Abstract

The increasing adoption of ICT in traditional Critical infrastructure (CI) to improve productivity and efficiency while creating new services and functions is vital for modern society. However, CI driven by ICT is inherently vulnerable to cyberattacks with potentials for cascaded and escalating effects on depending and interconnected CIs. Therefore, the degree of CI dependency on ICT is a cyber risk factor that requires empirical quantification. Consequently, an ICT Dependency Model was developed for this purpose, based on predefined pillars, namely: Adoption, Integration and Automation. These pillars form the basis for computation of the ICT dependency index (IDI). The ICT Dependency Quadrant (IDQ) is introduced to categorise the IDI of CI organisations into four quadrants, viz: Q1, Q2, Q3 and Q4. Twenty-seven CI organisations participated in the pilot test of the model. The Findings showed that 3 of the CI organisations fall in Q4, while 20 fall in Q3. Similarly, 3 and 1 organisations fall into Q2 and Q1 respectively. The combination of IDI and IDQ provide a comparative tool to visualise the various IDI scores in a single view. Thus, it supports the monitoring of the growth of ICT in CI organisations vis-à-vis the potential cyber risk it presents.