• Introduces STS-CROP, a socio-technical cybersecurity framework for IT/OT projects
• Adds "process" as a fourth independent socio-technical dimension in cybersecurity risk governance
• Empirically validated with 23 expert interviews from the oil and gas sector in the GCC
• Bridges ISO/IEC 27001 and IEC 62443 through socio-technical integration and optimization
• Provides practical, policy, and methodological contributions to cybersecurity research

The convergence of Information Technology (IT) and Operational Technology (OT) in oil and gas operating facilities has transformed these assets into digitally intensive, highly connected socio-technical systems, while also expanding the cyber risk surface. Existing standards such as ISO/IEC 27001 and IEC 62443 prioritize technical safeguards but underplay human, organizational, and environmental factors. This represents a serious gap in critical infrastructures where safety, continuity, and global-local contexts are tightly coupled. To address this challenge, this paper develops the STS-CROP (Socio-Technical Systems Cybersecurity Risk Optimization Process), a human-centered process framework for cybersecurity risk management grounded in socio-technical systems theory and employing an abductive research design. Iterating between theory and 23 expert interviews in IT/OT-converged oil and gas settings, the study identifies socio-technical cyber risk gaps and structures a process to address them. The proposed framework comprises three interdependent components: (1) Cybersecurity controls classification system spanning social, technical, process, and environmental dimensions; (2) Joint optimization mechanism to align and balance controls; and (3) Dynamic cyber risk management process to ensure compliance with international standards (ISO/IEC 27001 and IEC 62443) through continuous improvement and governance.
Validation with industry practitioners confirmed the framework’s applicability to oil and gas projects and suggests broader relevance for other critical infrastructures. By elevating the process to a distinct, independent socio-technical dimension and operationalizing joint optimization, STS-CROP advances socio-technical systems theory while offering a practical governance model for IT/OT cybersecurity. The study provides actionable insights for practitioners and policymakers seeking resilient and adaptive approaches to cyber risk management in converged environments.
Imran et al. (Wed,) studied this question.
www.synapsesocial.com/papers/69df2a4be4eeef8a2a6af905 — DOI: https://doi.org/10.1016/j.cose.2026.104918
Huma Imran
Colin Turner
Shereen Nassar
Computers & Security