Managing Inherent IT Business Risk against Cyber Threats: a Decision Analysis Case Study of an Oil and Gas Company

Abstract

XYZ, an anonymized oil and gas company, aims to enhance cyber resilience by strategically managing inherent risk profiles in cybersecurity, aligned with business needs and stakeholder expectations. This research addresses challenges including Information Security Control determination, proficiency improvement in risk management, and ISMS preparedness. Additionally, it tackles procurement strategy for Security Operations Control across XYZ Group, operating under PSC Gross Split, Cost Recovery, and Non-PSC statuses. Utilizing diverse frameworks such as problem tree analysis, stakeholders’ power-interest matrix, MITRE ATT&CK, NIST 800-53, COBIT 2019, ISO 27005:2022, KAMI 5.0, and SMART, data analysis includes risk documents, interviews, and cyber-attack data. The research establishes effective IS Control for risk mitigation, readiness for Information Security Management System ISMS implementation, strategic programs enhancing risk management capability, and refined Security Operations Control procurement. These outcomes, incorporated into a collaborative contract structure, significantly mitigate cyber threats and potential impacts, such as disruptions to operations, revenue reduction, increased costs, data theft, and non-compliance.