CYBERSECURITY ASSURANCE IN SMART CITIES: A RISK MANAGEMENT PERSPECTIVE

ABSTRACT Smart cities are interconnected in a complex web of interdependent systems that are critical for functioning of smart services for better living. However, cybersecurity risks in smart cities are a growing concern for smart city councils and governments globally. As more city services are being brought online and connected with other services, the cybersecurity threat surface is also increasing. We experience a surge in exploitation of security vulnerabilities in smart service operations in cities on a global scale. Incidents of cyberattacks bringing down critical smart services like smart grids and other digital infrastructure are now occurring frequently. These cyberattacks are anticipated to increase further on a larger scale if smart city councils do not take a proactive approach toward cybersecurity risk management and assurance. Managing the cyber risks of smart cities is an understudied area of information systems and cybersecurity research domains that is necessary for the development of cyber-resilient societies. This paper attempts to address this gap. It is based on the premise that cybersecurity risks in smart cities cannot be avoided; instead, they must be proactively identified, assessed, and managed. This paper provides an overview of interdependent systems in smart cities, cybersecurity risks in the context of interdependent systems, and impact of recent cyberattacks on public services in cities across the globe. The significance of risk management and assurance in smart cities is introduced in this paper to address the cybersecurity risks arising from system of systems. Cybersecurity risk management utilizing NIST’s Risk Management Framework has been recommended in this paper for smart city councils through a step-wise approach, highlighting the necessary actions for effective operational cybersecurity risk assurance.


INTRODUCTION
The concept of smart cities is gaining attention on a global scale with the rapid increase in population of the cities. According to the UN's World Urbanization Prospects (United Nations, 2018), urban population of the world is expected to increase from 55% in 2018 to 68% by 2050. Frost & Sullivan (2020) have analyzed the global spending on smart city technologies and estimated that smart cities will spend $327 billion by 2025 with focus on data-driven connected infrastructure utilizing emerging digital technologies. As we continue to build a more connected future in our cities and societies, we also experience an increase in the frequency of cyberattacks that are disrupting smart services catered to citizens by governments, city councils, and businesses. In this aspect, international collaboration is vital and International Standards are required to establish a global cyber protection strategy and collective action (Brady, 2022).
According to the World Economic Forum's recent Global Risk Report (World Economic Forum, 2022), cyber threats will continue to intensify due to the growth of digital dependency and increasing impact of systems failure from evolving cybersecurity risks. It is also anticipated that if cyberattacks are successfully targeted on large strategic systems, then the physical consequences of such attacks on our societies can be cascading in nature, where one impacted system can prevent normal functioning of a connected system. According to this Report, ransomware attack is a 'dangerously growing threat' globally and a cause of major concern for public safety. Also, 'cybersecurity failure' has been highlighted as a critical short-term threat to the world in this Report. This is specifically relevant for smart cities that are essentially live and large systems of interdependent systems.
With the rapid deployment of digital technologies in smart cities, cybersecurity risks of smart services are also becoming a major concern worldwide for governments, city councils, regulators, policymakers, businesses, end users, and auditors. As a key action for governance and inclusive growth in smart cities, the OECD has highlighted (OECD, 2020) the need to monitor the rapidly changing technologies of today that are enabling digital transformation of cities and its services. Management of security with effective controls based on continuous auditing and continuous monitoring (CA/CM) is of prime necessity to ensure trust in the smart city services (Vasarhelyi & Halper, 1991; Vasarhelyi et al., 2012). Recently, cybersecurity has been shown to be among the top critical risks both in the Risk in Focus Report issued by the European Confederation of Internal Audit Institutions (European Confederation of Institutes of Internal Auditing [ECIIA], 2022) and in the OnRisk Report issued by the Institute of Internal Auditors (The Institute of Internal Auditors IIA, 2022). Cybersecurity is stated as the "most significant gap" in internal audit competencies in these reports (ECIIA, 2022; IIA, 2022). This starts a debate on whether cyber risk assurance activities are sufficient specifically in the context of smart cities where critical services are deployed using digital infrastructure. The purpose of this paper is to address this need and to contribute to the literature on systems-based cybersecurity risk management of smart city services.
This paper intends to address the following research questions:
RQ1: What should be the cybersecurity risk management approach for smart cities?
RQ2: What can smart city councils do to provide cybersecurity risk assurance for smart services?
To address these research questions, this paper is organized as follows: in the first section, smart city definition is explored based on the relevant literature. The interdependent systems in a smart city are explained with an example of a sectional view of four smart connected services, the influencing factors on operational risks of a smart city service, and the significance of the architectural layers in a smart service application. In the second section, the terminologies (cybersecurity, cybersecurity risk, cybersecurity risk assurance, and cybersecurity risk governance) are explained in the context of smart cities with reference to definitions in the Technical Standard ISO/IEC 27100:2020 and Glossary of NIST Cyber Security Resource Center (NIST, 2022b) and based on review of relevant literature like the Global Technology Audit Guide (GTAG, 2016), Entity's Cybersecurity Risk Management Program (AICPA ASEC, 2017), State of Cybersecurity (COBIT, 2020), and COSO ERM (2019). Recent cyberattacks on smart city services across the globe are highlighted to exemplify the growing cybersecurity concerns associated with these services and the significance of their impact on citizens. In the next section, a cybersecurity risk management process is recommended with a detailed step-wise approach utilizing NIST Risk Management Framework (NIST, 2018

SMART CITIES AND INTERDEPENDENT SYSTEMS
Although the concept of smart city is gaining interest on a global scale, we get a variety of definitions of it in the literature. Some researchers have tabulated the definitions and dimensions of smart cities from a wide array of the literature, indicating that there is no universal definition of smart cities (Keshavarzi et al., 2021). For example, in our literature review, we find that the World Bank considers smart cities as 'technology-intensive city, with sensors everywhere and highly efficient public services' (World Bank, 2015) that 'leverage data and technology to integrate urban infrastructure and service delivery and provide solutions to achieve a citizen-centric approach' (World Bank, n.d.). According to ISO, smart cities 'rely on integrated and interconnected strategies and systems to effectively provide better services and increase quality of life, ensuring equal opportunities to all and protecting the environment' (ISO, n.d.). The European Commission defines smart city as 'a place where traditional networks and services are made more efficient with the use of digital solutions for the benefit of its inhabitants and business' (European Commission, n.d.). And, according to India's Smart Cities Mission, these cities 'focus on their most pressing needs and on the greatest opportunities to improve lives' (Smart Cities Mission, n.d.). The definitions of smart city from some leading organizations are summarized in Table 1. In a smart city, the services are digitally enabled with latest technologies such as Internet of Things (IoT), Big Data, Artificial Intelligence (AI), and Analytics to make these context-aware, responsive, and live, these characteristics being represented by the word 'smart'. As the interconnectedness increases among the smart city's systems, subsystems (Lom & Pribyl, 2020), and its services, the interdependencies as well as operational complexities and risks also increase manifold.

2023 EDPACS © Copyright 2023 Taylor & Francis. All rights reserved.

https://unece.org/housing/sustainable-smart-cities

3. UK Parliament: "Smart cities" describes places that incorporate a range of technologies (especially those that collect and use data) to address economic, social, and environmental challenges. Projects usually take place in urban areas but are also deployed in rural settings.

4. ETSI: A 'smart city' uses digital technologies to:
• engage more effectively and actively with its citizens
• enhance the city performance and the well-being of the citizens
• reduce operational costs and the city resource consumption
• generate new business opportunities and increase the attractiveness of the city
• and much more.
https://www.etsi.org/technologies/smart-cities

5. NIST: 'Smart cities' is defined as the efficient use of digital technologies to provide prioritized services and benefits to meet community goals, such as economic vitality, equity, resilience, sustainability, or quality of life
https://www.nist.gov/news-events/news/2022/02/nistinternational-collaboration-develops-newframework-smart-cities-and

6. NASDAQ: Smart cities use technology to improve efficiency and sustainability and to provide a better quality of life for their residents
https://www.nasdaq.com/articles/world-reimagined%3A-the-potential-of-smart-cities

7. G3ict: Smart cities aspire to use technology to put people first. In an era of connected technologies, our cities have the potential to be built to respond to our needs and smooth the path as we lead our lives. This smoother path will help all citizens, especially those across a range of ages and physical or cognitive abilities
https://g3ict.org/publication/smart-cities-for-all-a-vision-for-an-inclusive-accessible-urban-future

8. OECD: Initiatives or approaches that effectively leverage digitalization to boost citizen well-being and deliver more efficient, sustainable, and inclusive urban services and environments as part of a collaborative, multi-stakeholder process
https://www.oecd.org/cfe/regionaldevelopment/OECD-Roundtable-on-Smart-Cities-and-Inclusive-Growth_Issues-Note.pdf

Figure 1 depicts a sectional view of a smart city's system of four connected services, with the smart grid powering the transport service, the water treatment service, and the healthcare service that are dependent on the smart grid. While the transport service delivers food, the water treatment service provides drinking water, and the healthcare service ensures that the city has healthy citizens, all these enable the workforce who delivers the economic activities.
In this scenario, the workforce and economic activities of a smart city depend directly on transport, water treatment, and healthcare services and indirectly on the smart grid. The order of dependency of smart services on the smart grid can be categorized as follows:
• Transport, water treatment, health care: First-order dependency
• Food, water, healthy citizens: Second-order dependency
• Workforce: Third-order dependency
• Economic activity: Fourth-order dependency
The smart grid is dependent on electricity consumption data that it receives from transport, water treatment, and healthcare services, for demand forecasting. All these smart services create a system of interdependent systems of the smart city. Data collected from these and other smart services in a city can be utilized by the smart city council for trend analysis to manage energy demands, monitoring pandemics, traffic management, health monitoring of senior citizens, and a gamut of context-aware actions for better living. Security vulnerabilities in any of these smart systems can be used by cyberattackers to gain access and control to that system remotely or physically and can cause unavailability of smart services to citizens. A virus attack or a ransomware attack on any system can propagate to other connected systems in higher or lower order of system dependency, due to control weaknesses in those systems, leading to compromise and breakdown of critical services.
In such a smart service scenario, we can have five influencing factors on operational risks, as in Table 2, which determine the robustness of technology-enabled smart services to address cybersecurity risks. These are described as follows:

(i) Smart service design: While designing a smart city's service, the service components have to be identified and architectural decisions have to be made about each component of the service (Goldstein et al., 2002) to meet the expectations of the key stakeholders on the security and safety aspects. The stakeholders' needs that should be addressed are related to data interoperability, device interoperability, network interoperability among smart systems and devices, security by-design, and privacy by-design of smart services. A smart city can generate huge volumes of data due to the communication between devices and systems (machine to machine, M2M), interaction of devices and systems with the citizens (machines to people, M2P), and vice versa (people to machines, P2M). The influence or impact of smart service design on a smart city's service can be evaluated by auditing the recommended controls with reference to appropriate frameworks and standards.

(Foster & Rosenzweig, 2010) and can lead to increased usage and acceptance. At the same time, we should be careful about how these

(iii) User expectations: Users of smart services expect that cybersecurity and privacy features are baked-in, enabled by default, and no untoward incident can impact them for using these services. If these user expectations are not addressed with a by-design approach, then it can impact the reliability of and trust in the smart service. The failure of information systems in a smart service and the impact of the consequences on end users (Szajna & Scamell, 1993)

(iv) External threats: External threats (Chen et al., 2021) can be from cyberattackers, operational disturbances due to natural calamities or other factors that can impact the normal operation of the smart service. Adequate protection of smart city's services from cyber threats and attacks is a key requirement to ensure continuity of these services as needed without any external mediation and harm.
Along with in-built cybersecurity capabilities to provide resilient smart services, it is also necessary to continuously monitor these services across all layers of devices, communication, data storage, and applications, with proactive defense. Frameworks like the NIST Risk Management Framework (NIST, 2018) can be used to address the risks and cybersecurity threats of smart services. Global threat intelligence feeds can be integrated into the Security Information and Event Management (SIEM) solution for cybersecurity event correlation and management (Tounsi & Rais, 2018).

(v) Laws and regulations: Addressing the requirements of national, local, or regional laws, regulations, and standards is a key need for smart service operation's compliance and reporting to authorities. Security of information systems, personal data protection, and secured access to data and services are some of the key regulatory compliance characteristics for smart city services (Weber & Žarko, 2019) that need attention and due diligence. Relevant references should be utilized as per need to identify the compliance requirements in smart services, such as the EU General Data Protection Regulation (GDPR, 2018), California Consumer Privacy Act (CCPA, 2018), and US Health Insurance Portability and Accountability Act (ASPE, 1996).
If these influencing factors are not addressed, monitored, and managed with relevant safeguards, then the security posture of the smart service's components and the system of systems running the smart city's services can become vulnerable to cyber threats and attacks.
At the technology level, a smart city's service can have a three-layered architecture (Figure 2) that comprises the sensor layer, communication layer, and the application layer. The sensor layer senses contextual data based on predefined context, and the communication layer receives these contextual data from the sensor layer and communicates to the application layer for analysis and action. Control data travels in reverse order from the application layer to the sensor to recalibrate the context for the desired output from this smart service.
If there is an unaddressed security vulnerability in one or more of these layers, then the holistic security of the smart service can be impacted. For critical smart services in a city, it can lead to multiple consequences such as loss of end users' trust in the smart service, reputational loss, financial damage, healthcare issues, human safety issues, regulatory noncompliance, and penalties (Industrial Internet Consortium, 2021).

SMART CITIES AND CYBERSECURITY RISKS
To understand the cybersecurity risks in a smart city's context and the impacts, it is essential to understand the related terminologies. An attempt has been made in this paper to map the relevant terminologies with corresponding definitions from ISO/IEC TS 27100:2020 standard (ISO, 2020) and NIST Computer Security Resource Center's Glossary (NIST, 2022b) and then explained in a smart city's context. As in Table 3, 'cyber' in the context of a smart city relates to information and communication networks of connected smart city services. The networks, services, systems, people, processes, organizations that are digitally interconnected in a smart city can be holistically termed as the 'cyberspace'. 'Cyber risks' in a smart city refer to the risk of dependency on systems and services in the smart city's cyberspace. 'Cyber risks' are different from 'cybersecurity risks'. While 'cybersecurity' in a smart city's context is about protecting the smart city's information systems, services, and people from cyber risks with adequate safeguards and overarching governance, the 'cybersecurity risks' relate to loss of confidentiality, integrity, or availability of information, data, information control systems, and applications that can adversely impact the citizens by impairing normal functionality of a smart city or its services. 'Cyber threat' is a potential cybersecurity incident that can disturb the normal functioning of a smart city service and can negatively impact the citizens. 'Cyber-attack' is a malicious attempt to exploit vulnerabilities in a smart city's cyberspace. 'Security assurance' is the measure of confidence that 'the set of intended security controls in an information system are effective in their application' (NIST, 2022a). 'Cybersecurity risk assurance' for smart cities can be defined as the actions to obtain a measure of confidence that the smart city's information systems are adequately safeguarded against cybersecurity risks with effective security controls. This measure of confidence can be built over time by smart city councils with material evidence of control effectiveness from an established internal audit function, periodic internal and external cybersecurity risk audits, and continuous improvement of security controls.

[Figure 2 layer labels: Sense, Communicate, Analyse and Act]
The COBIT framework (De Haes et al., 2020) refers to the Governance objective with three key actions: Evaluate, Direct, and Monitor. For cybersecurity risk governance in smart cities, it is necessary to have an oversight function enabled by the smart city council on the current state of control effectiveness in smart city's systems and services through continuous risk evaluation, direction for improvements, and risk monitoring. It is important to address the risks from emerging internal and external cybersecurity threats with appropriate direction to the teams managing the security posture. Continuous monitoring of the smart systems' operational performance is necessary from a cybersecurity perspective for agile risk response.
As we connect more devices and city services on the communication network, the threat surface for cyberattacks also increases manifold due to complexities in multiple layers of sensing, communication, context-based applications, and the operational dependencies on multiple stakeholders like developers of smart services and devices, providers of smart services, and end users. It is necessary to examine the security posture at each layer of a smart city service, identify the risks and challenges (Gharaibeh et al., 2017) that can arise from the current state, and then respond with appropriate strategies and solutions (Deep et al., 2022).
Effective reduction in security threats and risks is possible in smart environments if we implement control measures (Karie et al., 2021) with necessary assurance and conformance actions utilizing appropriate standards, policies, and procedures. Security governance is a key factor to address 'data theft, unauthorized data access, system breaches, virus-based attacks and other threats to operational integrity' (Ismagilova et al., 2022) of smart cities.
A cyberattack on the interconnected and interdependent smart services in cities can impact one or more critical services and a wide array of stakeholders in the city's digital ecosystem. Table 4 depicts the recent cyberattacks on city services across the globe and the impacted services. Data provided in Table 4 indicate the seriousness of the issue of cybersecurity and cyberattacks in smart cities that need immediate attention across all components of technology, processes, people, laws, and regulations.
Securing the smart service's communication network and mitigating a cyberattack to prevent it from cascading to other connected systems and services through the network (Braun et al., 2018) are key challenges. Hence, it is necessary to proactively recognize security threats from vulnerable IoT devices (Schiller et al., 2022), communication networks, sensitive data in storage or in use and in transmission, and from service-oriented smart applications. Periodic internal and external audits are necessary to comprehend the risk posture based on evolving security threats and to deploy the necessary controls. A study (Pierce & Andersson, 2017) based on the perception of decision makers from 25 mid-sized city municipalities across Europe highlighted the security of smart city infrastructure and data among key technical challenges that are concerning yet not fully acknowledged.

Table 4 Recent cyberattacks in smart cities across the globe and impact on city services (prepared by the authors).
Researchers (Kitchin & Dodge, 2019) found it paradoxical that smart city technologies are being promoted as risk-managed for efficient delivery of smart services, but these often expose the cities to new threats and vulnerabilities rendering the city services insecure. They did not find a single city that had systemic and enhanced oversight for secure deployment of smart city technologies. Others (Vitunskaite et al., 2019) have studied the governance approach and cybersecurity measures of Barcelona, Singapore, and London smart cities and have suggested a security by-design approach for smart cities based on compliance assurance from internal and external auditors. There is a need to establish 'capable guardian services' (Elmaghraby & Losavio, 2014) to mitigate security risks in smart city's systems.
The human dimension of cybersecurity is an important consideration for smart services due to the ethical implications it can have on our society (Von Solms & Van Niekerk, 2013). It is specifically significant for the security of critical smart services like the embedded smart health systems that can impact safety of the patients if defined functionality is prevented by security breaches due to design issues and end-users' lack of knowledge. EU Cybersecurity Act 2019/881 mandates "to promote concrete actions through good practices for citizens, organizations, and businesses in awareness, education, and cyber hygiene" (Hernandez-Ramos et al., 2020).
Smart cities should be treated as "modern day enterprise" because of the complexity of interactions and challenges of interdependencies (Bastidas et al., 2017) among the systems, various stakeholders, and smart services. Cybersecurity risks require enterprise-level treatment with overarching governance by smart city councils to provide a safe and trustworthy interplay between services and the stakeholders. Cybersecurity risks should be continuously identified, treated with appropriate control measures, and integrated into the enterprise risk management program of the smart city council for holistic evaluation, monitoring, and mitigation. Among the major frameworks and standards available in the current literature for risk management and assurance, NIST's Risk Management Framework (NIST, 2018) can be utilized to address cybersecurity risks in smart cities.

CYBERSECURITY RISK MANAGEMENT IN SMART CITIES UTILIZING NIST'S RISK MANAGEMENT FRAMEWORK
NIST's Risk Management Framework (NIST, 2018) provides a process-based approach to address the risks from cybersecurity, privacy, and cyber supply chain considering the 'effectiveness, efficiency and constraints' (NIST, 2020a). This framework provides the flexibility to analyze and decide on a risk mitigation strategy based on the risks identified from the information systems of an organization (Kohnke et al., 2016), which is a smart city council in its current context. Available publications on security and privacy control (AICPA ASEC, 2017; COBIT, 2018; GTAG, 2016; NIST, 2020b) and control baselines (COSO ERM, 2019; NIST, 2020c) can be tailored as per need for effective risk management. As shown in Figure 3, this framework is structured into a seven-step process of Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor, which are discussed here with relevance to cybersecurity risks in smart cities.
The first step for a smart city council is to 'prepare' for organizational readiness for managing the security and privacy risks. One of the essential outcomes of this step is the identification of key cybersecurity risk management roles in the city council. An organization-level risk management strategy should be established considering the smart services portfolio, the criticality and interdependency of these services, and the architecture and design of these services, and the risk tolerance limit should be determined considering potential cybersecurity breach scenarios and severity of impact both at the system level and on the service it caters to. A smart city has both information technology (IT) and operational technology (OT) components that are integrated as required for the smart service. Cybersecurity risk assessment of all critical information systems (IT and OT) is an important activity that will provide the cybersecurity risk posture in these systems and services. Based on this assessment, it is necessary to establish cybersecurity controls across people, processes, and technologies used for smart services and deploy appropriate tools and solutions for continuous security monitoring of smart systems.
If these essential preparatory activities are not conducted, then there can be consequences of cyberattacks and related impacts. For example, in 2018, a massive cyberattack on smart nation Singapore's citizen health-related database resulted in a data breach of 1.5 million patients (Tham, 2018). This cyberattack was attributed to infiltration of computers by hackers who utilized a vulnerable workstation that was infected by malware. Reviewing existing cybersecurity measures and deploying additional security safeguards were some post-incident recommendations that could have been proactively addressed with a process-based risk management approach.
Next, an impact analysis should be performed to 'categorize' the systems and information utilized by the smart services. It is necessary to perform system interdependency simulations and risk analysis for obtaining granular information about how a cyberattack on a system can impact the normal functioning of its dependent systems and the smart services. Cybersecurity risks can arise due to a variety of reasons such as interception of data-in-transit over wired or wireless networks, leakage or loss of confidential or personal identifier information while using smart services, and the possibility of unmonitored injection of Trojans or viruses into sensors and other devices used for rendering smart services. It is necessary for the smart city council to have a component protection strategy for agile risk analysis of the critical architectural components of interdependent systems.
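The dependency orders described for Figure 1 and the interdependency impact analysis called for in the 'categorize' step can be worked through on a small graph. The following Python code is an added example, not code from the paper; the edge list is a reading of the Figure 1 description, and the function names and the simple reachability model of propagation are assumptions of this example.

```python
from collections import deque

# Supply links read off the Figure 1 description (provider -> consumers).
# Node names and the edge list are this example's reading of the text.
SUPPLIES = {
    "smart grid": ["transport", "water treatment", "healthcare"],
    "transport": ["food"],
    "water treatment": ["water"],
    "healthcare": ["healthy citizens"],
    "food": ["workforce"],
    "water": ["workforce"],
    "healthy citizens": ["workforce"],
    "workforce": ["economic activity"],
}

# Reverse data flow from the text: consumption data sent to the grid
# for demand forecasting. These links close a loop back to the grid.
DATA_FEEDS = {
    "transport": ["smart grid"],
    "water treatment": ["smart grid"],
    "healthcare": ["smart grid"],
}


def dependency_orders(source, supplies=SUPPLIES):
    """Breadth-first search: order = fewest supply hops from `source`."""
    orders = {source: 0}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        for consumer in supplies.get(node, []):
            if consumer not in orders:
                orders[consumer] = orders[node] + 1
                queue.append(consumer)
    orders.pop(source)
    return orders


def impacted_by(compromised, isolated=(), supplies=SUPPLIES, feeds=DATA_FEEDS):
    """Systems an incident can reach over supply and data links.

    `isolated` models systems cut off from the network or protected by
    effective controls: they are not impacted and do not pass the
    incident on. Returns the impacted set, including `compromised`.
    """
    blocked = set(isolated)
    if compromised in blocked:
        return set()
    impacted = {compromised}
    queue = deque([compromised])
    while queue:
        node = queue.popleft()
        for neighbour in supplies.get(node, []) + feeds.get(node, []):
            if neighbour not in impacted and neighbour not in blocked:
                impacted.add(neighbour)
                queue.append(neighbour)
    return impacted


def rank_by_impact(isolated=()):
    """Rank each system by how many other systems its compromise reaches."""
    blocked = set(isolated)
    nodes = set(SUPPLIES) | {c for cs in SUPPLIES.values() for c in cs}
    sizes = {n: len(impacted_by(n, blocked)) - 1 for n in nodes - blocked}
    # Largest reach first; ties broken alphabetically for stable output.
    return sorted(sizes.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("Orders of dependency on the smart grid:")
    for name, order in sorted(dependency_orders("smart grid").items(),
                              key=lambda kv: (kv[1], kv[0])):
        print(f"  order {order}: {name}")
    print("Transport compromised, no containment:",
          sorted(impacted_by("transport")))
    print("Transport compromised, smart grid isolated:",
          sorted(impacted_by("transport", isolated={"smart grid"})))
    print("Ranking for categorization:", rank_by_impact())
```

Because the first-order services also feed consumption data back to the grid, an incident in any one of them reaches every other system in this model unless the grid is contained, which is why the ranking places them level with the grid itself.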
'Selecting', tailoring, and documenting the necessary controls is the next step for protecting the critical systems and services by adequately addressing the cybersecurity risks. The NIST publications can be utilized to identify appropriate control recommendations for risk mitigation (NIST, 2020b) and for developing a control baseline (NIST, 2020c) in alignment with the Risk Management Framework. Utilizing these references, Appendix 1 lays out 20 control families with the breakup of 1189 recommended controls. Due to the incorporation of 176 controls either into other controls or movement from a control family to another, the count of suggested controls is 1013. These can be tailored through a continuous review and approval process to be fit for purpose and to align these with system components with a continuous monitoring strategy.
Next, these identified and tailored controls should be 'implemented' as per the strategic plan for ensuring security and privacy of the systems and smart services. Due to the evolving cyber threat scenarios, changing regulatory needs, and user expectations, the risk profile for smart cities is also changing continuously. Hence, the controls and plan of actions should be adjusted to address these risks.
Ensuring control effectiveness through planned and periodic 'assessments' is the next step. It helps to ensure that the controls implemented are working properly and as intended to address cybersecurity risks and are achieving the desired outcome by meeting the cybersecurity needs of the systems and smart services. Based on the assessment outcome, time-bound remediation actions should be recommended to close the identified cybersecurity deficiencies or weaknesses.
If there is any security or privacy risk due to operation of a system or implementation of a control, then an officially accountable person should determine the appropriate risk treatment and have the authority to approve or deny the system from functioning and to retain or remove the implemented controls. For example, during the recent ransomware attack on Palermo's municipal services (Hope, 2022), the identified systems were isolated from the network to reduce the impact of attack and to contain its spread to other dependent systems and services. Such decisions require an accountable and authorized risk response based on the determined risk.
The immediate next step is to continuously 'monitor' the cybersecurity and data protection postures of smart systems and services and take risk management decisions based on situational awareness. The continuous monitoring strategy and control effectiveness assessments will help to report the current risk posture to the smart city council for appropriate authorizations on systems and other components in the control environment.
All these steps are cyclical to ensure a continuous risk-mitigated outcome for smart services and associated systems.

CYBERSECURITY RISK ASSURANCE IN SMART CITIES
NIST's catalog of recommended controls (NIST, 2020b) can be utilized by smart city councils to address cybersecurity and privacy risks in smart services. These controls are segregated into 20 control families, as in Appendix 1, and count more than a thousand to cover the risks at a granular level. Smart city councils can create an overarching mechanism of defining and deploying internal controls by tailoring them as per need from this catalog of controls and also by creating new controls as necessary to mitigate new and evolving cybersecurity risks. For example, the interdependency of systems can create new risks (Stine et al., 2020) in the smart service operation and these should be proactively identified. Hence, continuous registration of cybersecurity risks, effective internal and external audits, and proactive mitigation are of prime importance to ensure that smart services are secured and available. In this regard, a cyber risk governance strategy with supporting key risk indicators (KRIs) is provided in Appendix 2, as reference for smart city councils.
The COSO Internal Control Integrated Framework (COSO, 2013) recommends monitoring and evaluation 'to ascertain whether the components of internal control are present and functioning'. This is a vital activity for smart city councils that should be performed periodically 'to reduce the potential exposure to cyber risks' (Galligan & Rau, 2015). The control environment for smart services can be designed after due consideration of the systems, data flows, interdependencies, stakeholder needs, and regulatory compliance obligations. Control families provide a basis for setting up control environments that should be supplemented with continuous evaluation of the control effectiveness through audit and assurance functions to provide risk-managed smart services.
With the evolution of cyberattacks, new trends in cybersecurity defense are becoming popular. One such requirement is to address the possibilistic risk of attacks from adversaries with 'zero trust architecture' (Rose et al., 2020). Such a measure is very relevant for smart cities where we have networked devices, sensors, and critical smart applications, to ensure verification of both the access request and the requester before hand-shaking and trusted communication. Micro-segmentation of network architecture is a security by-design approach to enable zero trust.
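The decision described above can be sketched as a default-deny policy check; this is an added illustration, not code from the paper or from Rose et al. (2020). The device names, segment names, keys, and the HMAC-based requester check are all constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed enrolment data (hypothetical): per-device keys and home segments.
DEVICE_KEYS = {"meter-17": b"key-meter-17", "cam-04": b"key-cam-04"}
DEVICE_SEGMENT = {"meter-17": "smart-grid", "cam-04": "traffic"}
# Micro-segmentation: only these (source, destination, action) flows exist.
ALLOWED_FLOWS = {
    ("smart-grid", "grid-telemetry", "publish"),
    ("traffic", "traffic-control", "publish"),
}

@dataclass(frozen=True)
class AccessRequest:
    device_id: str
    dest_segment: str
    action: str
    nonce: bytes
    tag: bytes  # HMAC over the request fields, proving possession of the key

def sign(device_id, dest_segment, action, nonce, key):
    """MAC the request; fields are length-prefixed so they cannot be confused."""
    parts = [device_id.encode(), dest_segment.encode(), action.encode(), nonce]
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

def make_request(device_id, dest_segment, action, nonce, key):
    tag = sign(device_id, dest_segment, action, nonce, key)
    return AccessRequest(device_id, dest_segment, action, nonce, tag)

def decide(req, seen_nonces):
    """Verify the requester, then the request; anything not allowed is denied."""
    key = DEVICE_KEYS.get(req.device_id)
    if key is None:
        return (False, "unknown requester")
    expected = sign(req.device_id, req.dest_segment, req.action, req.nonce, key)
    if not hmac.compare_digest(expected, req.tag):
        return (False, "requester not verified")
    if req.nonce in seen_nonces:
        return (False, "replayed request")
    seen_nonces.add(req.nonce)
    flow = (DEVICE_SEGMENT[req.device_id], req.dest_segment, req.action)
    if flow not in ALLOWED_FLOWS:
        return (False, "flow not permitted between segments")
    return (True, "allowed")
```

A correctly authenticated smart-grid meter is still refused when it asks to publish into the traffic-control segment, which is the containment property micro-segmentation is meant to provide.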
It is essential for smart city councils to develop a risk-aware cybersecurity culture. The COSO Internal Control principles (COSO, 2013; COSO ERM, 2019) suggest establishing accountability within the organization for internal control responsibilities and decision-making. Deploying controls with approved policies and defined procedures is a recommended control activity for smart city councils to enable a robust cybersecurity control function. Validating and verifying the deployed controls through periodic internal and external audits will help to judiciously report the gaps in security architecture of the smart services, system vulnerabilities, process inefficiencies, people issues from a risk management capability perspective, and regulatory non-compliances to the key stakeholders for corrective action and continuous improvement in cybersecurity posture and risk response.

CONCLUSION
In this paper, we have attempted to address the need for cybersecurity risk management and assurance in smart cities by utilizing the NIST Risk Management Framework (NIST, 2018), relevant assurance standards, and control guidance. Through this approach, we have tried to answer the two research questions raised in the introductory section of this paper. Instead of the traditional way of risk treatments that are reactive and lack appropriate oversight and governance, this proposed approach can provide a holistic risk treatment by proactively identifying the risks from the systems providing the smart services, mapping the interdependencies of the system components, and determining potential impact from these risks on smart services and on the stakeholders. One of the motivations for this paper is the lack of contribution in research and literature for systems-based cybersecurity risk management of smart city's services. Our paper provides a relevant systems-based approach considering the recent cyberattacks on city services and the growing concern of this issue across the globe. It shows how the cybersecurity risks can be managed through a practice-based approach utilizing a risk management framework. Smart city councils can benefit from this research by identifying and managing cybersecurity risks with appropriate oversight and through the steps mentioned in this paper.
Future research opportunity lies in the case study of smart cities that manage cybersecurity risks as per the approach proposed in this paper, to estimate the risk-response effectiveness. It should be noted that in order to achieve successful results in this field, there is a need for synchronized global knowledge and experience sharing among smart cities for proactively identifying and addressing cybersecurity vulnerabilities in smart systems and services. We also need cooperation and coordination of global standardization and regulatory bodies that determine professional risk management and assurance standards, and cyber policies relevant for city councils, institutions, and nation states to address cybersecurity risks.

NOTE
1. Ransomware attack is defined as follows: 'It is common type of malware that blocks you from accessing your computer. It should be noted that access can be obtained if the ransom is paid, but there is no guarantee' (NCSC, 2022).

DISCLOSURE STATEMENT
No potential conflict of interest was reported by the author(s).