Identifying cyber risk factors associated with construction projects

As construction projects adopt increasingly interconnected digital technologies, their cyber-attack surface expands, making comprehensive cyber risk management essential to prevent incidents, mitigate risks, and minimize potential losses resulting from such attacks. However, the necessary risk factors for this purpose are lacking. Therefore, the study aims to develop a comprehensive set of project-level cyber risk factors tailored to the complexities of construction projects, identified through a systematic and flexible seven-step methodological framework: (1) a literature review of construction and cybersecurity sources to identify initial factors; (2) initial definition of risk categories; (3) internal evaluation and expert input to refine these factors; (4) distribution of a detailed expert questionnaire for rating; (5) expert evaluations through meetings and feedback sessions to enhance validity; (6) elimination of lower-scoring factors; and (7) establishment of quantitative scales for precise risk assessment. The findings include the 32 identified risk factors into five groups: project information, project structure, information technology (IT), operational technology (OT), and management and human aspects. The contributions include providing a set of risk factors that serve as cybersecurity management references and inputs for future quantitative risk assessments, offering a checklist used for proactive risk management, and introducing a framework adaptable for identifying factors of other risks.