SCADA (Supervisory Control and Data Acquisition Systems) is an industrial control
system used to control infrastructure processes such as water treatment, power grids, gas
pipelines, airports, etc. Critical infrastructures face various vulnerabilities, such as Ransom
attacks on OT systems, physical attacks, supply chain attacks, and Legacy systems. (Cherian,
2025). Ransom attacks on OT systems involve encrypted files that disrupt physical industrial
processes, holding operations hostage until a ransom is paid. Physical attacks with cyber
motives: This method of attack is used to cause physical damage to systems and infrastructure.
Supply chain attacks: In these attacks, the attacker targets a company’s third-party vendors or
providers, such as software Developers and hardware manufacturers, to infiltrate a Target
organization’s Network and spread malware or gain access to sensitive data.(Lenaerts-Bergmans, 2023, p. 1). Legacy systems: hackers exploit outdated Hardware, software, and poor network segmentation, making them easy targets. (Cherian, 2025) .

SCADA applications mitigate these risks through real-time monitoring and automated
responses, enabling continuous monitoring of critical parameters and allowing adjustments and maintenance of every asset across the SCADA system. Segment Networks: The use of Network segmentation to create smaller subnets within the SCADA system. It helps enforce specialized access and isolate sensitive data, also adding layers of firewall and OT security checkpoints. (Security, 2025).

In conclusion, SCADA systems play a significant role in protecting critical
infrastructures from vulnerabilities. These vulnerabilities can lead to physical damage, public

safety, economic damage, National Security risks, and disruption to essential services. The role
of SCADA applications in mitigating these risks is to protect critical infrastructure.

Resources
(2025, July 28). Top Critical Infrastructure Threats in 2025. Micromindercs.com.
https://www.micromindercs.com/blog/critical-infrastructure-threats
(2023, September 26). What Is a Supply Chain Attack? Crowdstrike.com.
https://www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/supply-chain-attack/#:~:text=Examples%20of%20supply%20chain%20attacks,tools%20and%20services%20available%20today.
(2025, September 16). SCADA Systems Security: Protecting Infrastructure From Risks.
Legitsecurity.com.https://www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/supply-chainattack/#:~:text=Examples%20of%20supply%20chain%20attacks,tools%20and%20services%20available%20today.

The CIA triad is the core design of information security, confidentiality, integrity, and
availability. These three principles form the foundation of information security. While the CIA
Triad is the foundation of information security, it isn’t fully functioning without authentication
and authorization. Authentication and authorization can be confusing, but they are different.
Authentication is the verification of user identity. Authorization grants permission to the user.
Authentication and Authorization are layers of security that uphold the CIA Triad.

Confidentiality protects data, keeping it secure from unauthorized access. It protects
sensitive information such as personal data, financial records, and classified data. An example is the hospital using encryption to protect patient medical records. Integrity ensures the data is
accurate and complete. Its purpose is to maintain reliable data that can be accessed by authorized personnel. Data integrity provides an accurate reflection of your purchases in your bank statement. Availability is having the data you need at the moment you need it. It keeps network software and data properly maintained, functional, and available for use. An example of availability work is being able to access your emails and different apps from your cell phone at any time of the day.

Authentication and authorization are tools that directly impact the CIA Triads.
Authentication verifies the identity of users through passwords, biometrics, and multi-factor

authentication directly supports Confidentiality. Authorization determines what actions
authorized users can perform, while also supporting Confidentiality by restricting data access to users based on their authorization level. Both ensure Integrity by limiting data editing to
authorized users and Availability by granting authorized access to the system, enabling updates
to software, and maintaining network availability.

In conclusion, CIA Triad, Confidentiality, Integrity, and Availability, are the foundation of
information security. By protecting the data, ensuring the data is accurate, and maintaining the
system for availability. Authentication verifies the identity of users with multi-factor
authentication. Authorization is the granting of privilege to access information or data. Together, they ensure protection against unauthorized access, authorized access for users, data accuracy, and system maintenance.

Ayomide Adewale-Adebowale

CYSE 200T

December 5, 2025

This paper explores three topics: the CIA triad, the NIST Cybersecurity Framework, and SCADA systems, to understand the relations between these topics. While the CIA triad defines the core goals and NIST CSF provides a structured process for achieving them, SCADA systems reveal the physical consequences when these fail in critical infrastructure.

CIA Triad

The CIA triad, Confidentiality, Integrity, and Availability, represents the three foundational goals of information security. Confidentiality ensures that only authorized parties have access to data, Integrity guarantees data accuracy and trustworthiness, and Availability ensures timely and reliable access to systems and information (The CIA Triad, pp. 44-45).

