AbstractAnalogous to Industry 4.0, we have the advent of Construction 4.0, a transformative process wherein digital technology and digitalization affect every phase of the life cycle of construction projects, from the design and contracting phase to the construction, operation, maintenance, upgrade, and decommissioning ones. The progress of digitalization has been uneven, as has been the recognition of the new security environment in which the architecture, engineering, construction, and operation (AECO) industry operates. Hackers for profit, disloyal competitors, disgruntled insiders, or even state agents employing hybrid warfare all utilize cyber means to achieve goals that can disrupt processes, corrupt information, interrupt operations, and cause significant material damage or even loss of human life. Starting from recognizing the paucity of studies in this field, this paper analyzes the results from a survey on cybersecurity awareness in the AECO industry. The analyses employed statistical methods such as t-test, Spearman’s rank correlation test, and ANOVA to test the hypotheses formulated to answer the research questions of the study. The resulting data are commented upon and placed in the context of an evolving industry confronted with the shock of the new security environment, while also moving forward on Construction 4.0 as a creator of added value, new efficiencies, and new capabilities.IntroductionDigital technologies and the Fourth Industrial Revolution, or, in the construction industry context, Construction 4.0, provide many of the tools we use during the different phases of construction projects. In today’s digital environments, protection against cyberattacks is becoming a critical element. In 2016, the Harvard Business Review published an analysis of the degree of digitalization in various industries. At that time, construction was next to last, with only agriculture and industry being less digitalized in terms of assets, processes, and labor (Gandhi et al. 2016). The last few years have seen a significant change, even though it is not evenly distributed globally or within the industry. The digitalization and automation of the construction sector are positively transforming the way construction projects are planned, designed, executed, and operated. At the same time, this transformation increases construction projects’ vulnerability and makes the construction industry highly susceptible to cyberattacks. In particular, during the construction phase, the increased use of industrial control systems (ICS) for the operation of different equipment [e.g., tower cranes and three-dimensional (3D) printing] introduces cybersecurity risks of connecting operational technology (OT) to enterprise information technology (IT) systems and Internet of Things (IoT) devices, which have the potential to cause physical damage to the structures being built and the workers interacting with those systems (Sonkor and García de Soto 2021).The COVID-19 pandemic has created additional opportunities for malicious actors to infiltrate organizations. This unprecedented situation has forced organizations to adapt to business-as-unusual. According to Forrester (2020), two-thirds of the security and business executives that took part in an online survey in April 2020 indicated that they were very or extremely concerned that COVID-19-related workforce changes will increase their organizations’ level of risk. Their report also indicated that even though COVID-19 had been just months into 2020, 41% of respondents said that their organizations fell victim to pandemic-related malware or phishing—making it the number one mode of compromise.The number of cyberattacks will increase, which means that the cost of cybercrime will increase as well. The cybercrime cost is linked to business disruption, information loss, revenue loss, and damage to equipment. According to Accenture (2019a), the average total annual cost of cybercrime per company was $11.7 million in 2017 and increased to $13.0 million in 2018. The study also showed that the cost of all types of cyberattacks is increasing, with malware and web-based attacks being the most expensive in 2018 (annual cost of $2.6 million and $2.3 million, respectively). From 2017 to 2018, the fastest cost growth was related to malicious insider (+15%) and ransomware (+21%) attacks.Although cybersecurity in the construction sector has not received the attention it deserves (Mantha and García de Soto 2021), there have been several recent events focusing on that. For example, a group of experts had a panel about “Big Data Issues in Construction: Security, Integrity and Ownership” during the Construction Technology Festival–Online on October 21, 2020. In addition, ASCE Plot Points had a podcast with Professor Brad Allenby titled Should Civil Engineers Care about Cybersecurity? (Walpole 2020). Allenby indicated that as more information is built into our built environment and infrastructure (e.g., smart cities, buildings, and transportation systems integrated with sensors and IoT), the more vulnerable our systems become; therefore, there is a need to account for security aspects in civil engineering curriculums.Cybersecurity Aspects of Cyber–Physical SystemsSecurity concerns in the construction industry have particularly increased with the digitalization of construction. The umbrella concept for the digitalization of the construction industry and the built environment is known as Construction 4.0 (Klinc and Turk 2019). It is the construction version of Industry 4.0 (Marr 2018), a fourth major wave of innovation of the industry. The first wave was about mechanization, the second was about electrification and mass production, and the third was about automation. The key concept of Industry and Construction 4.0 is cyber–physical systems (CPS)—where the digital components of information, communication, sensors, and actuators are connected to the real world without a human interface. For example, it is not a human reading a digital blueprint and driving a grader; instead, the grader is self-driven and takes instructions on how and what to do from the computer cloud. This very concept dramatically increases the exposure to all kinds of malicious activities because the safety element of human common sense simply is not there anymore.Industry 4.0 is delivered by technologies such as the internet of people, IoT, cloud computing, robotization and sensor technology, cognitive computing, and the digital twin. The digital twin concept integrates them all—it is a digital replica of the facility used to store information about it and provides a basis for simulations and decision making. It extends building information modeling (BIM) technology from its original task of information exchange to the representation of the real world. Because of its crucial role, the main vectors of cyberattacks are expected to be aimed at the digital twin and its interfaces with the real, tangible world.Cybersecurity and the Construction IndustryThe construction industry is receiving increased attention and becoming an easy target for attacks. According to FireEye’s report (FireEye 2020), the construction/engineering industries have climbed the rank of targeted industries, from the eighth place in 2018 to the fifth place in 2019. The top three in 2019 were entertainment/media, financial, and government. Another trend is that employees of smaller organizations have been the increasing focus of email threats (such as spam, phishing, and email malware) compared with those in large organizations. This trend is concerning because the supply chain of construction projects is mostly composed of small and medium-sized enterprises (SMEs), which generally do not devote sufficient resources to IT and security. The 2019 Internet Security Threat Report (ISTR) (Symantec 2019) indicated that the construction industry was the third industry (after mining and wholesale trade), with a higher percentage of users targeted by malicious emails.The same report noted a 12% rise in enterprise ransomware infections in 2018, compared with a yearly fall of 20% in overall ransomware infections. Other important results from ISTR, which gathers information on cyberattacks, included a 78% rise in supply chain attacks, to which the architecture, engineering, construction, and operation (AECO) industry is particularly vulnerable. Another negative trend with a particular impact on the AECO industry is the rise of malicious email attachments, from 5% of the total in 2017 to 48% in 2018 (Symantec 2019). The security culture of AECO industry employees is lacking because of insufficient awareness and preparation on the part of company executives. The 2019 Cyber Risk Outlook report (Coburn et al. 2019) mentioned that “cyber–physical loss events” also lead to the “increasing propensity for cyber-induced business interruption,” which, in a complex operation such as a construction site, can escalate into a wider disruption with consequences to project timelines and costs. The reputational cost of cyber-induced disruptions should not be dismissed and may, indeed, become a prime motivator for attacks.At the same time, the ubiquity of cyber threats must also factor into the planning of executives and regulators; 40% of ICS came under attack during the first two quarters of 2018 (Coburn et al. 2019). Therefore, rather than preparing for the possibility of attack, the AECO industry must deal with the certainty of attack, with only the means, goals, and frequency being uncertain. Meanwhile, improving protection within individual entities may not be enough, as the 2019 Cyber Threatscape Report (Accenture 2019b) noted that “improvements to basic cybersecurity hygiene appear to be pushing cyberthreat actors to seek new avenues to compromise organizations, such as targeting their supply chains—including those for software, hardware and the cloud.” Given the high number of individual contractors and suppliers in a construction project, companies must pursue full awareness of their threat profiles, and project integrators/managers must make cybersecurity a priority.Table 1 presents some high-impact cyberattack examples during different phases of construction projects [e.g., construction and operation and maintenance (O&M)]. Under the leftmost column, the domain of the attack is categorized according to the affected assets: IT if the information was affected, or OT if physical assets were affected. Other columns included in the table are Year, Type of Cyberattack (e.g., ransomware, phishing, or denial of service), Project Participant Exploited (e.g., general