Class Test Revision Flashcards

1
Q

What is the aim of systems and problem-solving?

A

To help you identify, understand, and reduce criminal risks in systems.

2
Q

What is a system?

A

Systems are the combination of interacting elements organized to achieve one or more stated purposes.

3
Q

How can we describe systems?

A

Systems can be simple or complex. Simple systems have few elements and interactions, and well-defined behaviour with little change over time; complex systems are the opposite, with many elements and interactions, probabilistic behaviours and evolution over time.

4
Q

How can systems theory help security?

A

It can help by providing a holistic framework to understand and address security challenges by considering the interaction of various components and their impact on the overall system.

5
Q

Why do systems matter for security? (Give 6 reasons)

A
  1. Systems can facilitate crime
  2. Systems can be (mis)used for crime
  3. Crime takes place within (eco)systems
  4. Systems can reduce crime
  5. Systems can be (mis)used to reduce crime
  6. Crime reduction takes place within (eco)systems
6
Q

What is the difference between static and dynamic systems?

A

Static - The state of the system does not change, given the problem definition.
Dynamic - Any of the system’s properties changes, whether it concerns the content, structure, or attributes

7
Q

What is emergence?

A

Emergence refers to properties of the whole that cannot be explained solely by the properties of its constituent elements.

8
Q

What crime or security risks commonly occur in a system?

A

Unauthorized access, which may be used to tamper with the elements of the system. This can have serious consequences not only for the system but also for the stakeholders involved.

9
Q

What is the difference between the content of a system and its structure?

A

Content of a system - the specific elements within the system
Structure - the way these elements are organized and interconnected to form the system as a whole

10
Q

What are models, and why do we use them?

A

Model - From the point of view of a given problem definition, a model is a simplified system used to study another system.

We use them to help us understand what a system should do, actually does, and what a system might do in the future.

11
Q

How is abstraction used in modeling?

A

An abstraction denotes the essential characteristics of an object and thus provides crisply defined conceptual boundaries, relative to the perspective of the user

12
Q

How can we model systems?

A

Functional, behavioural, structural

13
Q

Following up on why models are used: what are models for, by category? Mention 3.

A

Prescriptive - this is what a system should do
Descriptive - this is what a system actually does
Predictive - this is what a system might do in the future

14
Q

How do we assess the usefulness of models?

A

All models are wrong, but some are useful.

Some models can accurately represent real-world phenomena, and their practical applicability makes them useful for providing insight.

15
Q

What is a good model?

A

The justification is solely and precisely that it is expected to work – that is, correctly to describe phenomena.

16
Q

How can you tell if it is a good model?

A

A model can only be good (or bad) concerning a particular problem.

17
Q

What are the 3 stages of abstraction?

A

Classification (group similar objects based on shared characteristics)

Aggregation (combines multiple elements into a single representation and reduces detail)

Generalization (identifies common patterns among various instances, making complex information more manageable)

18
Q

What is the downside of abstraction?

A

Loss of information

19
Q

What is the systems hierarchy?

A

Systems of systems → Systems → Subsystem → Element

20
Q

Name 3 types of models and their definitions

A

Function(al) model - Captures the purpose(s) of the system in terms of the services/functions it provides to stakeholders in its operational environment

Behavioral model - Captures the interaction between system elements during the provision of its functionality

Structural model - Captures the architecture of the system in terms of the elements and their connections

21
Q

What do activity, sequence, and state diagrams represent in behavioral models?

A

Activity diagram - flows of behavior
Sequence diagram - interaction/communication
State diagram - possibilities

22
Q

Why is the behavioral model typically not linear?

A

Because there are decision points, loops, and branches.

23
Q

What do we mean by risk?

A

Risk is the effect of uncertainty on objectives. It can be positive, negative, or both and can address, create, or result in opportunities and threats.

24
Q

How much risk is too much?

A

In organizational terms, the organization should specify the amount and type of risk that it may or may not take, relative to objectives.

25
Q

How can we understand risk?

A

Through risk management frameworks such as, but not limited to, ANSI, BS, ISO, NCSC, NIST Special Publication, etc.

26
Q

How can we respond to risks?

A

By using the risk management process.

27
Q

What is Kaplan and Garrick’s triple of risk elements?

