A Socio-Technical Approach to Cyber Risk Management and Impact Assessment


Technology is increasingly being used by organisations to mediate social/business relationships and social/business transactions. While traditional models of impact assessment have focused on the loss of confidentiality, integrity and availability, we propose a new model based upon socio-technical systems thinking that places the people and the technology within an organisations business/functional context. Thus in performing risk management in a cyber security and safety context, a detailed picture of the impact that a security/safety incident can have on an organisation is developed. This in turn stimulates a more holistic view of the effectiveness, and appropriateness, of a counter measure.

Share and Cite:

K. Charitoudi and A. Blyth, "A Socio-Technical Approach to Cyber Risk Management and Impact Assessment," Journal of Information Security, Vol. 4 No. 1, 2013, pp. 33-41. doi: 10.4236/jis.2013.41005.

Conflicts of Interest

The authors declare no conflicts of interest.


[1] Lili Sun, R. P. Srivastava and T. J. Mock, “An Information Systems Security Risk Assessment Model under Dempster-Shafer Theory of Belief Functions,” Journal of Management Information Systems, Vol. 22, No. 4, 2006, pp. 109-142. doi:10.2753/MIS0742-1222220405
[2] Collaboration, “Socio-Technical Systems Engineering Handbook,” St. Andrews University, St Andrews, 2011.
[3] W. M. Fox, “Sociotechnical System Principles and Guidelines: Past and Present,” Journal of Applied Behavioral Science, Vol. 31, No. 1, 1995, pp. 91-105. doi:10.1177/0021886395311009
[4] E. Trist and K. Bamforth “Some Social and Psychological Consequences of the Longwall Method of Coal Getting,” Human Relations, Vol. 4, No. 1, 1951, pp. 3-38.
[5] G. Dewsbury and J. Dobson, “Responsibility and Dependable Systems,” Springer, Berlin, 2007.
[6] P. Periorellis and J. E. Dobson, “Organisational Failures in Dependable Collaborative Enterprise Systems,” Journal of Object Technology, Vol. 1, No. 3, 2002, pp. 107-117.
[7] B. Aubert, M. Patry and A. Rivard, “A Framework for Information Technology Outsourcing Risk Management,” ACM SIGMIS Database, New York, 2005.
[8] K. Padayschee, “An Interpretive Study of Software Risk Management Perspectives, SAICSIT’02,” Proceedings of the 2002 Annual Research Conference of the South African Institute of Computer Scientists and Information Technologists on Enablement Through Technology, 2002, Port Elizabeth, pp. 118-127.
[9] H. W. Lewis, et al., “Risk Assessment Review Group Report to the U.S. Nuclear Regulatory Commission,” National Technical Information Service, Technical Report, Alexandria, 1978. doi:10.2172/6489792
[10] R. Carvajal, “Systemic Netfields: The Systems’ Paradigm Crises. Part I,” Human Relations, Vol. 36, No. 3, 1983, pp. 227-246. doi:10.1177/001872678303600302
[11] A. J. C. Blyth, “Enterprise Modelling and Its Application to Organisational Requirements, Capture and Definition,” Ph.D. Thesis, University of Newcastle, Newcastle, 1995.
[12] J. R. Searle, “Speech Acts: An Essay in the Philosophy of Languages,” Cambridge University Press, Cambridge, 1984.
[13] J. J. Thomson, “Acts and Other Events (Contemporary Philosophy Series), Cornell University Press, New York, 1977.
[14] R. Nederpelt and F. Kamareddine, “Logical Reasoning: A First Course,” College Publications, London, 2004.
[15] M. Blowfield and A. Murray, “Corporate Responsibility,” Oxford University Press, Oxford, 2011.
[16] K. Brand and H. Boonen, “IT Governance CobiT 4.1—A Management Guide,” 3rd Edition, Van Haren Publishing, Zaltbommel, 2008
[17] C Feltus, “Strengthening Employee’s Responsibility to Enhance Governance of IT: COBIT RACI Chart Case Study,” Proceedings of the First ACM Workshop on Information Security Governance, New York, 9-13 November 2009, pp. 23-32. doi:10.1145/1655168.1655174

Copyright © 2023 by authors and Scientific Research Publishing Inc.

Creative Commons License

This work and the related PDF file are licensed under a Creative Commons Attribution 4.0 International License.