contractor, designer, or facility manager), Project Phase (e.g., design, construction, or O&M), Summary of the Attack (i.e., further details of the attack), and References (i.e., the source of information).Table 1. High-impact cyberattack examples during different phases of construction projectsTable 1. High-impact cyberattack examples during different phases of construction projectsCategoryYearType of cyberattackProject participant exploitedProject phaseSummary of the attackReferencesIT2015PhishingGeneral contractorConstructionMore than €17 million were stolen from one of the subsidiaries of Finnish crane-maker, Konecranes. The company said perpetrators used identity theft and other methods to induce the subsidiary to make unwarranted payments.Reuters (2015)2016PhishingSupplier/vendorConstructionCentral Concrete Supply Co. Inc. fell victim to a phishing email that compromised the 2015 W-2 information of its employees.Jones (2016)2016PhishingGeneral contractorConstructionTurner Construction Company suffered a spear-phishing attack in which the names and social security numbers of current and ex-employees were inadvertently sent to a fraudulent email address.Jones (2016)2016UnknownSupplier/vendorConstructionHackers from Southeast Asia reportedly stole trade secret information from ThyssenKrupp earlier in 2016 from its plant engineering division and other divisions that had not yet been determined.Auchard and Käckenhoff (2016)2018UnknownGeneral contractorO&MHackers hit French firm, Ingérop, stealing 65 GB of data relating to nuclear power plants. Also, more than 11,000 files from a dozen projects were accessed. Attackers also stole personal details of more than 1,000 Ingérop employees.Cyware (2018)2020MalwareGeneral contractorConstructionBouygues Construction suffered a ransomware attack at the end of January 2020, forcing the company to shut down its systems worldwide.Korman (2020)2020Man-in-the-middle attackOwner/facility managerO&MBam Construct fell victim to an attack that led hackers to the firm’s corporate network. The malicious intruder encrypted files and demanded payment to gain access to them. At about the same time, Interserve suffered a major data breach. As many as 100,000 employees may have been affected by the attack. Authorities noted the possibility that the firms were targeted for their involvement in antipandemic efforts, such as converting buildings into hospitals, rather than for profit.Price (2020)OT2010MalwareOwner/facility managerO&MStuxnet computer worm affected the control systems and destroyed centrifuges in an Iranian nuclear plant in 2010.Hemsley and Fisher (2018)2012Denial of serviceOwner/facility managerO&MShamoon attack on Saudi Arabia’s national oil provider caused the inaccessibility of many computers and the destruction of content in many workstations.Hemsley and Fisher (2018)2015Denial of serviceOwner/facility managerO&MThe December 2015 Ukraine power grid cyberattack, considered the first known successful cyberattack on a power grid, affected 30 substations and left 225,500 customers without electricity for up to 6 h.Slowik (2019)2019Denial of serviceOwner/facility managerO&MThe power outage in June 2019 affected most of Argentina, all of Uruguay, and parts of Paraguay. The actual cause of this power outage is not yet known, and the possibility of being a cyberattack has not been discarded.BBC News (2019)2019Denial of serviceOwner/facility managerO&MUnidentified hackers disrupted the communication networks of a renewable energy provider, sPower, based in Utah. For several hours, the company was unable to communicate with dozens of its energy sites. This is the first known successful cyberattack against a US-based renewable energy provider and power grid operator.Lyngaas (2019)2021Man-in-the-middle attackOwner/facility managerO&MHackers accessed the control system of a water treatment plant in Oldsmar, Florida, and increased the amount of sodium hydroxide in the water to dangerous levels. The attack was discovered before it caused any harm to the public.Margolin and Pereira (2021)2021Ransomware attackOwner/facility managerO&MA hacker group named DarkSide accessed the networks of the largest fuel pipeline in the US, Colonial Pipeline, using a compromised password. The attackers shut off the pipeline, which caused a fuel outage until they received a $4.4 million ransom on May 12, 2021. It was the first time that the Colonial Pipeline was entirely shut down in its 57-year history.Turton and Mehrotra (2021)Necessity of this StudySeveral generic cybersecurity reports showed high-level information about the impacts to some industries (e.g., ISACA 2019; CPR 2020; FireEye 2020; Accenture 2018; CyberEdge 2020; Coburn et al. 2019; Symantec 2019; ITRC 2019). Moreover, a few academic publications that focused on the cybersecurity aspects of the construction industry have been published in recent years. For example, Mantha and García de Soto (2019) proposed a cybersecurity risk identification framework and evaluated the vulnerabilities of traditional (e.g., design–bid–build) and hybrid (e.g., integrated project delivery) delivery methods in construction. Mutis and Paramashivam (2019) investigated the cybersecurity challenges that result from the integrated use of BIM and cloud computing in construction projects. Mantha and García de Soto (2020) proposed using the Common Vulnerability Scoring System in construction networks and implemented it in a real project as a proof of concept. Alshammari et al. (2021) reviewed the literature on IoT use in the built environment and the cybersecurity implications of digital twins. Finally, Turk et al. (2022) developed a construction-specific framework to help analyze cybersecurity problems and plan future actions to provide robust cybersecurity.The previously mentioned publications present growing research interest in the cyberthreats against built environments and construction projects. However, to the best of the authors’ knowledge, there are no publicly available surveys focusing on cybersecurity-related issues for the AECO industry. An exception is a report by AECOM (AECOM 2018) that included a couple of elements related to cybersecurity. They surveyed 509 civil infrastructure professionals. They asked about the likelihood of certain events occurring in the next 5 years; over 68% of the participants responded that it was fairly likely or almost certain that hackers may interfere in different ways with infrastructure. 61% thought that it was fairly likely or almost certain that cyber events may cause death or serious injury (Fig. 1). The report also indicated thatNorth American infrastructure professionals feel better prepared than their international counterparts to manage a growing cyberthreat. Two-thirds (66%) of US and Canadian survey respondents believe the industry is well placed to meet the threat of cyberterrorism, compared with 54% of the Asia-Pacific participants and 35% of those based in Europe (AECOM 2018).The report further indicated that “around one-third of industry leaders believe a major cyberattack is almost certain to happen in the near future” and that “to support economic growth and social prosperity, future-proofing and protection against cyber and physical attack are essential” (AECOM 2018). AECOM’s survey provided valuable information about the cybersecurity concerns of senior decision makers in the civil infrastructure sector. However, its primary purpose was not to assess the awareness level, and it did not cover different seniority levels from different subsectors of the AECO industry. Instead, it focused on a particular field and suggested future directions for resilient infrastructure solutions.Research Questions and HypothesesThe rise in cyberattacks (e.g., phishing and ransomware infections) against the AECO industry and the magnitude of the potential losses in the event of a successful attack—as summarized in the previous subsections—necessitate a deeper understanding of the existing cybersecurity awareness in the industry and academia. The potential results of cyberattacks include financial (e.g., ransom paid to the attackers or wiring money to a fraudulent bank account), reputational, personal (e.g., stolen personal identification and tax information), and physical (e.g., hijacked equipment causing injuries on construction sites) damages and losses. Improved cybersecurity preparedness, which is directly related to awareness, can minimize such adversaries and combat cybercrime. In order to have an insight into the level of cybersecurity awareness in the AECO industry and answer the following research questions, a survey has been conducted. The main and sub research questions (annotated as RQ) and the corresponding hypotheses (annotated as H) are presented in Table 2. The definitions of the terms, such as low, which might refer to different values in different contexts, are provided in the “Statistical Analysis to Test the Hypotheses” section.Table 2. Research questions and hypothesesTable 2. Research questions and hypothesesResearch questionsHypothesesRQ1. What is the level of awareness of the existing cybersecurity frameworks/standards in the AECO industry?H1. The awareness level of different frameworks/standards in the AECO industry is low.RQ1.1. Are there significant differences among the awareness levels of different frameworks/standards?H1.1. There are no significant differences among the awareness levels of different frameworks/standards.RQ1.2. Are there significant differences in awareness levels of different frameworks/standards among regions?H1.2. There are significant differences in awareness levels of different frameworks/standards among regions.RQ1.3. Is there a correlation between (1) seniority and awareness levels of different frameworks/standards, and (2) company size and awareness levels of different frameworks/standards?H1.3. There is a correlation between (1) seniority and awareness levels of different frameworks/standards, and (2) company size and awareness levels of different frameworks/standards.RQ2. What is the AECO employees’ level of awareness of their organizations’ cybersecurity plans?H2. The AECO employees’ level of awareness of their organizations’ cybersecurity plans is low.RQ2.1. Are there significant differences in the AECO employees’ levels of awareness of their organizations’ cybersecurity plans among regions?H2.1. There are significant differences in the AECO employees’ levels of awareness of their organizations’ cybersecurity plans among regions.RQ2.2. Is there a correlation between (1) employees’ seniority and awareness of their