with an experienced team from differentparts of the supply chain under analysis. The team willthen agree on the likelihood of occurrence for each ofthese possible failures (probability), and an approximateamount of money lost if these failures were to occur(severity). Impact would then be probability x severityfor each of these failures. By multiplying these twofactors, a ranking of failures can be obtained, the eventswith highest impact can be identified and actions can beconcentrated on elimination or mitigation of these risks.

Our research is leading us to question severalassumptions about how new risks such as cyber-risks canbe managed, due to the increased occurrence ofdifferent types of cyberattacks with potentially harmfuleffects on supply chain performance. We have thussearched for new ways of understanding these risks, andthat has enabled us to develop practical proposals thatcould be useful to practitioners.

The traditional way of quantifying risks has severalshortcomings. One of them has already beenmentioned above. We will additionally analyse fourother shortcomings3: reliability vs safety, subjectivechoice, systemic effects and dynamic behaviour.

Reliability vs safetyBy focusing only on the performance of individual partsof the supply chain, there is the danger of confusingsafety with reliability, meaning that it is generallyassumed that if the components of the supply networkfunction well, then the supply network is safe. This beliefcrumbles when errors occur in supply networks, whereall components worked as expected, even sometimesbecause all components worked as expected. This canhappen particularly where some type of redundancy hasbeen built into the system, or where controllers (humanor automatic) do not understand adequately what

19

Proposed risk analysis changeFigure 1

Representation of the chain of failure as dominoesFigure 2

Dangers when feedback loops are notconsideredFigure 3

Control view of a processFigure 4

9cyberrisk_Layout 1 09/03/2016 16:29 Page 2

actually happens in the process. Redundancy can workwell in simple mechanical or electrical systems, but whenit is applied to decision networks, it can lead, forexample, to a double call, where two different peoplemake contradicting decisions: a major problem insituations where urgent action is needed. Additionally, ifthe control actions in the procedures do not representwhat should be done, a correctly functioning controlprocedure could lead to an unwanted disruption.

Subjective choice: who does the analysis?In traditional risk assessment methods, there is asubjective choice of the chain of events. The list ofpotential failures – the chain of events leading to thisfailure, as well as the relationships between the events inthe chain, right down to the root cause – is highlydependent on who is conducting the analysis. This canlead to several types of bias. If the participants are inmanagement positions, without thorough knowledge ofoperations, then some relevant operational sources ofaccidents will be absent from the list. Root causes maybe selected, just because they are politically acceptable,and other potential explanations may not be explored,because they could be an embarrassment for theorganisation. Many times this search also ends withsome type of operator error or lack of training. JensRasmussen, researcher, Risø (present DTU), mentionedin the 1980s that it is indeed very difficult to analysethrough a perceived human error, and therefore theanalysis stops there.

Systemic effects: look at the wider pictureOnly a very limited chain of events is taken into accountin these traditional methods, and factors not directlyincluded in a chain of events are excluded. Theexplanation usually considers the events thatimmediately led to the loss and systemic factors are notconsidered. Systemic factors can be the consequencesthe decision has in other parts of the organisation,affecting and counteracting the original decisionthrough feedback loops. This normally does not happenimmediately – see Figure 3. The systemic effects canalso include policy decisions in the company, leading tothe unwanted disruptions.

A proper understanding of the required behaviour andthe ability to withstand disruptions from cyberattacksand regain normal operating conditions (cyber-resilience)

is hidden in the traditional methods. The reaction by thecompany, when having to cope with a cyberattack, willnormally be a series of actions, using resources presentin the company. These actions will develop over time,and the stability of the operation will eventually berestored. This will not happen immediately and it willtake some time. This means that cyber-resilience is, infact, a dynamic behaviour of the supply chain, and assuch it requires a way to deal with these dynamics. Letus look at this more closely.

Dynamics: businesses vs carsDynamics can be better understood by comparing amanufacturing company subject to cyberattacks with acar on the road. A company manager would beequivalent to the car’s driver. Cyber-risks comingtowards this company can be represented as obstacleson the road coming towards the car. The car has severalcontrols that can be used by the driver to avoid theseobstacles, such as the steering wheel, the acceleratorand the brakes. In the same way, the company has alsosome controls that can be used by the manager to directthe company development, such as setting strategicobjectives, investment in training or incentive structurestowards collaboration with suppliers. The car has a massthat results in inertial effects. Due to the risk of a crash,it is not possible or convenient for the driver to changethe car’s direction suddenly, or accelerate, or stop thecar suddenly. These inertial effects are also one of thecharacteristics for real systems, known as dynamiceffects. The company has also inertial effects such as thenumber of employees, the total accounts payable or thenumber of electronic orders for products. This meansthat a manager cannot make sudden changes in thecontrols, in the case of risk of a cyberattack, withoutother consequences.

