Abstract: The evolution of cyber space is transforming the way our infrastructure is managed. Industrial control systems, that is, those systems that manage critical utility infrastructure such as Energy, Water and Transport, are increasingly interacting with enterprise IT systems in intricate fashions. This leads to an increase in the level of threats to these critical infrastructures. Given the importance of industrial control systems to society, it is important that decision-makers are able to effectively articulate the risks posed to them from cyber space. Even more importantly, decision-makers should be able to understand and respond to such risks from a business continuity and recovery perspective in order to evaluate and prioritise their mitigation responses. In this talk, I will discuss the complexity of cyber risk decision making in ICS settings and the limitations of security metrics in this regard. I will then draw upon an ongoing programme of various projects at Lancaster to discuss the role of perception in understanding and articulating cyber risks and how a poor understanding of such risks leads to latent flawed designs within industrial control systems.

Bio: Professor Awais Rashid is Director of Security Lancaster Research Centre, one of the UK’s Academic Centres of Excellence in Cyber Security Research. He possesses an extensive multi-disciplinary background, having worked at the boundary of computer science, social science and psychology for several years. He is particularly focused on sense-making of large, heterogeneous data sources and human factors in order to unravel impacts on cyber resilience of individuals, organisations and infrastructures. He developed novel digital persona analysis techniques to detect the deception tactics deployed by sophisticated cyber criminals online. This work was selected as one of the 100 Big Ideas of the Future by Research Councils UK and Universities UK, influenced UK and European policy frameworks, is used in law enforcement applications and underpins commercial products through a spin-out company. He has also conducted research on analysis of large-scale networks including Internet-scale systems, techniques for open-source intelligence (OSINT) and the security and privacy issues pertaining to OSINT. He also researches novel techniques for detecting sophisticated social engineering attacks and socio-technical factors underpinning online group formation and behaviours. He currently leads a number of research projects on cyber-security of industrial control systems, researching novel socio-technical metrics for studying and articulating cyber security risks in such environments.