Open Access articleCyber attacks on industrial control systems (ICS) that underpin critical national infrastructure can be characterised as high-impact, low-frequency events. To date, the volume of attacks versus the overall global footprint of ICS is low, and as a result there is an insufficient dataset to adequately assess the risk to an ICS operator, yet the impacts are potentially catastrophic. This paper identifies key elements of existing decision science that can be used to inform and improve the cyber security of ICS against antagonistic threats and highlights the areas where further development is required to derive realistic risk assessments, as well as detailing how data from established safety processes may inform the decision-making process. The paper concludes by making recommendations as to how a validated dataset could be constructed to support investment in ICS cyber security