A
  1. What events can happen?
  2. How likely are they to happen?
  3. What are the consequences if they do?
28
Q

How are security and safety risk different?

A

Security risks are adaptive. As victims build stronger defences to protect against the latest threats, the threat actors in turn develop new ways of overcoming or bypassing those defences, and so on.

29
Q

What is the downside of the term “risk”?

A

Its multiple and ambiguous usages persistently jeopardize the separation of the tasks of identifying and evaluating relevant evidence.

30
Q

What is the Risk Assessment process in ISO Risk Management?

A

identification → analysis → evaluation

identification - find, recognize and describe risks that might help or prevent an organization achieving its objectives

analysis - a detailed consideration of uncertainties, risk sources, consequences, likelihood, events, scenarios, controls and their effectiveness

evaluation - comparing the results of the risk analysis with the established risk criteria to determine where additional action is required

31
Q

What is risk source?

A

The element which, alone or in combination, has the potential to give rise to risk

32
Q

What is an event?

A

It is the occurrence or change of a particular set of circumstances.

33
Q

What is the likelihood?

A

It is the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively

34
Q

What is the consequence of an event?

A

It is the outcome of an event that can be certain or uncertain and can have positive or negative direct/indirect effects on objectives.

35
Q

Control

A

Measure that maintains and/or modifies risk, including any process or practice.

36
Q

What diagram can help in analysing risk?

A

Bow tie diagram

37
Q

What is the difference between absolute and relative risk?

A

absolute risk describes the chance of an event happening over a specific time

relative risk describes how two risks compare (e.g., how much more or less likely a particular event is in one group compared with another)

38
Q

What is risk evaluation?

A

Comparing the results of the risk analysis with the established risk criteria to determine where additional action is required

39
Q

What are the 4 risk management strategies?

A
  1. Avoid risk by eliminating the source
  2. Transfer a risk by insurance
  3. Mitigate consequences of risk
  4. Accept a risk when it is not practicable to do otherwise
40
Q

How can you mitigate the chance or the consequence of risk?

A
  1. Alter environment
  2. Change procedures
  3. Add fault tolerance
  4. Train responders
41
Q

How can we understand developments in a system over time?

A

We may have thought of systems as being static, but they change over time.

New systems emerge or are created, existing systems change and systems die out

42
Q

How does security relate to the system lifecycle?

A

Security can be relevant to all stages of a system lifecycle.

Systems can be designed, built, operated and maintained (in)securely.

43
Q

What is mission analysis?

A

Mission analysis is a structured process that involves evaluating the objectives and constraints of a particular mission to plan its execution effectively.

44
Q

What is a system lifecycle?

A

It represents the conceptualization of a need for the system, its realization, utilization, evolution and disposal

45
Q

What are the 6 stages of a system lifecycle?

A
  1. Concept - where you identify and explore needs + ideas
  2. Development - where you refine the requirement and build system
  3. Production - Produce system
  4. Utilization - Operate system to meet the users’ needs
  5. Support - to sustain the system capability
  6. Retirement - where you store or archive the system
46
Q

What sort of decisions are made at each stage in a lifecycle?

A

Should we continue?
Should we move on?
Should we return/restart?
Should we pause?
Should we terminate?

47
Q

Systems are designed, built and maintained using processes. What is the risk management process?

A

Mission - what is the problem

Stakeholder needs - What do different parties need to do

System requirements - What should a solution do to meet those needs?

Architecture - what should the structure of the solution system be?

Design - How should the elements of the solution system work?

48
Q

What is the difference between stakeholder needs and system requirements in the context of the risk management process for systems?

A

In risk management, understanding stakeholder needs is crucial to ensure that the system addresses their concerns, while system requirements help quantify and design the system to meet those needs.

49
Q

When can a system be compromised?

A

Through insecure production and poor operation; hence it must be maintained securely.

Furthermore, a system can only detect threats that were known when it was designed.

50
Q

What is the difference between security and usability?

A

Security focuses on protecting systems from unauthorized access and damage, while usability concentrates on enhancing the user experience and making systems user-friendly.

Analogy: A computer without a password is usable but not very secure, whereas a computer that makes you authenticate every hour or so can be very secure but unintuitive (i.e. not many would choose to use it).