organizations’ cybersecurity plans, and (2) company size and employees’ awareness of their organizations’ cybersecurity plans?H2.2. There is a correlation between (1) employees’ seniority and awareness of their organizations’ cybersecurity plans, and (2) company size and employees’ awareness of their organizations’ cybersecurity plans.RQ3. What is the level of cybersecurity concern in the AECO industry?H3. The level of cybersecurity concern in the AECO industry is high.RQ3.1. Are there significant differences in cybersecurity concerns among regions?H3.1. There are significant differences in cybersecurity concerns among regions.RQ3.2. Is there a correlation between (1) employees’ seniority and cybersecurity concerns, and (2) company size and cybersecurity concerns?H3.2. There is a correlation between (1) employees’ seniority and cybersecurity concerns, and (2) company size and cybersecurity concerns.This study can be considered the first published survey of this nature and extent in the construction sector. The origin of this survey started in February 2020 during the First Workshop on Cybersecurity Implications of Construction 4.0 that took place at New York University Abu Dhabi (NYUAD), bringing together a group of colleagues interested in this topic to discuss the cybersecurity implications to the AECO industry caused by Construction 4.0 (i.e., the digitalization and automation of the construction sector). The ultimate goal was to define a research agenda to address the cybersecurity implications of Construction 4.0. During the workshop, relevant topics (e.g., blockchain, critical infrastructures, CPS, cybersecurity, security frameworks, smart construction sites, and threat modeling) were discussed, and a round-table discussion led to identifying critical elements and defining a research agenda. An outcome of the workshop was the development of this survey. The results of that survey are presented in this paper.About the SurveyThis section provides a general overview of the purpose and structure of the survey and key elements related to its development.Objectives of the SurveyThe main purpose of the survey was to get a better understanding of the cybersecurity implications in the AECO industry due to the digital transformation. Specifically, the objectives included gaining insights into the current awareness of cybersecurity among the researchers and industry professionals, perceived cybersecurity-related threats, actors, and impacts, as well as the readiness of the industry to react to cyber events. The survey was done using Qualtrics made available through the New York University DataServices. All the responses were anonymized, and the information provided was kept confidential.Survey StructureThe survey consisted of three parts. The first one and the last one were related to information about the participant. It included basic demographics such as country of operation, main industry, sectors (e.g., general building, transportation, power, or water supply), as well as the size of the organization. Part three asked about the job level of the participants, their number of years in their role, and whether they would be interested in participating in future research or follow-up. The second part was broken down into three sections. One focused on the awareness of cybersecurity to gauge the main concerns of the participants. Important elements included the awareness of existing cybersecurity frameworks and the most relevant threats and attacks for the construction sector. Another was aimed at getting information about the potential damage and impact of Construction 4.0 from the cybersecurity perspective. The last section allowed participants to provide any insights, comments, opinions, or suggestions related to the cybersecurity implications of Construction 4.0. A schematic structure of the survey is provided in Table 3. The complete questionnaire used in the survey has been made available in a repository (García de Soto et al. 2021).Table 3. Main elements and structure of the surveyTable 3. Main elements and structure of the surveyDifferent parts of the surveyDefinition1Demographics of participants’ organization2Cybersecurity awareness and concerns3Job level and seniority of participants/future involvementDistribution of the SurveyThe online survey was made available in May 2020 and was closed in September 2020. The survey was sent to professional and academic networks from the authors. The survey was also made available through LinkedIn, targeting relevant groups, such as members from ASCE’s Construction Institute and the International Association for Automation and Robotics in Construction (IAARC). It was also sent to construction organizations such as the Associated General Contractors of America (AGC), the European Network of Construction Companies for Research and Development (ENCORD), the European Construction Industry Federation (FIEC), the European International Contractors (EIC), the Spanish Confederation of Construction (CNC) (Spanish acronym for “Confederación Nacional de la Construcción”), and the Portuguese Federation of Construction Industry and Public Works (FEPICOP) (Portuguese acronym for “Federação Portuguesa da Indústria da Construção e Obras Públicas”).Survey ResponsesA total of 281 individuals clicked on the link to open the survey. Of those, 169 (60%) actively participated in Part 1, and 130 (46%) completed all portions of Part 2. A summary of the answers to the different parts of the survey is provided in this section. Due to the content of Parts 1 and 3, they have been shown together in this paper.Parts 1 and 3: Demographics of the ParticipantsParts 1 and 3 gathered general information about the organization of the participants as well as the participant’s role and seniority in the organization. Based on the responses provided, the main offices of participants’ organizations were in the US (36%), followed by Spain (11%), the United Arab Emirates (10%), and the UK (7%). Other countries included Hungary (5%), India (4%), Switzerland (3%), Australia, France, and Peru (2%). The following had 1% of the participants (each) Albania, Algeria, Austria, Barbados, Belgium, Bolivia, Canada, Chile, Colombia, Ecuador, Germany, Ghana, Greece, Haiti, Hong Kong, Iraq, Italy, Lebanon, Luxembourg, Netherlands, New Zealand, Nigeria, Philippines, Portugal, Romania, and Singapore. Participation by geographic regions—based on the World Bank’s regional classification—is shown in Fig. 2.In total, 56% of the participants worked in organizations with over 250 full-time employees, 15% in organizations with 50–249 full-time employee, 14% in organizations with 10–49 full-time employee, and 15% in organizations with fewer than 10 full-time employees. Regarding the job level of the participants, 33% of the participants were senior, executive, or top-level management, followed by manager/advisor (31%), middle-level management/director (26%), entry-level positions (7%), and others (mostly researchers/academic titles) (3%) [Fig. 3(a)].The main industries (vertical) of the participants’ organizations are shown in Fig. 3(b). The majority (57%) were related to the AECO industry. The main activities concerning the AECO industry are summarized in Fig. 3(c).To further classify the different sectors of the participants, the categorization by Engineering News-Record (ENR) was used, which ranges from general building to hazardous waste. Different sectors used in this study, some examples of these sectors, and the number of participants from each sector are shown in Fig. 4. The main sectors were general building and transportation.Part 2: Cybersecurity Awareness and ConcernsPart 2 focused on the awareness of cybersecurity to gauge the main concerns of the participants. It can be divided into three sections: (1) general cybersecurity awareness and preparedness (e.g., awareness of existing cybersecurity frameworks and the most relevant threats and attacks for the construction sector), (2) information about the potential damages and impacts, and (3) general comments or suggestions (insights from the participants).General Cybersecurity Awareness and PreparednessSome cybersecurity frameworks have been developed to improve organizations’ security. Arguably, the most relevant frameworks to the construction industry are the Framework for Improving Critical Infrastructure Cybersecurity version 1.1 by the National Institute of Standards and Technology (NIST) (NIST 2018), the Network and Information Systems (NIS) Directive by the European Union (EU 2016) (with a proposed NIS2 Directive published in December 2020 that would replace the NIS Directive) (EC 2020), Publicly Available Specification (PAS) 1192-5:2015 Specification for Security-Minded Building Information Modelling, Digital Built Environments and Smart Asset Management (BSI 2015) [replaced by ISO 19650-5:2020 (ISO 2020)], and Code of Practice (CoP) for Cyber Security in the Built Environment by the Institution of Engineering and Technology (IET) (Boyes 2014).Unfortunately, many of these frameworks are generally unknown to the construction community. To confirm this presumption, we asked the participants about their familiarity with those frameworks (i.e., NIST, NIS, PAS, and IET/CoP) as they relate to the built environment. The responses are shown in Fig. 5. As can be seen, on average, 46% of the participants had never heard of the provided frameworks, whereas 5% of the participants were very familiar with them. The familiarity with the NIST framework was slightly higher than the others—29% were somewhat or very familiar. Contrarily, the familiarity with PAS 1192-5 was at lower levels—50% had never heard of it. Fig. 5 also shows that despite slight variations, the distribution of participants’ familiarities with four different frameworks were highly similar.When asked about their concern about cybersecurity in the AECO industry, the majority of participants (84%) indicated that they were somewhat or significantly concerned (Fig. 6). However, only a bit over one-third (39%) of the participants worked in organizations with a cybersecurity plan in place (Fig. 7). Furthermore, 11% indicated that their organization was not contemplating developing one; however, 69% of those participants specified that the organization would benefit from a cybersecurity plan.When looking at the relationship between the respondents’ concern about cybersecurity and the use of a cybersecurity plan in their organizations (Fig. 8), it can be observed that the majority of those in organizations with cybersecurity plans were the ones that are significantly concerned about