Cassandra’s Calling Card: Socio-technical Risk Analysis and Management in Cyber Security Systems

Richard McEvoy 1,2 and Stewart Kowalski 1

1 NTNU i Gjøvik, Teknologivegen 22, 2815 Gjøvik, Norway
2 DXC Technology, Royal Pavilion Wellesley Road Aldershot Hampshire GU11 1PZ
www.ntnu.no

Abstract. Current methodologies for cyber security risk analysis are largely focused on process and technology. They do not systematically incorporate socio-technical thinking. We argue this reduces their predictive power in determining the risks of cyber threats to organizations and hence limits the range of responses. A remedy is to augment such systems using suitable socio-technical models. As an example, we propose a re-working of Rasmussen’s model for safety in systems, applying it to cyber security. The updated model gives rise to a set of predictors and boundary conditions which can be used to determine an organization’s resilience in the face of external and internal cyber threats, enabling analysts to propose an extended range of countermeasures. We propose using this approach as a basis to include socio-technical analysis in risk assessment. As an example, we provide a critique of the risk methodology used in SABSA against this model. We discuss practical applications of the approach and some associated issues. Future work will focus on incorporating this approach into a variety of risk methodologies and the creation of novel techniques that can be tested in the simulated cyber security environment of a cyber range or in the field.

Keywords: socio-technical systems analysis, cyber security, risk analysis, risk management

1 Introduction

Current methodologies used for cyber security risk analysis and management largely focus on technical and process requirements.
Evidence from incidents such as the Sony hacks and failures at SingHealth (see section 3) points to social failures as much as technical or procedural weaknesses as reasons for the occurrence of security incidents. Threats and vulnerabilities in organizations are also not simply technical or procedural in nature but result from complex systemic factors arising in modern organizations and societies. We argue that the lack of socio-technical systems analysis in commonly used risk analysis methodologies leaves organizations more vulnerable to cyber security risk than they should be. As one possible means of addressing this, we show how Rasmussen’s model of a complex socio-technical system for safety engineering can be adapted for cyber security purposes. This adaptation, in turn, provides a basis for enhancing current approaches to risk analysis and management. We give an example of applying

Proceedings of STPIS'19 Edited by S. Kowalski, P. Bednar and I. Bider 65