EDPACS
The EDP Audit, Control, and Security Newsletter
Volume 67, 2023 - Issue 4

ABSTRACT

Smart cities are interconnected in a complex web of interdependent systems that are critical for the functioning of smart services for better living. However, cybersecurity risks in smart cities are a growing concern for smart city councils and governments globally. As more city services are brought online and connected with other services, the cybersecurity threat surface is also increasing. We are experiencing a surge in the exploitation of security vulnerabilities in smart service operations in cities on a global scale. Incidents of cyberattacks bringing down critical smart services like smart grids and other digital infrastructure are now occurring frequently. These cyberattacks are anticipated to increase further on a larger scale if smart city councils do not take a proactive approach toward cybersecurity risk management and assurance.

Managing the cyber risks of smart cities is an understudied area of the information systems and cybersecurity research domains that is necessary for the development of cyber-resilient societies. This paper attempts to address this gap. It is based on the premise that cybersecurity risks in smart cities cannot be avoided; instead, they must be proactively identified, assessed, and managed. This paper provides an overview of interdependent systems in smart cities, cybersecurity risks in the context of interdependent systems, and the impact of recent cyberattacks on public services in cities across the globe. The significance of risk management and assurance in smart cities is introduced in this paper to address the cybersecurity risks arising from the system of systems. Cybersecurity risk management utilizing NIST's Risk Management Framework is recommended in this paper for smart city councils through a step-wise approach, highlighting the necessary actions for effective operational cybersecurity risk assurance.

DISCLOSURE STATEMENT

No potential conflict of interest was reported by the author(s).

Supplementary material

Supplemental data for this article can be accessed online at https://doi.org/10.1080/07366981.2023.2165293

Notes

1. Ransomware attack is defined as follows: ‘It is common type of malware that blocks you from accessing your computer. It should be noted that access can be obtained if the ransom is paid, but there is no guarantee’ (NCSC, 2022).

Additional information

Notes on contributors

Abhik Chaudhuri

Abhik Chaudhuri is a Chevening Fellow (UK) in Cyber Policy from Cranfield University, a Fellow of the Cloud Security Alliance (US) and a Senior Member of IEEE. He works at Tata Consultancy Services' Technology and Innovation - Design and Architecture Center of Excellence, and is pursuing a doctoral program at the Indian Institute of Management Ranchi. He is a member of the Policy Task Force for technology governance at the G20 Global Smart Cities Alliance led by the World Economic Forum, an expert contributor to the UN and ITU's U4SSC initiative on ‘Enabling People-Centred Cities through Digital Transformation’, and a project editor and expert contributor for developing global standards at ISO/IEC JTC1 SC27 and IEEE SA.

Sezer Bozkus Kahyaoglu

Sezer Bozkus Kahyaoglu graduated from Bosporus University, and studied in the UK at the University of Sheffield and Manchester Business School. Sezer holds an MA in Money, Banking and Finance. She has a PhD in Econometrics from Dokuz Eylul University. She is an Associate Professor of Finance and joined the University of South Africa (UNISA) as an academic associate to serve in the Professor Extraordinarius role. She worked at KPMG and Grant Thornton Advisory, TurkDEX as CAE. She is an associate editor of three international indexed journals. Sezer is a member of IIA and ACFE Global. She is certified as CIA, CFSA, CRMA, CICP, CFE, CPA.