cybersecurity in the AECO industry. It is also interesting that 35% of the respondents did not know if their organizations had a cybersecurity plan in place, which can be interpreted as a lack of general awareness in the sector and shows that AECO organizations do not have cybersecurity as one of their priorities.About two-thirds (63%) of those with a cybersecurity plan in place reported that the plan was fully operational, and 29% indicated that it was partially operational. About one-third (31%) of the cybersecurity plans were based on the NIST framework (NIST 2018), 10% on the NIS directive (EU 2016), 10% on PAS 1192-5 (BSI 2015), and 4% on the CoP by IET (Boyes 2014). One-third (33%) did not know which national or international protocol or protocols had been used for the development of their organization’s cybersecurity protocol, and 13% indicated that they were based on other frameworks or standards, with ISO/International Electrotechnical Commission (IEC) 27001 (ISO/IEC 2013) and MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) (MITRE 2022) being the most common.Almost half of the participants (46%) that had a cybersecurity plan in place indicated that it was for preventive and/or proactive measures, and 20% indicated they had one as a competitive advantage (i.e., to provide better services or increase client value perception) (Fig. 9).In addition to the cybersecurity plan, when asked whether their organization had an emergency plan to deal with cybersecurity breaches, about half of the participants (47%) indicated that they did. However, 18% indicated that the organization did not have any emergency plan, and 35% did not know or were not sure about it.To get an insight into the participant’s concerns about possible attacks, we asked them to rank different cyberattacks in relation to their potential impact on the AECO industry. The ranking scale varied from 0 to 5, with 0 being the lowest concern and 5 being the highest. The cyberattacks considered are given in Table 4, and the summary of the responses is in Fig. 10.Table 4. Different cyberattacks to be ranked by participants based on their potential impact on the AECO industryTable 4. Different cyberattacks to be ranked by participants based on their potential impact on the AECO industryCyberattackExample/definitionComputer viruses/malware (CV)Malicious software, including spyware, ransomware, viruses, and wormsPhishing (PH)Emails with malicious links, infected attachments, or tricking users into providing sensitive or confidential informationMan-in-the-middle attack (MitM)In unsecured Wi-Fi, attackers can insert themselves between a visitor’s device and the networkDenial-of-service attack (DoS)Used to exhaust resources and bandwidth. As a result, the system is unable to fulfill legitimate requestsAttack vectors (AV)Used to gain access to a computer or network in order to infect it with malware or harvest dataFrom Fig. 10, it can be seen that computer viruses (CV), phishing (PH), and attack vectors (AV) had the highest level of concern (Level 5) with 51%, 45%, and 43%, respectively. Remarkably few participants ranked these attacks on the lower side of the scale (0 or 1). This result could be potentially due to the high familiarity with these three cyberattacks and their brief description provided to the survey respondents. For example, PH and CV are among the most common kinds of attacks that everyone is familiar with on a day-to-day basis. In addition, the description of AV is also one of the most commonly suggested types of attacks by financial institutions such as banks and credit unions to prevent credit card or debit account fraud. Although survey respondents did not regard the denial-of-service (DoS) and man-in-the-middle (MitM) attacks as equally concerning as the other type of attacks, more than 54% of the respondents thought that both these types of attacks have at least a concern level of 4. One of the reasons for a lesser concern compared with others was possibly the lower familiarity and lack of understanding of the extent and the impact of these attacks.Participants were asked to provide their view on what they would consider the most relevant sources of cyberattacks to the AECO industry. They were presented with the sources listed in Table 5 and asked to rank them from 0 to 5, with 0 being the least relevant and 5 being the most.Table 5. Different sources of cyberattacks (actors) to the AECO industry to be ranked by participantsTable 5. Different sources of cyberattacks (actors) to the AECO industry to be ranked by participantsSources of cyberattacks (actors)ExampleSingle internal individuals (SI)Internet protocol (IP) breaches, enemy withinSingle external individuals (SE)Lone wolvesInternal groups or coalitions (IG)Contractual breaches, enemies withinExternal groups (EG)Competitors, organized crimeState actors and proxies (SA)GovernmentsFrom Fig. 11, it can be seen that around 51% of the respondents believed that external groups (EG) had high levels of concern (Level 4 and above). On the other hand, a much lower level of concern (45% for Level 2 and below) was raised for internal groups or coalitions (IG) causing the cyberattacks. This is reasonable and understandable given the amount of confidence anyone has in other colleagues or the employer’s confidence in its employees. However, it is interesting that almost 20% of the respondents raised a Level 5 concern (highest level) for single internal individuals (SI). This could potentially be because of past experience with cybersecurity incidents such as internal data leaks.Information about the Potential Damages and ImpactsWhen the participants were asked whether their direct work or their organization as a whole had been affected by a cybersecurity-related incident, more than half (57%) indicated that their direct work had not been affected (27% for their organization as a whole). Only 20% responded that their direct work had been impacted (27% for their organization as a whole). Meanwhile, 23% did not know or were not aware of whether their work had been affected by a cybersecurity-related incident (36% for their organization as a whole) (Fig. 12).The impacted participants were asked to describe the nature of the cybersecurity-related incident or incidents to whatever extent possible, especially highlighting its/their type and implications. Some participants indicated that they fell victim to phishing attacks in which email accounts were used for massive email sending that compromised social security numbers and personal information. Other participants indicated that they suffered DoS attacks, mostly caused by faulty Wi-Fi routers.Other participants indicated that they were victims of ransomware attacks in which the attacker encrypted their data and demanded payment using bitcoin. In some cases, participants indicated that the attack disrupted business processes leading to a financial loss. Some of the remarks regarding the attacks are provided in Table 6.Table 6. Comments about cybersecurity-related incidents experienced by survey participantsTable 6. Comments about cybersecurity-related incidents experienced by survey participantsParticipantParticipants’ experience with cybersecurity-related incidentAnonymous participant 1“We had a ransomware attack that effectively shut our organization down. A ransom was paid with bitcoins, and access keys were sequentially provided to regain control. A third of our PCs were not restorable. Full recovery took approximately 3 to 4 weeks.”Anonymous participant 2“A third party from overseas gained access to our server, following a makeover of our architecture. The attack was realized within hours, and the architecture was altered to close the open door. It was an oversight during the system overhaul that permitted the attack.”Anonymous participant 3“I suffered a phishing attack, which resulted in a loss of productivity. The organization has suffered enterprise attacks shutting down essential services.”Anonymous participant 4“We found a malicious file in our server, but we never knew what really happened or the source of the file. Our understanding was that our information had been compromised.”Anonymous participant 5“Hackers invaded the webserver from the organization replacing the website and hacking into our corporate email system.”Anonymous participant 6“In a medium-sized construction company […], hackers used company executives’ emails, impersonated themselves as the executives (by using their real emails), contacted clients, and asked for a change in bank account associated with jobs. This resulted in over $2 M money sent to wrong accounts, of which only half recovered.”Anonymous participant 7“There was a network intrusion. Some non-critical files were found elsewhere. The source was unknown.”General Comments or Suggestions (Insights from Participants)The integration of new technologies and the digitalization of the AECO industry are quickly evolving. Although there are many benefits to that, there are also new cybersecurity implications and risks. Some of the participants’ insights, comments, opinions, or suggestions concerning the cybersecurity implications of Construction 4.0 will now be presented and discussed. The responses were summarized in two parts; first, the issues and concerns related to cybersecurity, and second, the potential ways to minimize and mitigate these concerns.A respondent suggested that cybersecurity is increasingly becoming a concern due to the recent COVID-19 pandemic and the remote-working model. In addition, this respondent also mentioned the need for internal and external cybersecurity plans given the nature of communication within (i.e., existing employees) and outside (i.e., subcontractors, clients, installers, and testers) the organization. Another respondent mentioned the negative impact of a past ransomware attack on the morale of the company and self. This response clearly reflects the indirect implications of cyberattacks. Lastly, a respondent raised concerns about the responsibility and ownership of breaches being unclear. For example, if an attack occurred due to the inconsistencies of an architect, but the implications were on the owner and the contractor, who should bear the responsibility?A respondent believed that moving forward, construction should adopt a zero-trust model (i.e., no one can be trusted), which also aligns with the responses to the questions regarding the sources of cyberattacks. That is, 20% of the respondents raised a Level-5 concern for the source of the cyberattacks as single internal individuals. One of the respondents suggested the incorporation (and collaboration) of cybersecurity and IT experts during the planning stages to minimize or eliminate cybersecurity-related incidents during the design, construction, and O&M phases. Interestingly, another respondent suggested developing a comprehensive yet easily understandable and implementable cybersecurity plan or protocol regardless of the knowledge and expertise level of the individual implementing it. Another respondent believed that the key to addressing cybersecurity concerns is to safeguard private data by imposing data access restrictions. One of the respondents was hopeful that cybersecurity standards would become a standard moving forward, as was the case in other industries such as telecommunications. Some of the comments and suggestions from the participants are presented in Table 7.Table 7. Participants’ comments, opinions, or suggestions related to the cybersecurity implications of Construction 4.0Table 7. Participants’ comments, opinions, or suggestions related to the cybersecurity implications of Construction 4.0ParticipantParticipants’ comments, opinions, or suggestionsAnonymous participant 1“As Internet of Things (IoT) is driving the digital and industrial revolution within construction, but also across other markets, the fact cyber and IT security is key for successful implementation, operation, and maintenance is becoming more paramount. Today, not only physical security but also converged security, including cyber, is more of the baseline for mitigating risk. Also, as networks and data are also becoming part of the cloud, the cyber security process, policies, and standards are also becoming more globally recognized. Similar to how ITU standards became part of the telecommunications 1–2 decades ago, similar international standards will also become more typical for the next decade.”Anonymous participant 2“The security protocol and plan should be accessible and easily applicable for every employee. Everybody should easily understand it and get comfortable with the use of it, regardless of the person’s knowledge about cyberspace and/or modern technics.”Anonymous participant 3“In light of the recent pandemic, the issue of working remotely has moved to the forefront of our cybersecurity concerns. While in the past members of our team have worked remotely, in recent months this has become nearly 100% of our staff. This recent way of working heightens the need for even more robust cybersecurity while still permitting us to function efficiently.”Anonymous participant 4“There are large organizations, such as British Land, who have invested significant efforts to establish best practices and require vendors to comply with their requirements. These standards include many references to published guidelines, including but not limited to: ISO 9001, ISO 9003, ISO 27001, NIST, CIS, PCI DSS, and COBIT Supplier Code of Conduct, Bribery and Corruption Policies. The implication of cybersecurity cannot be overstated. The prevalence of “Freemium” Apps and technologies pose a significant risk for data breaches, loss of security, and personal freedom.”Anonymous participant 5“I don’t think the extent of cyber security threats in construction is known-overall. Based on my experience on job sites, cyber security issues on job sites are not taken seriously at all. Even when I answered the survey, the security breaches on the job sites did not concern me as much as cyber security issues related to financials/corporate. However,-in reality-bringing more robots and autonomous machines to job sites makes cyber security issues on job sites enormously important.”Analysis and Survey Findings (Interpretation and Discussion)In the previous sections, direct findings from the survey were presented to provide the overall picture. This section analyzes participants’ responses to the survey questions to answer research questions, test the hypotheses, and discover other results that cannot be directly understood. ANOVA, t-test, Spearman’s rank correlation test, and Scheffe post hoc analysis were employed to address the research questions. Moreover, several charts were created, and the connections and synergies were investigated. These connections were used when making interpretations and providing the related findings.Scoring the ResponsesFor several questions, the responses were scored using numerical values to be able to make comparisons and employ some statistical analysis methods such as ANOVA and box and whisker plot (boxplot). The questions that were numerically scored and the scores assigned to each answer are presented in Table 8. The authors are aware that the numerical scores provided in Table 8 are subjective and cannot accurately represent the participants’ responses due to the qualitative nature of the survey questions and answers. These scores are assigned just for the sake of further analysis and comparison that requires the use of numerical values.Table 8. Original answer options from the survey and their numerical equivalents used in the analysisTable 8. Original answer options from the survey and their numerical equivalents used in the analysisQuestionOptionsAre you concerned about cybersecurity in the AECO industry?No = 0Maybe a little = 1Yes, somewhat = 2Yes, significantly = 3Are you familiar with any of the following cybersecurity protocols and their application to the built environment?Never heard of it = 0Not familiar, but aware of it = 1Somewhat familiar = 2Very familiar = 3Is your organization’s cybersecurity operational?No, the plan is not operational = 0Yes, the plan is partially operational = 1Yes, the plan is fully operational = 2Does your organization have a cybersecurity plan?aI don’t know = 0All other answers = 1What is the size of your organization?bLesser than 10 (micro) = 110–49 (small) = 250–249 (medium) = 3Over 250 (large) = 4What is your level of seniority in your organization?bEntry-level/staff and manager/advisor = 1cMiddle-level management/director = 2Senior, executive, or top-level management = 3Statistical Analysis to Test the HypothesesThis section provides the results of the statistical analyses performed to test the hypotheses presented in Table 2. The statistical methods ANOVA, t-test, and Spearman’s rank correlation test were employed based on the tested hypotheses. IBM’s statistical analysis software, SPSS Statistics 22.214.171.124, was used for conducting these tests.Answers to RQ1Test for H1: Awareness Level of Different Frameworks/Standards in the AECO Industry is LowIn order to test the claim that the awareness level of different frameworks/standards in the AECO industry is low (Hypothesis H1 in Table 2), t-tests were performed. There were four different options to answer the related question in the questionnaire: (1) never heard of it; (2) not familiar, but aware of it; (3) somewhat familiar; and (4) very familiar. These options were scored as 0, 1, 2, and 3, respectively, as indicated in Table 8. The term low in the hypothesis refers to a mean lower than 1. A total of 133 participants provided their awareness level scores for each four protocols. Therefore, the overall sample size was 532 for the statistical tests conducted to analyze the overall awareness of cybersecurity protocols. The mean of the awareness level considering all the provided frameworks/standards was 0.83.The one-tailed one-sample t-test conducted considering all the given cybersecurity protocols revealed that the overall awareness level was significantly low at the confidence level of 95%; t(532)=−4.446 and p<0.001. When looking at each framework/standard, it was found that the means of the awareness levels for the NIST framework, NIS Directive, CoP by IET, and PAS 1192-5 were 1.00, 0.81, 0.74, and 0.75, respectively. One-tailed one-sample t-tests conducted for each cybersecurity protocol revealed that the awareness level of the NIST framework was not significantly low at the confidence level of 95%; t(132)=0 and p=0.50. On the other hand, the awareness levels of the NIS Directive [t(132)=−2.439 and p=0.008], CoP by IET [t(132)=−3.680 and p<0.001], and PAS 1192-5 [t(132)=−3.242 and p<0.001] were significantly low at the confidence level of 95%. This result shows that the survey participants are more familiar with the NIST framework compared with the other three cybersecurity protocols.Test for H1.1: There are No Significant Differences among the Awareness Levels of Different Frameworks/StandardsIn order to test the claim that there are no significant differences among the awareness levels of different frameworks/standards (Hypothesis H1.1 in Table 2), a one-way ANOVA test was conducted. ANOVA revealed that there are no significant differences among the awareness levels of different cybersecurity protocols at the confidence level of 95%; F(3,528)=2.385 and p=0.068. Therefore, even though the participants were more familiar with the NIST framework, as shown in the previous paragraph, it was not significantly higher than the other protocols. Moreover, the participants were not significantly more/less familiar with any of the provided protocols.Tests for H1.2: There are Significant Differences in Awareness Levels of Different Frameworks/Standards among RegionsIn order to test the claim that there are significant differences in awareness levels of different frameworks/standards among regions (Hypothesis H1.2 in Table 2), a one-way ANOVA test was run. Regions were grouped into three categories to balance the number of participants from each group: Europe and Central Asia (N=46), North America (N=56), and Others (N=31). ANOVA revealed that there is a significant difference in the overall awareness levels of the given cybersecurity protocols among regions at the confidence level of 95%; F(2,529)=9.002 and p<0.001.In order to understand which region groups are different from each other, a post hoc analysis was conducted. Because the sample sizes of different region groups were not equal, a Scheffe test was conducted instead of Tukey. The Scheffe post hoc analysis revealed that North America [n=224, μ=1.02, and standard deviation (SD)=0.966] has a significantly higher level of awareness of the given frameworks/standards than both Europe and Central Asia (n=184, μ=0.69, and SD=0.773) and Others (n=124, μ=0.68, and SD=0.924).Then, individual ANOVA tests for each different protocol were conducted to see the changes in awareness levels of each protocol among regions. ANOVA showed a significant difference in awareness levels of the NIST framework among regions at the confidence level of 95%; F(2,130)=11.986 and p<0.001. The Scheffe post hoc analysis revealed that North America (n=56, μ=1.46, and SD=1.008) has a significantly higher level of awareness of the NIST framework than both Europe and Central Asia (n=46, μ=0.65, and SD=0.766) and Others (n=31, μ=0.68, and SD=1.013). For other protocols (i.e., NIS, IET, and PAS), ANOVA revealed that there is no significant difference in awareness levels among regions at the confidence level of 95%.Test for H1.3: There is a Correlation between (1) Seniority and Awareness Levels of Different Frameworks/Standards, and (2) Company Size and Awareness Levels of Different Frameworks/StandardsIt was hypothesized that the level of seniority and size of the organization would have an impact on the awareness levels of cybersecurity frameworks/standards. In order to examine the relationships between (1) seniority and awareness levels of different frameworks/standards; and (2) company size and awareness levels of different frameworks/standards (Hypothesis H1.3 in Table 2), Spearman’s rank correlation tests were run. According to the test results, there was no sufficient evidence to support the claim that there is a correlation between seniority and overall awareness levels of the provided frameworks/standards (rs=0.055, n=504, and p=0.219) at the confidence level of 95%. Moreover, there was no sufficient evidence to support the claim that there is a correlation between company size and awareness levels of the provided frameworks/standards (rs=0.033, n=532, and p=0.450).Then, individual tests for each different protocol were conducted. According to the results of the individual tests, there was no sufficient evidence to support the claim that there is a correlation between seniority and awareness levels of the NIST framework (rs=0.113, n=126, and p=0.207), NIS Directive (rs=0.115, n=126, and p=0.201), CoP by IET (rs=0.017, n=126, and p=0.849), and PAS 1192-5 (rs=−0.025, n=126, and p=0.780) at the confidence level of 95%. Moreover, there was no sufficient evidence to support the claim that there is a correlation between company size and awareness levels of the NIST framework (rs=0.008, n=133, and p=0.925), NIS Directive (rs=0.056, n=133, and p=0.521), CoP by IET (rs=0.085, n=133, and p=0.331), and PAS 1192-5 (rs=−.012, n=133, and p=0.888) at the confidence level of 95%. Therefore, it is not statistically possible to state that the awareness levels of the given protocols are correlated with the seniority or company size.Answers to RQ2Test for H2: AECO Employees’ Level of Awareness of Their Organizations’ Cybersecurity Plans is LowIn order to test the claim that the AECO employees’ level of awareness of their organizations’ cybersecurity plans is low (Hypothesis H2 in Table 2), a t-test was performed. There were five different options to answer the related question in the survey: (1) I don’t know; (2) No, and we are not contemplating to develop one; (3) No, but we are contemplating to develop one; (4) Yes, but NOT BASED on national or international protocols; and (5) Yes, developed BASED on national or international protocols. The first option was scored as 0, whereas all other options were scored as 1, as indicated in Table 8. The term low in the hypothesis refers to a mean lower than 0.75. The mean of all collected answers (N=133) is 0.65. One-tailed one-sample t-tests revealed that the AECO employees’ level of awareness of their organizations’ cybersecurity plans was significantly low at the confidence level of 95%; t(132)=−2.485 and p=0.007. This result shows that a significant portion (i.e., significantly more than 25% in this case) of the participants did not know whether their company has a cybersecurity plan or not.Test for H2.1: There are Significant Differences in the AECO Employees’ Levels of Awareness of Their Organizations’ Cybersecurity Plans among RegionsIn order to test the claim that there are significant differences in the AECO employees’ levels of awareness of their organizations’ cybersecurity plans among regions (Hypothesis H2.1 in Table 2), a one-way ANOVA test was run. Regions were grouped into the same three categories with the same number of participants as the previous subsection. ANOVA revealed that there were no significant differences in awareness levels among regions at the confidence level of 95%; F(2,130)=1.981, and p=0.142. Therefore, none of the three region groups’ participants have a significantly higher awareness of their organizations’ cybersecurity plans than the participants of the other region groups.Test for H2.2: There is a Correlation between (1) Employees’ Seniority and Awareness of Their Organizations’ Cybersecurity Plans, and (2) Company Size and Employees’ Awareness of Their Organizations’ Cybersecurity PlansIn order to examine the relationships between (1) employees’ seniority and awareness of their organizations’ cybersecurity plans, and (2) company size and employees’ awareness of their organizations’ cybersecurity plans (Hypothesis H2.2 in Table 2), Spearman’s rank correlation tests were run. According to the test results, there was sufficient evidence to support the claim that there is a correlation between employees’ seniority and awareness of their organizations’ cybersecurity plans (rs=0.175, n=126, and p=0.050) at the confidence level of 95%. Therefore, the result shows that as seniority increases, the awareness of cybersecurity plans also increases. However, there was not sufficient evidence to support the claim that there is a correlation between company size and employees’ awareness of their organizations’ cybersecurity plans (rs=−0.131, n=133, and p=0.133) at the confidence level of 95%. These results show that the participants with higher seniorities are significantly more aware of their organizations’ cybersecurity plan. However, this awareness does not significantly change as the company size increases or decreases.Answers to RQ3Test for H3: Level of Cybersecurity Concern in the AECO Industry is HighIn order to test the claim that the level of cybersecurity concern in the AECO industry is high (Hypothesis H3 in Table 2), a t-test was run. There were five different options to answer the related question in the questionnaire: (1) I don’t know/never thought about it; (2) No; (3) Maybe a little; (4) Yes, somewhat; and (5) Yes, significantly. The first option was not considered in the scoring and following analyses. The remaining options were scored as 0, 1, 2, and 3, respectively, as detailed in Table 8. The term high in the hypothesis refers to a mean higher than 2. The mean of all collected answers (N=135) was 2.37. According to the one-tailed one-sample t-test results, the level of cybersecurity concern in the AECO industry is significantly high at the confidence level of 95%; t(134)=5.734 and p<0.001. In other words, the overall cybersecurity concern of the survey participants was not low (i.e., higher than expected before the analysis).Test for H3.1: There are Significant Differences in Cybersecurity Concerns among RegionsIn order to test the claim that there are significant differences in cybersecurity concerns among regions (Hypothesis H3.1 in Table 2), a one-way ANOVA test was conducted. Regions were grouped into the same three categories as the previous subsections: Europe and Central Asia (N=47), North America (N=57), and Others (N=31). ANOVA showed that there are significant differences in cybersecurity concerns among regions at the confidence level of 95%; F(2,132)=8.386 and p<0.001. The Scheffe post hoc analysis showed that North America (n=57, μ=2.61, and SD=0.648) had a significantly higher level of cybersecurity concern than Europe and Central Asia (n=47, μ=2.04, and SD=0.721). On the other hand, there was no significant difference between North America and Others (n=31, μ=2.42, and SD=0.807) and no significant difference between Europe and Central Asia and Others. These results show that the participants from North America had the highest and the participants from Europe and Central Asia had the lowest concern among the three analyzed region groups. Moreover, these two groups’ concerns were significantly different from each other.Test for H3.2: There is a Correlation between (1) Employees’ Seniority and Cybersecurity Concerns, and (2) Company Size and Cybersecurity ConcernsIn order to examine the relationships between (1) employees’ seniority and cybersecurity concern, and (2) company size and cybersecurity concern (Hypothesis H3.2 in Table 2), Spearman’s rank correlation tests were performed. According to the test results, there is enough evidence to support the claim that there is a correlation between employees’ seniority and cybersecurity concerns (rs=0.383, n=121, and p<0.001) at the confidence level of 95%. Therefore, the result shows that as seniority increases, cybersecurity concerns also increase. However, there was no sufficient evidence to support the claim that there is a correlation between company size and cybersecurity concern (rs=0.135, n=135, and p=0.119) at the confidence level of 95%. Therefore, the company size does not have a significant effect on the employees’ concern.A summary of the results for the different hypotheses tested to answer the different research questions is provided in Table 9.Table 9. Summary of results for the hypotheses tested to answer research questions based on the answers provided by survey participantsTable 9. Summary of results for the hypotheses tested to answer research questions based on the answers provided by survey participantsHypothesis number (from Table 2)Null hypothesisAlternative hypothesisResultH1H0:μ≥1H1:μ<1 (original claima)• Reject the null hypothesis for the overall cybersecurity protocol awareness.• Fail to reject the null hypothesis for the NIST framework.• Reject the null hypothesis for the other cybersecurity protocols.H1.1H0:μ1=μ2=μ3=μ4 (original claim)H1: At least one mean is different.Fail to reject the null hypothesis.H1.2H0:μ1=μ2=μ3H1: At least one mean is different. (original claim)• Reject the null hypothesis for the overall cybersecurity protocol awareness.• Reject the null hypothesis for the NIST framework.• Fail to reject the null hypothesis for the cybersecurity protocols.H1.3 (a)H0: There is no correlationH1: There is a correlation (original claim)• Fail to reject the null hypothesis for the overall cybersecurity protocol awareness.• Fail to reject the null hypothesis for each cybersecurity protocol.H1.3 (b)H0: There is no correlationH1: There is a correlation (original claim)• Fail to reject the null hypothesis for the overall cybersecurity protocol awareness.