Example

A pro-Russia hacktivist accessed control systems at two Texas water facilities and tampered with their water pumps and alarms, causing water to run past designed shutoff levels and overfill storage tanks. (Recent Attacks on Critical US Infrastructure reading).

Mitigation Techniques

Confidentiality is secured through encryption and access controls; Integrity is maintained through records; and Availability is ensured through backups.

SCADA Systems

Supervisory Control and Data Acquisition (SCADA) systems are industrial control systems used to monitor and control infrastructure processes (e.g., water treatment, pipelines, power generation). Include Human-Machine Interfaces (HMIs), supervisory stations, Remote Terminal Units (RTUs), and communication methods and infrastructure (SCADA Systems).

NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) consists of six functions: Govern, Identify, Protect, Detect, Respond, and Recover, that provide a repeatable process for managing cybersecurity risk in both IT and OT environments (READING: The NIST Cybersecurity Framework )

Connection to Topics

SCADA systems are vulnerable because they allow the core of the CIA triad: confidentiality, Integrity, and Availability, to be leveraged by cyber attacks. The NIST cybersecurity framework applied to SCADA systems protects them.

Philosophical Discussion: The Short Arm of Predictive Knowledge

At the beginning of the semester, I believed that if an organization effectively applied the NIST Cybersecurity Framework, it could prevent major attacks. Studying SCADA systems and real critical-infrastructure attacks changed my view. The SCADA handout reading showed that even when SCADA systems are offline, ransom groups can still reach SCADA systems that experts previously thought were safe because they were supposedly isolated. “There is an erroneous belief that SCADA networks are safe enough because they are secured physically. It is also wrongly believed that SCADA networks are safe enough because they are disconnected from the Internet.” (SCADA systems).

Joans highlights that modern tools such as SCADA systems have created space where predictive knowledge falls behind technical expertise: “the predictive knowledge falls behind the technical knowledge which nourishes our power to act, itself assumes ethical importance ” (Joans, 14). This philosophical lens has completely reshaped my thinking. I now see cybersecurity as a preventive and predictive mechanism that operates within ethical intelligence.

Conclusion

The CIA triad, NIST Cybersecurity Framework, and SCADA systems are intertwined to protect data: the CIA triad defines what must be protected; SCADA systems control critical infrastructure that requires the most protection; and the NIST Cybersecurity Framework provides the process for securing SCADA systems. Connecting these topics reveals that, while we have the best systems and frameworks to protect data and infrastructure, the limitations of predictive knowledge impose constraints on the systems, which will continue to make it difficult to predict future events. 

References

• READING: SCADA Systems (http://www.scadasystems.net)

• READING: The NIST Cybersecurity Framework (CSF) Version 2.0

• READING: Recent Attacks on Critical Infrastructure 

• JONAS, H. (1973). TECHNOLOGY AND RESPONSIBILITY: REFLECTIONS ON THE NEW TASKS OF ETHICS. Social Research, 40(1), 31–54. http://www.jstor.org/stable/40970125

Appendix A – Reasoning Notes

Initially, I had no thought of SCADA systems and critical infrastructure being vulnerable; the course materials changed my view of their security. I used AI to brainstorm topic combinations. Also, to rephrase. I rejected any AI-generated content that went beyond the scope of the course. 

This article explores how individual psychological factors and perceptions interact to
shape employees’ attitudes toward cybersecurity compliance in organizational settings. The study
reveals that the Big Five personality traits have a significant direct influence on cybersecurity
compliance, with perceived security risks serving as a facilitator, highlighting the need for
personal cybersecurity training programs.

Relation/Connection to Social Science Principles
The article deeply integrates principles from psychology and behavioral sciences, two
core pillars of the social sciences. It shows the differences within individuals, highlighting how
traits such as conscientiousness and neuroticism influence defense behavior. It also connects to
organizational and social norms, linked to agreeableness. Illustrating how a person’s interactions
in a computing environment, such as perceived security risks, shape their response to security
threats. The study aligns with commitment and consistency, in which individuals’ behaviors
align with their traits and attitudes, expressing their commitment to security policy, and
compliance attitudes reflect individuals’ tendency towards rules and guidelines.

