Managing emerging information security risks during transitions to Integrated Operations

The Norwegian Oil and Gas Industry is adopting new information communication technology to connect its offshore platforms, onshore control centers and the suppliers The management of the oil companies is generally aware of the increasing risks associated with the transition, but so far, investment in incident response (IR) capability has not been highly prioritized because of uncertainty related to risks and the present reactive mental model for security risk management. In this paper, we extend previous system dynamics models on operation transition and change of vulnerability, investigating the role of IR capability in controlling the severity of incidents. The model simulation shows that a reactive approach to security risk management might trap the organization in low IR capability and lead to severe incidents With a long-term view, proactive investment in IR capability is of financial benefit.