• Fail to reject the null hypothesis for each cybersecurity protocol.H2H0:μ≥0.75H1:μ<0.75 (original claim)Reject the null hypothesis.H2.1H0:μ1=μ2=μ3H1: At least one mean is different. (original claim)Fail to reject the null hypothesis.H2.2 (a)H0: There is no correlationH1: There is a correlation (original claim)Reject the null hypothesis.H2.2 (b)H0: There is no correlationH1: There is a correlation (original claim)Fail to reject the null hypothesis.H3H0:μ≤2H1:μ>2 (original claim)Reject the null hypothesis.H3.1H0:μ1=μ2=μ3H1: At least one mean is different. (original claim)Reject the null hypothesis.H3.2 (a)H0: There is no correlationH1: There is a correlation (original claim)Reject the null hypothesis.H3.2 (b)H0: There is no correlationH1: There is a correlation (original claim)Fail to reject the null hypothesis.Other Analyses and InterpretationsWhereas the previously shown statistical analyses tested the hypotheses and answered the research questions, the analyses in this section provide additional interpretations by handling the answers of several survey questions together. The interpretations were made based on the charts shown in Figs. 13 and 14.Details of the ChartsIn Figs. 13(a–c), responses to two different categorical questions (i.e., questions from Parts 1 and 3 of the survey) and the numerical equivalents of the answers to the question “Are you concerned about cybersecurity in the AECO industry?” are presented together. For example, Fig. 13(a) shows the cybersecurity concerns of the participants from different seniority levels and company sizes in a combined manner. Therefore, it is possible to see the change of concern for each seniority within each company size. The positive correlation between the seniority level and cybersecurity concern (H3.2) was statistically confirmed by employing Spearman’s rank correlation test in the previous section.The information in Fig. 13 is presented using the boxplot method, and the visualization was created using Tableau version 2021.2 software. A regular boxplot visualization with distinct upper/lower hinge, upper/lower whisker, and median values can be seen in Fig. 13(a), where Middle-Level Management/Director and Less than 10 (micro) intersect. In this intersection, the boxplot shows that the median value (i.e., the line that divides the box into two parts) is 2.00. To calculate the hinges, Tableau uses Tukey’s method (Tableau 2019), which has been explained in detail by Baldwin (2017). For the mentioned intersection in Fig. 13(a), the upper hinge was 2.50, the lower hinge was 1.50, the upper whisker was 3.00, and the lower whisker was 1.00.In the charts in Fig. 13, on top of all statistical values presented by the boxplot method, arithmetic means of the response scores are also shown. For example, in Fig. 13(a), the average score for the cybersecurity concern of the participants that are in Manager/Advisor positions and working in 10–49 (small) companies is 2.40 out of 3.00. Moreover, the charts in Fig. 13 show the density of the participants’ answers for different intersections of the questions using darker or lighter shades for the circles—darker shades mean higher participation. For example, in Fig. 13(b), the circle corresponding to Senior, Executive or Top-Level Management participants from North America has the darkest shade, which indicates the highest number of participants for the intersection of these two criteria.Another critical point to consider is the low or zero participation for some intersection points on the charts. For example, Fig. 13(c) shows that there were no Entry-Level/Staff participants from East Asia and Pacific, Latin America and Caribbean, and South Asia regions. Even for the intersection points with relatively higher participation, the limited overall participation for the survey was borne in mind. Therefore, the interpretations and findings from this study should not be generalized to the whole AECO community. Instead, the purpose was to shed light on the potential cybersecurity issues in the AECO industry and discuss possible solutions for the identified problems and gaps.Fig. 13(d) summarizes the participants’ responses to the question “Is your organization’s cybersecurity operational?” for different company sizes. The answers are shown using boxplots and circles with different color densities depending on the participation. Fig. 14 shows the distribution of the answers for different seniority levels for the questions “Has your direct work been affected by a cybersecurity-related incident?” [Fig. 14(a)], “Has your organization as a whole been affected by a cybersecurity-related incident?” [Fig. 14(b)], and answers for different company sizes to the questions “Does your organization have any emergency plan to deal with cybersecurity breaches?” [Fig. 14(c)] and “Does your organization have a cybersecurity plan?” [Fig. 14(d)].Analysis of the Charts and InterpretationsFig. 13(b) shows that in all different regions, Senior, Executive, or Top-Level Management participants had the highest concern about cybersecurity in the AECO industry, whereas Entry-Level/Staff participants had the lowest concern. The statistical analysis to test the Hypothesis H3.2 conducted in the “Statistical Analysis to Test the Hypotheses” section supports this correlation between seniority and cybersecurity concern. In Figs. 14(a and b), we can see that Senior, Executive, or Top-Level Management participants and their organizations had been affected the most by cybersecurity-related incidents. In contrast, Entry-Level/Staff participants’ direct work had never been affected. Therefore, the percentages of being affected and concern levels can be correlated for different seniority levels.Moreover, Fig. 13(c) presents that, on average, Senior, Executive, or Top-Level Management participants had the highest overall familiarity with all different cybersecurity protocols provided, whereas Entry-Level/Staff participants had the lowest overall familiarity. These findings may indicate that higher familiarity with cybersecurity protocols, more experience with cybersecurity incidents in the past, and as a result, higher awareness bring higher concerns about cybersecurity in the AECO industry.Fig. 13(a) provides another finding showing that particularly Entry-Level/Staff participants working in companies with over 250 employees have the lowest concern among all different company size and seniority combinations. Larger companies registered higher percentages of the presence of a cybersecurity plan [Fig. 14(d)], higher percentages of emergency plans to deal with cybersecurity breaches [Fig. 14(c)], and having more operational cybersecurity plans [Fig. 13(d)], which may indicate that better cybersecurity practices prevent lower seniority levels from being exposed to cyber incidents. Therefore, lower seniority levels in larger companies might be less aware of possible cyberattacks because they are already protected with more robust cybersecurity defense systems, and as a result, are less concerned about cybersecurity. However, the actions of all different levels of employees have critical roles in providing robust protection against cyberattacks and breaches because a chain is only as strong as its weakest link. For this reason, all companies, regardless of their size and existing protection mechanisms, should pay enough attention to training their employees from all levels for cybersecurity awareness.Conclusions, Limitations, and Future DirectionsAccelerating digitalization in the AECO industry enables increasingly efficient work environments in all phases of construction projects. Moving project data into digital storage (i.e., common data environments) and employing CPS to achieve optimum time, quality, and cost raise cybersecurity concerns, as they did in other digitalized industries. This study aimed to understand to what extent the AECO professionals and researchers are aware of the rising cybersecurity issues and the extent to which they are prepared for the potential upcoming threats. For this purpose, a cybersecurity awareness survey was conducted by the authors from May to September 2020. A total of 281 people participated in the survey, and 130 of them completed Part 2, which involved questions related to cybersecurity awareness and concerns. The limited number of participants was kept in mind when making analyses and interpretations using the survey results. Therefore, no generalizations for the whole AECO industry were made based on this survey’s results. Instead, the purpose was to discover potential gaps in the industry concerning the awareness and knowledge of cybersecurity and make suggestions to improve the status quo.The analysis of the survey responses revealed that almost half of the participants (46% on average) had never heard of the provided internationally recognized cybersecurity frameworks (Fig. 5), and 35% of the participants did not know if their organization had a cybersecurity plan or not. These results indicate a general lack of awareness toward cybersecurity frameworks/standards and their use in organizations. The vast majority of the participants (84%) indicated that they were somewhat or significantly concerned about cybersecurity in the AECO industry; however, only 39% indicated that they had a cybersecurity plan in place in their organizations. Therefore, it shows that even though the employees are concerned about cybersecurity, it is not currently the priority of construction companies.Statistical analyses that employed ANOVA, t-test, Spearman’s rank correlation test, and Scheffe post hoc analysis were conducted to answer the research questions and test the hypotheses given in the “Introduction” section. These analyses revealed that although the awareness levels of the NIS Directive, CoP by IET, and PAS 1192-5 cybersecurity protocols were significantly low, the awareness of the NIST framework was not. Particularly in North America, the awareness level of the NIST cybersecurity framework was significantly higher than in the other regions. Moreover, the statistical tests showed that the AECO employees’ level of awareness of their organizations’ cybersecurity plans was significantly low. However, this awareness increased together with the increasing level of seniority according to Spearman’s rank correlation test.Lastly, the analyses showed that the AECO employees were significantly concerned about cybersecurity. The concern level was the highest in North America among all different region groups considered in the analyses, and it had a positive correlation with seniority. More in-depth analyses that combined several different aspects from the survey showed the lack of concern among the entry-level