Research Question
How do perceived security risks and Big Five personality traits influence cybersecurity
behaviors, and what mediating roles do these factors play?
Hypothesis / Independent / Dependent Variable
The Big Five personality traits have a significant influence on cybersecurity behavior.
The Big Five personality traits have a substantial impact on cybersecurity compliance attitudes.
Cybersecurity behavior significantly mediates the relationship between Big Five personality
traits and cybersecurity compliance attitude. Perceived security and privacy risk significantly

moderate the relationship between Big Five personality traits and cybersecurity behavior.
Perceived security and privacy risk significantly moderate the relationship between cybersecurity
behavior traits and cybersecurity compliance attitude. Independent Variable: Perceived security
risks and Big Five personality traits. Dependent Variable: Cybersecurity compliance attitude.
(Ghaleb, M. M. S., & Sattarov, D., 2025).

Research Methods
The study employed a quantitative research method. Two hundred fifty-nine employees
across various organizations, exposed to cybersecurity policies, digital communication platforms,
and information systems, participated; cybersecurity behavior was measured by focusing on
preventive and protective security actions. Researchers evaluated Cybersecurity compliance
attitude through alignment and willingness to adhere to security protocols. Perceived security
and privacy risks were captured by emphasizing the cognitive evaluation of potential security
threats and their implications. The data were analyzed using Stata software in a two-step manner.
The validity and reliability of the model were assessed using a confirmatory factor analysis
(CFA), and the structural model was evaluated to test the direct, indirect, and interaction effects
of the hypothesized relationships (Ghaleb, M. M. S., & Sattarov, D., 2025, p. 38).

Data Analysis
The authors used structural equation modeling (SEM) with STATA to analyze the direct
and indirect associations between personality attributes, cybersecurity behavior, perceived risk,
and compliance attitudes. (Ghaleb, M. M. S., & Sattarov, D., 2025, p.27).

Connections to other Course Concepts
This study reinforces and delves deeper into course concepts from the PowerPoint
modules on Applying Psychological Principles of Cyber Offending, Victimization, and

Professionals, particularly the slide on “Personality theories,” discussing how personal
psychological traits (Big Five Personality Traits) contribute to behavior. It also ties to
“Psychology Experiments,” which is considered the Gold standard in research design, one of the
most rigorous forms of research.

Connections to the Concerns or Contributions of Marginalized Groups
The study doesn’t specify a marginalized group. Researchers found that individuals’
personality traits shape cognitive processing, risk perception, and decision-making.
Conscientious individuals who are equally hardworking and law-abiding are more likely to adhere to security protocols. At the same time, those who are open-minded tend to investigate
more and are thus more prone to novel cyberattacks. (Ghaleb, M. M. S., & Sattarov, D., 2025,
p.30).

In conclusion, this research assessed how psychological factors in cybersecurity impact
digital safety, showing that the Big Five personality traits influence the willingness to adhere to
security protocols and practice online safety. Implementing an approach that combines
psychology with cybersecurity to encourage security compliance within an organization can
create fewer vulnerabilities and promote cybersecurity hygiene.

Reference
Ghaleb, M. M. S., & Sattarov, D. (2025). Perceived Security Risks and Cybersecurity
Compliance Attitude: Role of Personality Traits and Cybersecurity Behavior. International
Journal of Cyber Criminology, vol 19 (1).
Article link: https://cybercrimejournal.com/menuscript/index.php/cybercrimejournal/article/view/438/124

The article “Harnessing Large Language Models to Simulate Realistic Human Responses
to Social Engineering Attacks: A Case Study” by Asfour and Murillo (2023) addresses a crucial
issue in cybersecurity: how human behavior influences vulnerability to social engineering
attacks, such as phishing emails (Asfour & Murillo, 2023). Combining advanced technology
With everyday human behaviors. The primary research question is: How do simulated human
behaviors, influenced by the Big Five personality traits (openness, conscientiousness,
extraversion, agreeableness, and neuroticism), respond to social engineering attacks? The authors suggest that specific personality traits, such as high agreeableness or low conscientiousness, make people more susceptible to these attacks because they are more likely to trust manipulative tactics. In this case, the independent variable is the Big Five personality traits. In contrast, the dependent variable is the simulated response to the attack, measured by actions like opening emails or sharing information.

This topic is closely related to social science concepts, particularly those from
psychology and sociology. Psychologically, it uses trait theory to explain individual differences
in risk-taking, showing how personality influences decision-making under uncertainty.
Sociologically, it illustrates social norms by demonstrating how cybercrimes exploit shared
norms of trust and shared information in digital interactions, ideas we have studied in class that emphasize cybersecurity as not just a tech issue, but a human one rooted in common behavior.

