Class Test Revision Flashcards
What is the aim of systems and problem-solving?
To help you identify, understand, and reduce criminal risks in systems.
What is a system?
Systems are the combination of interacting elements organized to achieve one or more stated purposes.
How can we describe systems?
Systems can be simple and complex. In which simple systems has few elements, interactions and well-defined behaviour with little change over time; whereas complex systems is the opposite.
With many elements, interactions, probabilistic behaviours and evolution over time.
How can systems theory help security?
It can help by providing a holistic framework to understand and address security challenges by considering the interaction of various components and their impact on the overall system.
Why do systems matter for security? (Give 6 reasons)
- Systems can facilitate crime
- Systems can be (mis)used for crime
- Crime takes place within (eco)systems
- Systems can reduce crime
- Systems can be (mis)used to reduce crime
- Crime reduction takes place within (eco)systems
What is the difference between static and dynamic systems?
Static - The state of the system does not change, given the problem definition.
Dynamic - Any of the system’s properties changes, whether it concerns the content, structure, or attributes
What is emergence?
Emergence is the properties of the whole that the properties of constituent elements cannot solely explain.
What crime or security risks are there to occur in a system commonly?
Unauthorized access may tamper with the elements of the system. Serious consequences not only for the system but also for the stakeholders involved.
What is the difference between the content of a system and its structure?
Content of a system - the specific elements within the system
Structure - the way these elements are organized and interconnected to form the system as a whole
What are models, and why do we use them?
Model - In the POV of a given problem definition, a model is a simplified system to study another system.
We use them to help us understand what a system should do, actually does, and what a system might do in the future.
How is abstraction used in modeling?
An abstraction denotes the essential characteristics of an object and thus provides crisply defined conceptual boundaries, relative to the perspective of the user
How can we model systems?
Functional, behavioural, structural
In follow up to the ‘why models are used’ can you explain what are models for in a categorical manner? Mention 3.
Prescriptive - this is what a system should do
Descriptive - this is what a system actually does
Predictive - this is what a system might do in the future
How do we assess the usefulness of models?
All models are wrong, but some are useful.
Some models have the ability to accurately represent real world phenomena and their practical applicability is useful for providing insight.
What is a good model?
The justification is solely and precisely that is expected to work – that is, correctly to describe phenomena.
How can you tell if it is a good model?
A model can only be good (or bad) concerning a particular problem.
What are the 3 stages of abstraction?
Classification (group similar objects based on shared characteristics)
Aggregation (combines multiple elements into a single representation and reduces detail)
Generalization (identifies common patterns among various instances, making complex information more manageable)
What is the downside of abstraction?
Loss of information
What is the systems hiearchy?
Systems of systems –> Systems –> Subsystem –> Element
Name 3 type of models and their definition
Function(al) model - Captures the purpose(s) of the system in terms of the services/functions it provides to stakeholders in its operational environment
Behavioral model - Captures the interaction between system elements during the provision of its functionality
Structural model - Captures the architecture of the system in terms of the elements and their connections
What do activity, sequence, and state diagrams represent in behavioral models?
activity diag - flows of behavior
sequence diag - interaction/communication
state diag - possibilities
Why is the behavioral model typically not linear?
Because there are decision points, loops, and branches.
What do we mean by risk?
Risk is the effect of uncertainty on objectives. It can be positive, negative, or both and can address, create, or result in opportunities and threats.
How much risk is too much?
In terms of organization; the organziation should specify the amount and type of risk that it may or may not take, relative to objectives.
How can we understand risk?
Through risk management frameworks such as but not limited to ANSI, BS, ISO, NCSC, NIST Special Publication and etc.
How can we respond to risks?
By using the risk management process.
What is Kaplan and Garrick’s triple of risk elements?
- What events can happen?
- How likely are they to happen?
- What are the consequences if they do?
How is security and safety risk different?
Security risks are adaptive. As victims build stronger defences to protect against the latest threats, the threat actors in turn develop new ways of overcoming or bypassing those defences, and so on.
What is the downside of the term “risk”?
Its multiple and ambiguous usages persistently jeopardize the separation of the tasks of identifying and evaluating relevant evidence.
What is the Risk Assessment process in ISO Risk Management?
identification → analysis → evaluation
identification - find, recognize and describe risks that might help or prevent an organization achieving its objectives
analysis - a detailed consideration of uncertainties, risk sources, consequences, likelihood, events, scenarios, controls and their effectiveness
evaluation - comparing the results of the risk analysis with the established risk criteria to determine where additional action is required
What is risk source?
The element which alone or in a combination has the potential to give risk to risk
What is an event?
It is the occurrence or change of a particular set of circumstances.
What is the likelihood?
It is the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively
What is the consequence of an event?
It is the outcome of an event that can be certain or uncertain and can have positive or negative direct/indirect effects on objectives.
Control
Measure that maintains and/or modifies risk, including any process or practice.
What diagram can help in analysing risk?
Bow tie diagram
What is the difference between absolute and relative risk?
absolute risk describes the chance of an event happening over a specific time
relative risk describes how two risks compare (e.g., how much more or less likely a particular event is in one group compared with another)
What is risk evaluation?
Comparing the results of the risk analysis with the established risk criteria to determine where additional action is required
What are the 4 risk management strategies?
- Avoid risk by eliminating the source
- Transfer a risk by insurance
- Mitigate consequences of risk
- Accept a risk when it is not practicable to do otherwise
How can you mitigate the chance or the consequence of risk?
- Alter environment
- Change procedures
- Add fault tolerance
- Train responders
How can we understand developments in a system over time?
We may have though systems as being static but it changes over time.
New systems emerge or are created, existing systems change and systems die out
How does security relate to the system lifecycle?
Can be relevant to all stages of a system lifecycle.
Can be designed, built, operated and maintained (in)securely.
What is mission analysis?
Mission analysis is a structured process that involves evaluating the objectives and constraints of a particular mission to plan its execution effectively.
What is a system lifecycle?
It represents the conceptualization of a need for the system, its realization, utilization, evolution and disposal
What are the 6 stages of a system lifecycle?
- Concept - where you identify and explore needs + ideas
- Development - where you refine the requirement and build system
- Production - Produce system
- Utilization - Operate system to meet the users’ needs
- Support - to sustain the system capability
- Retirement - where you store or archive the system
What sort of decisions are made at each stage in a lifecycle?
Should we continue?
Should we move on?
Should we return/restart?
Should we pause?
Should we terminate?
Systems are designed, built and maintained using processes. What is the risk management process?
Mission - what is the problem
Stakeholder needs - What do different parties need to do
System requirements - What should a solution do to meet those needs?
Architecture - what should the structure of the solution system be?
Design - How should the elements of the solution system work?
What is difference between stakeholder needs and system requirements in the concept of risk management process for systems
In risk management, understanding stakeholder needs is crucial to ensure that the system addresses their concerns, while system requirements help quantify and design the system to meet those needs.
When can a system be compromised?
Through insecure production and poor operation, hence must be maintained securely.
Furthermore, it can only detect threats known when they were designed.
What is the difference between security and usability?
Security focuses on protecting systems from unauthorized access and damage, while usability concentrates on enhancing the user experience and making systems user-friendly.
Analogy: A computer without a password is usable but not very secure. Whereas a computer that makes you authenticate every hour or so can be very secure but unintuitive (i.e. not many would favour to use it)