employees, especially in large companies. This result can be correlated with the entry-level employees’ lack of prior cyber incident experiences and the higher level of security protection in larger companies decreasing employees’ exposure to cyber threats.There are several lessons learned from the survey results and previous cyberattack examples. Even though there is increasing concern over cybersecurity among AECO employees, a deeper understanding of the potential outcomes, cyberattack types, and the ways to avoid cyber incidents is missing. The general lack of awareness of the existing cybersecurity frameworks and standards that the survey showed supports this statement. Another observation based on the survey results is the relatively lower cybersecurity awareness and concern among junior employees. The awareness of entry-level employees decreases even more as the company size increases. Among many other examples, the Colonial Pipeline attack where the hackers accessed the control system using a compromised password used by an employee (Turton and Mehrotra 2021) and disrupted one of the largest pipelines in the US shows the importance of cybersecurity awareness at all levels of organizations. Therefore, an employee’s seniority cannot be an excuse for lower awareness, particularly for critical infrastructures. Finally, a decrease in the employed cybersecurity measures and exercises was observed as the organization size becomes smaller, which can be explained by the lower budgets of such companies.In the light of the findings and aforementioned lessons learned, future directions for the industry and academia are provided as follows. Organizations in the AECO industry should take immediate actions to train their employees for cybersecurity awareness and start developing a strong cybersecurity culture to be prepared for increasing cyber threats. These training sessions should be conducted at all levels of the organization regardless of the employees’ seniority level and the years spent in the organization. Because construction projects are usually composed of many SMEs, cybersecurity plans should be a norm among relatively smaller AECO organizations as well. However, considering the relatively limited budget of SMEs, the cost aspect of hiring cybersecurity professionals or third-party consultants should be born in mind.Cybersecurity-related actions can be expected to follow a similar path to BIM, i.e., initially started to be involved in large-scale organizations’ processes and became more widespread among SMEs in the following years. The industry should be aware that not only the confidential data and IT systems but also OT and control systems that are increasingly utilized during the construction and O&M phases of the projects are threatened by malicious actors. Cybersecurity frameworks addressing both IT and OT aspects, such as the NIST cybersecurity framework, might be adapted to the conditions of construction work environments. Best practices for cybersecurity from other industries that are ahead of the construction industry in digitalization might be valuable sources for implementing new protective measures. Some of these best practices include organizing cybersecurity training sessions regularly, phishing the employees regularly to keep them alert against phishing attacks, and performing penetration testing either by the organization’s cybersecurity team or by a third-party provider.Even though the actions taken by the industry are critical, the role of academia cannot be ignored to improve the overall cybersecurity level. Researchers working on adapting new technologies in construction environments should keep the cybersecurity implications in mind. For example, if a researcher is working on automating site progress monitoring using a robot and laser scanner, potential cybersecurity vulnerabilities of the equipment used should be included in the proposal. Moreover, as the digital transformation of the industry accelerates, more research focusing on solving construction-specific cybersecurity challenges is required. Currently, most of the cybersecurity research is conducted by computer science academics; however, we can expect more construction researchers to shift their focus on cybersecurity-related topics in the following years, such as has happened in other technological domains such as automation and artificial intelligence—in the beginning, they were not considered within the construction research scope.There are several limitations of taking the previously suggested actions for the industry and academia. The first limitation is the lacking awareness and preparedness, as shown in detail in this study. A better understanding of the threats, vulnerabilities, and mitigation methods is required before expecting decision makers and researchers to follow the suggested directions. Secondly, there is a lack of construction-specific cybersecurity frameworks developed by prominent institutions. Such frameworks help identify the current cybersecurity level of the organization, set targets, and develop cybersecurity strategies that are aligned with the budget and priorities of the company. Finally, as shown in the survey results, not all companies are motivated to prioritize cybersecurity and allocate a budget for related expenses. To overcome this limitation, governments can impose cybersecurity requirements on contractors tendering for government projects. It can be a starting point for establishing more resilient and secure construction environments.The contribution of this work to the literature on digitalization of the construction industry is twofold: (1) it gauged the cybersecurity awareness and preparedness within the industry by conducting a survey—which is the first of its kind—and presented the results; and (2) based on the survey results, it suggested immediate actions for the industry and academia to move toward more secure and resilient construction environments. Therefore, the authors expect (1) the AECO decision makers to benefit from the suggestions in this study while developing their organizational cybersecurity strategy; and (2) academics to benefit from the survey results by having an insight into the current cybersecurity awareness in the AECO industry and directing their attention to this area of research or keeping cybersecurity in mind while proposing the use of new technologies in construction.Data Availability StatementSome or all data, models, or code generated or used during the study are available in a repository online in accordance with funder data retention policies. The repository can be found at https://doi.org/10.17605/OSF.IO/SWVCD.AcknowledgmentsPart of this work was conceived during the 1st Workshop on Cybersecurity Implications of Construction 4.0 (CIC4-2020) that took place in New York University Abu Dhabi (NYUAD). The workshop was organized by the S.M.A.R.T. Construction Research Group and generously funded by the NYUAD Institute. The authors thank the participants from the industry and academia all over the world for taking their time to fill out the questionnaire. Without their contribution, this study would not have been possible. The authors also thank Onur Korkmaz for his valuable suggestions on data analysis. Special thanks also to the Center for Cyber Security at New York University Abu Dhabi (CCS-NYUAD) for their support.References Alshammari, K., T. Beach, and Y. Rezgui. 2021. “Cybersecurity for digital twins in the built environment: Current research and future directions.” J. Inf. Technol. Construct. 26 (Apr): 159–173. https://doi.org/10.36680/j.itcon.2021.010. Boyes, H. 2014. Code of practice for cyber security in the built environment. London: Institution of Engineering and Technology. BSI (British Standards Institution). 2015. Specification for security-minded building information modelling, digital built environments and smart asset management. PAS 1192-5:2015. London: BSI. Coburn, A. W., J. Daffron, K. Quantrill, E. Leverett, J. Bordeau, A. Smith, and T. Harvey. 2019. “Cyber risk outlook.” Centre for Risk Studies, University of Cambridge, in collaboration with Risk Management Solutions, Inc. Accessed July 26, 2021. https://www.jbs.cam.ac.uk/wp-content/uploads/2020/08/crs-cyber-risk-outlook-2019.pdf. EU (European Union). 2016. “Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. In Official Journal of the European Union.” Accessed August 10, 2021. http://data.europa.eu/eli/dir/2016/1148/oj. García de Soto, B., Ž. Turk, A. Maciel, B. Mantha, A. Georgescu, and M. S. Sonkor. 2021. “Data used for ‘Understanding the significance of cybersecurity in the construction industry: Survey findings’.” Open Science Framework (OSF). Accessed September 16, 2021. https://doi.org/10.17605/OSF.IO/SWVCD. ISO. 2020. Organization and digitization of information about buildings and civil engineering works, including building information modelling (BIM)—Information management using building information modelling—Part 5. ISO 19650-5:2020. Geneva: ISO. ISO/IEC. 2013. Information technology – security techniques – information security management systems – requirements. ISO/IEC 27001:2013. Geneva: ISO/IEC. Klinc, R., and Ž. Turk. 2019. “Construction 4.0–Digital transformation of one of the oldest industries.” Econ. Bus. Rev. 21 (3): 393–410. https://doi.org/10.15458/ebr.92. Mantha, B. R. K., and B. García de Soto. 2019. “Cyber security challenges and vulnerability assessment in the construction industry.” In Proc., Creative Construction Conf., 29–37. Budapest, Hungary: Budapest Univ. of Technology and Economics. https://doi.org/10.3311/ccc2019-005. Mantha, B. R. K., and B. García de Soto. 2020. “Assessment of the cybersecurity vulnerability of construction networks.” Eng. Constr. Archit. Manage. 28 (10): 3078–3105. https://doi.org/10.1108/ECAM-06-2020-0400. Mantha, B. R. K., and B. García de Soto. 2021. “Cybersecurity in construction: Where do we stand and how do we get better prepared.” Front. Built Environ. 7 (May): 612668. https://doi.org/10.3389/fbuil.2021.612668. Mutis, I., and A. Paramashivam. 2019. “Cybersecurity management framework for a cloud-based BIM model.” In Advances in informatics and computing in civil and construction engineering, edited by I. Mutis and T. Hartmann, 325–333. Cham, Switzerland: Springer. NIST. 2018. Framework for improving critical infrastructure cybersecurity v1.1. Gaithersburg, MD: NIST. Turk, Ž., B. García de Soto, B. R. K. Mantha, A. Maciel, and A. Georgescu. 2022. “A systemic framework for addressing cybersecurity in construction.” Autom. Constr. 133 (Jan): 103988. https://doi.org/10.1016/j.autcon.2021.103988.