Managing Inherent IT Business Risk against Cyber Threats: a Decision Analysis Case Study of an Oil and Gas Company

Authors

  • I Wayan Novit Marhaendra Putra School of Business and Management, Institut Teknologi Bandung, Indonesia
  • Meditya Wasesa School of Business and Management, Institut Teknologi Bandung, Indonesia

DOI:

https://doi.org/10.59395/ijadis.v5i1.1315

Keywords:

Inherent Risk Profile, Procurement Strategy, SMART, MITRE ATT&CK, NIST 800-53, COBIT

Abstract

XYZ, an anonymized oil and gas company, aims to strengthen its cyber resilience by managing its inherent cybersecurity risk profile in line with business needs and stakeholder expectations. This research addresses three challenges: selecting appropriate information security (IS) controls, improving the organization's risk management proficiency, and preparing for an Information Security Management System (ISMS). It also addresses the procurement strategy for Security Operations Control across the XYZ Group, whose entities operate under PSC Gross Split, Cost Recovery, and Non-PSC statuses. The analysis draws on risk documents, interviews, and cyber-attack data, and applies problem tree analysis, a stakeholder power-interest matrix, MITRE ATT&CK, NIST 800-53, COBIT 2019, ISO 27005:2022, KAMI 5.0, and SMART. The outcomes are a set of IS controls for risk mitigation, a readiness assessment for ISMS implementation, strategic programs to raise risk management capability, and a refined procurement approach for Security Operations Control. Incorporated into a collaborative contract structure, these outcomes are intended to reduce the likelihood and impact of cyber threats, including operational disruption, revenue loss, increased costs, data theft, and non-compliance.




Published

2024-04-26

How to Cite

I W. N. M. Putra and M. Wasesa, "Managing Inherent IT Business Risk against Cyber Threats: a Decision Analysis Case Study of an Oil and Gas Company," International Journal of Advances in Data and Information Systems, vol. 5, no. 1, pp. 85-100, 2024. https://doi.org/10.59395/ijadis.v5i1.1315
