The role of safety risk management in the UK rail industry when dealing with cyber threats

Abstract

This study will review the literature available on cyber security strategies (generally and those specific to the railway) and compare these against safety methodologies to determine whether there are any overlaps and whether a common risk approach can be used. An assessment will be made on the evaluation of cyber threats in the absence of statistical/historical data and the merits in applying a quantitative approach including consideration of Cost Benefit Analysis (CBA). It is important to note that as the safety and security disciplines have developed independently of each other, the same words (e.g. risk, hazard, threat, likelihood, probability etc.,) have subtle different meanings. The goal of Risk Management seeks to present arguments and/or demonstrations to support assertions that the identified risks have been managed in a way which satisfies the organisation’s Risk Appetite and/or the principle of As Low as Reasonably Practicable (ALARP) and CBA.