ISA Interchange

Welcome to the official blog of the International Society of Automation (ISA).

This blog covers numerous topics on industrial automation such as operations & management, continuous & batch processing, connectivity, manufacturing & machine control, and Industry 4.0.

The material and information contained on this website is for general information purposes only. ISA blog posts may be authored by ISA staff and guest authors from the automation community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.


COVID-19 and Industrial Cybersecurity: Studies in Risk Response

I never thought that I’d be comparing toilet-roll purchasing habits with cybersecurity risk management, but here I am in the midst of the COVID-19 pandemic seeing some interesting parallels. As an industrial automation consultant and subject-matter expert for the International Society of Automation (ISA), I travel the world talking to organizations about managing their cybersecurity risk. Common themes have emerged. I realize that both COVID-19 and industrial cybersecurity discussions provoke similar reactions—and behind both is the psychology of how people interpret and respond to risk. Here are some examples:

  • There are organizations that deny the abundance of data and insist that they are not at risk. These are COVID-19 deniers, watching the reports of the exponential spread of the virus but claiming that there is really nothing to worry about. Scottish author Hunter Davies recently tweeted that “I’m 84. I survived rationing. I’m not scared of the coronavirus,” which would be like an organization claiming: “We’ve been around for 84 years. We survived a hurricane, so we’ll survive a cyberattack.”
  • There are organizations that ask for advice from cybersecurity experts, then promptly ignore that advice because it is inconvenient to them. When epidemiologists recommend taking extreme action and shutting down public events, they base this on their specialist knowledge and experience. While there may be initial resistance to such recommendations, it is almost always necessary to follow the guidance of experts. After all, expert comes from the Latin expertus, meaning tested or proved.
  • There are organizations that follow others and undertake costly but ultimately ineffective or misguided responses to cybersecurity risk. A typical case is deploying expensive cybersecurity software solutions without establishing good basic cybersecurity hygiene practices. Often the software is purchased because others have done the same, so it must be the right thing to do. But there are more important steps to take. This is the equivalent of the panic buying of toilet paper rolls that we are seeing today. While stocking up on toilet paper might seem like a sensible contingency plan, there are other factors to consider—not least exposure to the virus in the supermarket itself.

Psychologist Paul Slovic’s review article, “Perception of risk,” published in Science in 1987, gives some insight into why this happens. Slovic’s analysis compared the difference in perception of the risks of nuclear energy versus driving automobiles. He concluded that because there are so many automobile accidents, the risk is knowable. There is also limited media coverage of automobile accidents, with no speculation about unknown events. Unlike automobile accidents, nuclear energy represents an unknown risk with a relative lack of data. Nuclear accidents get widespread media coverage, resulting in speculation about possible future disasters. The result is that the lower-risk scenario (nuclear energy) induces more fear than a higher-risk activity (driving an automobile).

In the toilet paper versus community spread scenarios, the fear of running out of toilet paper is knowable, whereas there is still much uncertainty about the likelihood of contracting COVID-19, so once again people are failing to accurately measure risk. But the more you know about your risk, the less there is to fear.

What's Next?

Learn how ISA creates experts who understand cybersecurity risks. Browse ISA’s Cybersecurity Resources Collection to find standards, educational materials, and products that fit your organization’s needs. 

This article was originally published in the March/April issue of InTech Magazine under the title “From COVID-19 to Cybersecurity: A Tale of Toilet Paper and Risk.”


About the Author

Steve Mustard is an independent automation consultant and the 2021 ISA president-elect. 