A driver avoids an obstacle in the road by using thecontrols – for example, activating the brakes at aforthcoming stop sign. A novice driver might attempt tobreak too late, thrusting him forward with a jolt: a notalways gentle reminder of the inertial effect of our ownmass in movement. In the case of the company, amanager, attempting to avoid the effects of acyberattack will use the controls at his or her disposal. A novice manager may attempt to change strategicobjectives too quickly or change the incentive structuresradically, thereby creating an organisational jolt.

Unknown inertial effectsSome important differences come to light in thisanalogy, which we have defined as differences ofmanagement and differences of design. Driversnormally start driving (managing) the car from a restingposition, and with training the driver will graduallyexplore increasing levels of driving difficulty. In the caseof the company, the manager will usually be appointedto the role, with the company already ‘in movement’ at an undetermined speed. He will have a series ofcontrols. Some of them will be familiar from previousexperience, and some might be new controls,implemented by a predecessor.

There are different organisational masses, which themanager will not necessarily know about and will have to

20

A systems approach to cyber-risk management

Dynamics can bebetter understoodby comparing amanufacturingcompany subject tocyberattacks with acar on the road

9cyberrisk_Layout 1 09/03/2016 16:29 Page 3

discover by trial and error. Moreover, the manager willnot have experience with the inertial effects that theseavailable controls will have on the company. Finally, inthe same way drivers are taught in the driving schoolabout existing cars and driving conditions, managers aretrained in business schools about existing companiesand business conditions.

Another important and very relevant difference is one ofdesign. The car has a structure, developed andimproved over time by a team of specialists. Theyunderstand the effects this car structure has on the car’sbehaviour, with special attention to dynamic effects. Thestructure of a company will usually not have beendesigned, but rather replicated initially from otherworking models, maybe grown through acquisition ofother companies (inorganic growth) or through its ownexpansion (organic growth). Company structures aretherefore very likely to develop without any designconsiderations to its dynamics.

Control view of risksTaking the car analogy further, resilience, or the ability toreturn to normal operations after disruptions, can bethen understood as the ability of the company to adjustit course (its processes) by using its control structures – seeFigure 4. Resilience would then be reflected in how wellthis control structure works by:

• How well and timely sensors measure the currentprocess

• How well and timely we act on the process with ouractuators when there is something to be done

• How well and timely our supply chain can translatewhat it is sensing into what it has to do about it,through its controller

This is an ongoing activity, since the supply process isconstantly encountering different working conditionsthat have to be detected and be adapted to

Steps to implement the control viewSupply chain cyber-resilience through the control view ofcyber-risks can be achieved by the following generalsteps:

• Identify what the company will consider asundesirable disruptions to the supply chain – identifypotential accidents

• Identify the mix of conditions in the current supplynetwork that would lead to the undesirabledisruptions specified in the previous step – identifyhazards

• Define the boundaries of what is in control and out of the control of the company – identify supplysystem boundaries, controls and masses present inthe system

• Brainstorm about how each potential disruptionidentified in the first step could occur; this will lead to the identification of potential improved controls,which should be in place – for example, how theprocess is measured (sensors), organisationalstructures (actuators), or action plans for crisismanagement teams (controllers)

aniel Sepulveda, MSc. PhD Researcher atManagement Engineering at the Technical

University Denmark. (DTU). His current topic ofresearch is cyber-risk and security in the globalsupply chain, under the guidance of ProfessorOmera Khan. He has worked in supply chainmanagement for over 12 years in operational andstrategic positions and has experience withmultinational companies in five continents.

Email: dasep@dtu.dkmera Khan FCILT is Professor of OperationsManagement, Technical University of Denmark

(DTU) and is also Visiting Professor and ProgrammeDirector of the MSc in International Supply ChainManagement at Royal Holloway University ofLondon. In addition to leading a number of ongoingresearch projects, she works with organisations on arange of supply chain and logistics issues and isadvisor to many universities developing courses inlogistics, supply chain and operations management.

Email: okhan@dtu.dk

About the authors

D

O

References

1. ‘Netlosses: Estimating the global cost ofcybercrime’, www.mcafee.com/mx/resources/reports/rp-economic-impact-cybercrime2.pdf

2. Federal Aviation Administration (2008), ‘Systemsafety handbook’, retrieved 24th September2015, www.faa.gov/regulations_policies/handbooks_manuals/aviation/risk_management/ss_handbook/

3. Other shortcomings of the use of traditional riskassessment methods in supply networks, whichare not analysed in detail in this article, includeaspects such as: their excessive search for guiltand operator error, instead of understanding thestructure of the system that led to the disruption;assuming that two different events leading to adisruption will happen independently of eachother, when analysing how likely they are tohappen, merely for mathematical simplicity; orthe risk of hindsight bias – that is, the perceptionof the disruption as foreseeable when lookedafter the fact, changing the discussion to whatwas done wrong instead of the more fruitful oneof why it made sense for the operators to makethat decision at that time.

Operations Managementwww.iomnet.org.uk

Number 12016

21

9cyberrisk_Layout 1 09/03/2016 16:29 Page 4