Week 3 Flashcards
What can systems be decomposed into?
1) elements - e.g. a football team - the elements are the team, the manager, the spectators etc.
2) interconnections - in the football team, the interconnections are the strategy, the rules of the game.
3) purpose - difficult to determine for any given system. Depending on the perspective, system purpose could be different from what the individuals have documented.
As well as hierarchies of subsystems, e.g. the Target case with Firos. If the subsystems feel as though the higher-ups aren’t servicing them, it can lead to disintegration.
What is a system?
It's a set of things, people, cells, molecules etc. that are interconnected in such a way that they produce their own pattern of behaviour over time.
What is Operation Cat Drop?
The mosquito example in 1945-1960.
WHO wanted to control the spread of malaria in Borneo. WHO wanted to spray DDT in people’s homes.
Over a 21 month period, the percentage of mosquitos carrying malaria dropped from 36% to 2% by spraying DDT.
But then people started suffering from rat bites and their homes falling down.
The reason for this was that a particular type of caterpillar started to eat through homes that were not covered in DDT. Previously, wasps were controlling the caterpillar population. But wasps started being killed off by DDT, so they weren’t able to control the caterpillars anymore. There was a knock-on effect on the food chain where rats started thriving (particularly due to cats being killed off). Cats ended up being dropped into Borneo to deal with the rat issue.
This signifies the dangers of implementing solutions (i.e. DDT) without fully understanding what they would do.
What was the story of mosquitos in Brazil?
Mosquitos in Brazil either feed off humans or cattle. Focus was on the population of mosquitos that fed off humans, which led to a 68% increase in population. Now we have a knock-on effect of a larger population.
One problem is resolved, but other problems arise.
What are stabilising feedback loops?
Stabilising feedback loops are goal-seeking loops, resistant to change, seek to balance elements.
Reinforcing feedback loops emphasise the direction of change.
What are the limitations of systems thinking?
People intensive systems are hard to decompose and understand.
Human elements are difficult to model and fully understand.
We may think a system is failing, but it is succeeding in ways we do not perceive or understand.
What is cyber space?
The complex environment resulting from the interaction of people, software, and services on the Internet by means of technology devices and networks connected to it, which does not exist in any physical form.
What is an example of cyber space?
The internet. Cyber space and the internet are not interchangeable, although in the UK/EU they are.
What is a cyber system?
Cyber systems are dependent on or make use of a cyber space. Cyber systems are often referred to as critical infrastructure.
What are cyber physical systems?
They are specific cyber systems that control and react to the physical environment, e.g. the distribution of clothes.
How does cyber security tie in with cyber systems and cyber threats?
Cyber security is the defence of cyber systems from cyber threats. Cyber threats can be thought of as any threat that makes use of a cyber space.
What is information security?
Information security is concerned with the protection of information assets. It is the preservation of confidentiality, integrity and availability of information.
What is Critical Infrastructure Protection (CIP)?
Safeguarding infrastructure crucial to modern society from interruption and destruction. Critical Infrastructure goes beyond cyber.
What is safety?
Safety can be defined as being free from unacceptable risk to human life, injury or damage.
What is risk?
The possibility that human actions or events lead to consequences that have an impact on human value.
These are the union of malicious and non-malicious risk.
What is risk assessment?
Taking concerns and starting to gather evidence and data on the things we care about. Then we have to focus on the ones that we deem the most critical.
1) observations and perceptions
2) reasoning and evidence
3) prioritise and rank
What are the important stages in risk assessment?
1) context - appreciating the environment (is it a university, power plant, who are their stakeholders etc.).
2) identification - trying to gather all the potential concerns
3) analysis - really looking at the concerns that have been identified. Strengthen them with evidence or discard.
4) evaluation - checking whether some risks are similar or whether we can aggregate any.
5) treatment - what are we going to do to mitigate this risk? Technical tools/technical infrastructure.
What are the key points for the “Context” stage in risk assessment?
We need to consider:
- the external context, e.g. national laws, critical infrastructure.
- the internal context - the factors that influence how an organisation manages risk and attains objectives. This could be the staff, stakeholders, customers.
- the attack surface
- the target of assessment
What are the aims of a risk assessment?
To mitigate against risk and reduce the likelihood of undesirable incidents. Comply with legal requirements. Communicate to several internal and external stakeholders about risk.
Why would we want to limit scope?
It improves communication between various individuals if we have clear documentation of scope, focus and assumptions.
What is a risk matrix used for?
Displaying the consequence versus likelihood of an event. We have to define the value explicitly, e.g. “rare” is less than 20 years etc.
What is the attack surface?
There could be a remote or a physical attack.
What are the key points for the “identification” stage in the risk assessment?
Think of it in terms of malicious/non-malicious attacks.
Think in terms of technical systems and non-technical elements (gathering articles, newspapers etc). It’s not about determining the likelihood of risks at this stage; it’s just about getting more info and tailoring it to what we’re interested in.
How do we identify malicious threats?
Identify where the threats are coming from.
Understand the potential threats the adversaries represent and the attack surface.
Focus on the assets to determine vulnerabilities.
Predict potential incidents stemming.
1) source - who is going to initiate an attack and why.
2) threat
3) vulnerabilities
4) incident - what incidents stem from these threats.
How do we identify non-malicious threats?
The opposite of malicious threats.
1) incident
2) vulnerabilities
3) threat
4) source
What do we do in the “analysis” phase of risk assessment?
Assess the threat, likelihood, estimate
Incident, asset, likelihood, consequence.