TY - JOUR
T1 - Socio-Technical Security Modelling and Simulations in Cyber-Physical Systems
T2 - Outlook on Knowledge, Perceptions, Practices, Enablers, and Barriers
AU - Ani, Uchenna
AU - Al-Mhiqani, Mohammed
AU - Tuptuk, Nilufer
AU - McKendrick Watson, Jeremy
AU - Hailes, Stephen
PY - 2025/4/9
Y1 - 2025/4/9
N2 - Socio-Technical Security Modelling and Simulation (STSec-M&S) is a technique used for reasoning about and representing security viewpoints that include both the social and technical aspects of a system. It has shown great potential for improving the cybersecurity and resilience of Critical Infrastructure (CI). This study involved a multi-methods approach, consisting of a scoping literature review and a focus group workshop, conducted with critical infrastructure stakeholders to explore their perceptions and practices regarding the use of socio-technical security modelling and simulation. The findings suggest that the current state of knowledge regarding the use and effectiveness of STSec-M&S approaches is limited in CI domains. Consequently, there is little application of it in existing CI systems, despite its recognised benefits of enabling a better understanding of CI functionalities and security goals, early and more holistic risk identification, and selection of appropriate countermeasures. The benefits of the STSec-M&S approach can be better realised by effective cross-sector communications and collaborations, team partnerships, system and approach sophistication, and better security awareness, amongst others. The potential barriers that can impede such benefits include high expense for implementing the technique, low data availability and quality, regulatory compliance, and competency gaps. Helpful recommendations include exploring and using realistic data, validating system security models, and exploring new ways of reskilling and upskilling CI stakeholders in socio-technical security-thinking and M&S approaches to enhance cybersecurity and resilience of CIs.
KW - Socio-Technical Security
KW - Cybersecurity Modelling
KW - Security Simulation
KW - Cyber-Physical Systems Security
KW - Critical Infrastructure Security
M3 - Article
JO - IET Cyber-Physical Systems: Theory and Applications
JF - IET Cyber-Physical Systems: Theory and Applications
SN - 2398-3396
ER -