The authors used large language models (LLMs), such as OpenAI’s GPT-4, to generate
real human responses in their research. “Their approach to obtain those findings through expert interviews and individual tests was manual, time-consuming, and lacked standardization of the victims’ conditions and attack techniques”(Asfour & Murillo, 2023). They implemented real-life phishing attempts. “The prompt was designed to mimic a real-world phishing email, posing as an authentic security alert from Apple, requesting the recipient to verify their identity by replying with their current password. It is important to note that the email used in this study was extracted from a real-world phishing attack, and it includes original spelling and formatting” (Asfour & Murillo, 2023).

Social engineering attacks target individuals with little to no understanding of the dangers of the internet, such as older adults. This article examines how human behavior and personality traits influence vulnerability to social engineering attacks, particularly in the context of cybersecurity.

The study’s primary research question is: How do simulated human behaviors, influenced by the Big Five personality traits (openness, conscientiousness, extraversion, agreeableness, and neuroticism), respond to social engineering attacks? The authors hypothesize that certain personality traits, such as high agreeableness and low conscientiousness, may increase the likelihood that individuals will fall for phishing attacks. The independent variable (IV) is the Big Five personality traits, and the dependent variable (DV) is the response to the social engineering attack.

For their research methods, the authors developed a realistic approach, using large language models (LLMs) such as OpenAI’s GPT-4 to generate real human responses to phishing attacks. This approach allowed researchers to create controlled scenarios that mimic real-world social engineering attempts.

Concepts from PowerPoint on human factors are closely related to the article’s findings, particularly in the areas of technology and psychology, where we discussed victimization and the behaviors of victims that result from their victimization. The topic also highlights the challenges marginalized groups face in digital security. Designing cybersecurity defenses to address the specific needs of users with limited computer knowledge is essential to reducing their risk and developing better tools to spot and identify theft and financial exploitation.

Overall, the contributions of this study to society are significant. This research validates the use of LLMs for understanding human behavior, recognizing how phishing attacks succeed, and enabling proactive defense in a world where cyberattacks and social engineering have become increasingly common.

In conclusion, Asfour and Murillo’s research gives a clearer understanding of cybercrime through innovative methods. They also advance the role of social sciences in promoting digital safety and literacy. It requires guidelines to be established to protect everyone. Having a better understanding of human factors and how they impact each attack can lead to more in-depth
preventive measures.

References
Asfour, M., & Murillo, J. C. (2023). Harnessing large language models to simulate realistic human
responses to social engineering attacks: A case study. International Journal of Cybersecurity Intelligence
& Cybercrime, 6(2), 41-60. https://vc.bridgew.edu/ijcic/vol6/iss2/3/

Rank the motives from 1 to 8 as the motives that you think make the most sense (being 1) to the least sense (being 8).  Explain why you rank each motive the way you rank it.

Ayomide Adewale-Adebowale

Money: I choose money as the most important because the world we live in runs on money; we can’t do anything without it. According to Markle Science, in 2021, nearly $200 million was stolen by cybercriminals; today, that number is in the trillions of dollars.  Revenge: Humans are emotional beings; revenge often occurs due to a mix of emotions, which can bring a desire for justice, control, or emotional relief. Recognition: People seek recognition for various reasons. Some do it for personal recognition to gain power, influence, higher-paying opportunities, or to network, while others do it for competitive advantage. Political: The purpose of this is to advance political agendas. I chose this to be the 4th  on my list because there are constant attacks from different political entities trying to steal sensitive data or to cause disruption. Entertainment: Some people live for the thrill, enjoying and thriving in high-risk activities. Curiosity: We are all curious about one thing or another; some curiosity about technology and how it can be used to their advantage leads them to cybercrime. Boredom: Curiosity and Boredom can be related; the lack of having something meaningful to do can result in curiosity about how things work and what you can make them do. Multiple reasons: This makes the least sense because there is no specific reason why; it’s like an excuse (I did it because I felt like doing it).

Cybersecurity and Social Science

“This course addresses the social, political, legal, criminological, and economic dimensions of cybersecurity through a social science framework.  Students are introduced to a human-factors approach to understanding cybersecurity threats.  Attention is given to the social factors that contribute to cyber incidents and the political and legal mechanisms that are developed to control the behaviors of those who create risks in cybersecurity incidents.  The class also explores how cybersecurity is studied by social scientists in psychology, political science, criminology, economics, sociology, international studies, and other social science disciplines.”

Diwakar Yalpi