Measuring Stakeholders’ Perceptions of Cybersecurity for Renewable Energy Systems

  • Conference paper
Data Analytics for Renewable Energy Integration (DARE 2016)

Abstract

Renewable energy systems need to be able to make frequent and rapid adjustments to address shifting solar and wind production. This requires increasingly sophisticated industrial control systems (ICS), but that also increases the potential risks from cyber-attacks. Despite increasing attention to technical aspects (i.e., software and hardware) of cybersecurity, many professionals and scholars pay little or no attention to its organizational aspects, particularly to stakeholders’ perceptions of the status of cybersecurity within organizations. Given that cybersecurity decisions and policies are mainly made based on stakeholders’ perceived needs and security views, it is critical to measure such perceptions. In this paper, we introduce a methodology for analyzing differences in perceptions of cybersecurity among organizational stakeholders. To measure these perceptions, we first designed House of Security (HoS) as a framework that includes eight constructs of security: confidentiality, integrity, availability, technology resources, financial resources, business strategy, policy and procedures, and culture. We then developed a survey instrument to analyze stakeholders’ perceptions based on these eight constructs. In a pilot study, we used the survey with people in various functional areas and levels of management in two energy and ICS organizations, and conducted a gap analysis to uncover differences in cybersecurity perceptions. This paper introduces the HoS and describes the survey instrument, as well as some of the preliminary findings.

Notes

  1. Since assessment and importance values are usually above 4, we show the range 3 to 7 on the graph.

  2. Since construct gaps are usually less than 2.0, we display gap values in multiples of 0.5 from 0 to 2.5.

Acknowledgement and Disclaimer

This research was conducted by the MIT Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity, also known as MIT-(IC)3. This material is based, in part, upon work supported by the Department of Energy under Award Number DE-OE0000780. We thank those who participated and provided the survey data. Early research was supported, in part, by Cisco Systems, Inc. through the MIT Center for Digital Business.

This report was prepared as an account of work sponsored, in part, by an agency of the US Government. Neither the US Government nor any agency thereof, nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. The views and opinions of authors expressed herein do not necessarily state or reflect those of the US Government or any agency thereof.

Corresponding author

Correspondence to Stuart Madnick.

Appendix

  A. In my organization, I am a/an:

    • Executive (CEO, CFO, VP, etc.)

    • Functional or Line Manager

    • Professional (Consultant, Engineer, In-house Expert, etc.)

    • Other organizational member

  B. In my organization, I work in area of:

    • Information Technology (IT) Security

    • IT, but not Security

    • Operational Technology (OT) Security

    • OT, but not Security

    • General/Physical Security

    • Business Security Policy or Management

    • Other, i.e., not in Security, IT, or OT (e.g., Marketing, Accounting, HR, etc.), Please specify: ________

Assessment Scale:

  • 1 = In my view, this security statement is true to a very SMALL extent in my organization.

  • 7 = In my view, this security statement is true to a very LARGE extent in my organization.

Importance Scale:

  • 1 = In my view, it is NOT at all Important that my organization address this security statement.

  • 7 = In my view, it is VERY Important that my organization address this security statement.

  1. The organization’s business strategy sets direction for its cybersecurity practices.

  2. The organization has adequate safeguards against internal and external threats to its data and networks.

  3. In the organization, cybersecurity funds are appropriately distributed.

  4. In the organization, the IT group takes cybersecurity seriously.

  5. The organization’s data and networks are available to approved users.

  6. The organization has adequate policies for when and how data can be shared.

  7. The organization has adequate technology for supporting cybersecurity.

  8. People in the organization carefully follow good cybersecurity practices.

  9. The organization has a well-defined and communicated cybersecurity strategy.

  10. Cybersecurity is a funding priority in the organization.

  11. The organization uses its IT security resources effectively to improve cybersecurity.

  12. The organization has adequate policies about user identifications, passwords, and access privileges.

  13. The organization adequately monitors its data and networks against possible attacks.

  14. Cybersecurity is a business agenda item for top executives in the organization.

  15. The organization has well-defined policies and procedures for cybersecurity.

  16. People in the organization can be trusted to engage in ethical practices with data and networks.

  17. The organization has procedures for detecting and punishing cybersecurity violations.

  18. In the organization, business managers help set the cybersecurity strategy.

  19. The organization makes good use of available funds for cybersecurity.

  20. The organization provides good access to data and networks to legitimate users.

  21. The organization has a rapid response team ready for action when cyber attacks occur.

  22. The organization protects its confidential corporate data.

  23. People in the organization are aware of good cybersecurity practices.

  24. The organization’s data and networks are usually available when needed.

  C. What is the biggest concern that you have about cybersecurity? (need not be included in the questions above) _____________________________

  D. Any other comments or suggestions? _____________________________

  E. If you would like to receive a copy of our research results, please provide your email address: (optional) Email: ___________________________

We thank you for your time spent taking this survey.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Madnick, S. et al. (2017). Measuring Stakeholders’ Perceptions of Cybersecurity for Renewable Energy Systems. In: Woon, W., Aung, Z., Kramer, O., Madnick, S. (eds) Data Analytics for Renewable Energy Integration. DARE 2016. Lecture Notes in Computer Science, vol 10097. Springer, Cham. https://doi.org/10.1007/978-3-319-50947-1_7

  • DOI: https://doi.org/10.1007/978-3-319-50947-1_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-50946-4

  • Online ISBN: 978-3-319-50947-1

  • eBook Packages: Computer Science, Computer Science (R0)