The cyber security of nuclear power plants (NPPs) has recently become a major issue, and the cyber security regulatory body in Korea requires a utility to comply with cyber security controls and to perform cyber security risk management based on the regulatory guide RS-015. However, it is difficult in practice to fully implement the controls with limited resources. Research is therefore needed to identify which controls are relatively more important than others, so that risk can be reduced effectively by implementing higher-priority controls first.
The aim of this study is to develop a method for quantifying the relative importance of NPP cyber attack probability variables. The cyber attack probability variables were investigated through a literature survey and classified into two types: (1) attacker-related variables and (2) target-related variables. The factor analysis (FA) method was used to confirm the validity of the rearrangement and classification results, and the analytical hierarchy process (AHP) method was applied to evaluate the relative importance among the variables. Moreover, the cyber security controls that should be implemented with higher priority were identified by applying the relative importance to the regulatory guide RS-015. By focusing on the relatively more important controls, the utility is expected to be able to follow cyber security controls efficiently.