2.2 Machine Learning, Artificial Neural Networks and Learning Methods
3.1.1 Risk Management Objectives
Having risk management defined, what then are the objectives of risk management that should be met by the risk management process? ISO 31000 defines objectives as:[3, p. v]
•
tional norms;
• confident and rigorous basis for decision making and planning;
• definitions of controls to empower decision making and planning;
• effective allocation and use of resources for risk treatment;
• enhanced safety;
• improved corporate governance;
• improved financial reporting;
• improved identification of opportunities and threats;
• improved incident management and prevention;
• improved operational effectiveness and efficiency;
• improved stakeholder confidence and trust;
• loss reduction; and
• proactive rather than reactive management.
All of these objectives are valid in the context of machine learning and Industry 4.0. As well as the treatment of risk leading to loss reduction for businesses in Industry 4.0, it is important to emphasise that risk management also has a compliance objective, not least because of industry regulatory safety requirements.
Regarding the development of security and safety standards, the objective of defining goals has not been reached with respect to machine learning, as the applicable standards have not yet incorporated any relevant control frameworks (see Subsection 5.4). Hence, the development of these security controls is undertaken as part of this research.
However, out of these objectives, only the objectives in bold above can be met directly by the development and use of a risk management framework. The other objectives are even more challenging to design for, and it is equally challenging to evaluate their effectiveness in a risk framework. Similarly excluded are some critical success factors for organisations implementing risk management that have been considered by Yaraghi et al.[118, p. 556] These do not relate to risk frameworks themselves, but rather to success factors such as leadership and education of staff.[118, p. 556]
The Committee Draft also takes a predominantly organisational focus with respect to the necessary conditions for effective risk management, for example, the resources needed for each step of the risk management process.[90, p. 6]
1. tools should be suited to the organisation’s objectives and capabilities;[90, p. 11]
2. up-to-date information on risks;[90, p. 11]
3. people with appropriate knowledge should be involved in the risk process[90,
Here again, only the tools (in bold above) can be directly satisfied alongside a risk management framework. (Per the definition of risk management framework, tools are necessary, but are not part of the framework.)
The risk management framework then needs to support all of the risk management objectives identified in this section. Nevertheless, further properties of a risk management framework are considered in Chapter 4.
3.2 Risk Management Challenges
There are several specific challenges in the application of cyber security risk management to machine learning systems in Industry 4.0. These challenges have not been considered in the literature specifically with respect to machine learning systems, either in Industry 4.0 or in other domains, most likely because machine learning applications are relatively recent, applications have not yet had severe consequences when deployed, and there has been relatively little understanding of the potential attacks outside of academia. A list follows in this section with a detailed description of each challenge in this context. The approach taken to identifying these challenges is to use several sources in the literature and refine the potential challenges as follows:
• Identify risk management challenges with the application of other similar technologies: Such challenges are not unprecedented in cyber security and similar challenges have been considered in the context of IoT, SCADA systems,[28, p. 1][56] including calls for new methodologies to assess risk concerning such systems.[74, p. 20]
• Identify risk management challenges from literature cataloguing risks and research priorities in relation to machine learning. See, for example, [7] and [93].
• Identify the challenges that follow from Industry 4.0, for example, its high interconnectedness.
• Identify the challenges that follow from research into machine learning attacks, for example, the implications of the risks not being precisely defined.
• Filter the list of challenges to those in Industry 4.0.
The list of challenges to risk management evolved as some challenges did not prove significant and others were added based on feedback from expert reviewers (see Section 7.2.2), who reviewed the list of challenges both in the early stages of research and explicitly in the validation phase. It should be noted that the list of challenges is neither exhaustive nor in any sense final, but, as a result of this process, represents a list of real challenges in this domain.
Some of the challenges that we have considered relate to the lack of comprehensive understanding we have of machine learning systems and their particular susceptibilities to attack. The challenges also relate to the interconnectedness and complexity of machine learning systems in Industry 4.0. Other challenges relate to the fact that they are employed as cyber-physical systems. Finally, other challenges relate to the dynamic environments of Industry 4.0. Hence, the following key challenges for conducting risk management for machine learning systems can be identified:
Systems
2. New Risks Are Still Being Discovered in Machine Learning Systems
3. Interconnected and Complex Ecosystems Involving Machine Learning Systems
4. Continuous Change in Machine Learning Systems and in Industry 4.0
5. Lack of Historical Data About Attacks on Machine Learning Systems
6. Unclear Liabilities for Consequences of Attacks on Machine Learning Systems
7. Machine Learning Systems Are Potential Attack Platforms
8. Human Interaction in the Application of Machine Learning Systems
9. Multiple Organisations Involved in the Application of Machine Learning Systems in Industry 4.0
10. The Management of Safety of Machine Learning Systems in Industry 4.0
These are considered in more detail, in turn, in the following subsections.