Security management using system dynamics

Questions and Answers

What is the primary role of system archetypes in security management?

• To quantify all aspects of security vulnerabilities.
• To replace traditional risk assessment methods.
• To automate security incident responses.
• To classify structures responsible for common behavior patterns. (correct)

Which of the following best describes the function of feedback loops in system dynamics?

• They isolate security incidents to prevent cascading failures.
• They represent how actions and their consequences influence each other over time. (correct)
• They provide a snapshot of current system vulnerabilities.
• They create a linear model of security management processes.

In the context of system dynamics, what does a 'balancing' feedback loop indicate?

• That changes in a variable are counteracted as they propagate through the loop. (correct)
• That the system is in a state of equilibrium and requires no intervention.
• That changes in a variable are amplified as they propagate through the loop.
• That the system is inherently unstable and prone to collapse.

Which of the following describes the role of system boundaries in modeling security with system archetypes?

They can mask unintended effects and complexities within an organization. (B)

According to Wolstenholme's classification, what are the four basic types of problem archetypes?

Underachievement, Out of Control, Relative Achievement, Relative Control (B)

In an 'Underachievement' archetype, what is often the recommended approach for a solution?

Unblocking a resource constraint. (A)

What is the key characteristic of an 'Out of Control' system archetype?

Intended control fails to be realized. (A)

Which security scenario exemplifies the 'Relative Achievement' archetype?

An organization's increased investment in threat detection leads to decreased employee trust. (C)

Why is an understanding of intended and unintended consequences important in security management?

It prevents management actions from creating adverse or counterproductive effects. (A)

In a 'Relative Control' archetype, what action does the framework suggest to take?

Define an absolute target and stabilize the overall outcome. (B)

Which of the following is the most accurate description of a CERT?

An organization that studies and models system dynamics for insider threats. (C)

What is the significance of recognizing time delays in reaction times when managing security risks using system archetypes?

It helps anticipate and mitigate unintended consequences of security management actions. (B)

Which of the following actions aligns with addressing the 'Tragedy of the Commons' archetype in security management?

Mandating organization-wide security training and awareness programs. (D)

What key insight does system dynamics modeling offer for information security management when compared to static risk assessments?

System dynamics modeling captures the dynamic interplay between management actions, intended outcomes, and unintended consequences. (A)

What is the main objective of introducing system archetypes to model information security problems qualitatively?

To understand the underlying structures that cause recurring security issues. (B)

In the context of system archetypes, what does 'isomorphic' property refer to?

The similarity in underlying structures across seemingly different security problems. (B)

According to the materials, what should an organization do to effectively address security concerns related to transitioning to e-business?

Recognize and address the potential for reduced scrutiny and increased vulnerabilities in e-business processes. (C)

According to the content, what is the initial step in building a system archetype for security management?

Identifying the intended outcome and the action/intervention intended to achieve it. (C)

Which of the following is a potential unintended consequence of implementing an incident reporting system, as described in the 'Out of Control' archetype?

Decreased incident handling quality as workload increases. (C)

What is one of the potential impacts of misaligned incentives on system security?

The organization responsible for security does not bear the full costs of its failure. (C)

According to the material, what is the next step after qualitatively modeling security using system archetypes?

Moving towards quantitative simulation using system dynamics. (C)

In system dynamics, what does the "||" symbol indicate?

A significant time delay. (C)

The 'solution loop', when building an archetype, helps to address what?

The unintended problems that appear. (A)

Which of the following books was instrumental to the method of system dynamics at CERT, Carnegie Mellon University?

From Modeling to Managing Security (B)

Which of the following correctly describes the 'Relative Achievement' archetype?

Intended achievement is only gained at the expense of another. (C)

Which of the following actions would be considered when addressing the 'Underachievement' archetype through the 'solution loop'?

Realising that resources must be allocated to security to the sufficient extent as to sustain and maximise the possible growth. (B)

Within the 'Out of Control' archetype, what can be said about the 'intended' and 'unintended' outcomes?

Intended outcome: B, unintended result: R (A)

What is the primary reason that system archetypes are said to be 'generic'?

Those four types keep reappearing in different security management cases. (D)

Senior manages tend to think security is...?

Something they don't understand and that the IT manage has to deal with. (D)

When enterprises invest primarily in resources to growth by maximising throughput, the unintended consequence is that..?

Security gets too few resources. (A)

In the 'Totally Generic System Archetype', the 'closed circles' are described as?

Feedback loops (A)

What does it mean when a boundary must be made 'transparent'?

The intention is to remove the masking/hiding of unintended consequences (B)

The 'Relative Control' archetype suggests what action?

That an absolute target is defined to stabilise the overall outcome (A)

What can be indicated when 'the goal erodes'?

It becomes less and less ambitious over time (B)

Which of the following statements is NOT true?

System archetypes increase security vulnerabilities. (C)

Why is it helpful to propose units and suggest measures of security indicators in the archetype?

To Quality assure the archetype (A)

What are 'Quality improvements', 'Security Metrics indicators' and 'The impact of misaligned incentives on information security' examples of?

Things to understand, regarding the principles of quantitative system dynamics models and appreciate their value for information security management (C)

What is required for 'Master[ing] the method to connect security management actions with its intended consequence and its unintended & undesired consequences'?

You must be able to identify time delays that hide the anticipation of unintended consequences of security management actions (D)

Flashcards

System Archetypes

System archetypes classify structures for generic behavior patterns.

Generic Structures in System Archetypes

Actions causing unintended reactions or consequences, delays in reaction times.

System Archetypes Transfer

Transferring understanding of system behavior to new application areas.

Four Archetype Categories

Underachievement, Out of control, Relative achievement, Relative control.

Feedback Loop

A feedback loop consisting of action and its consequence feeding back on the initial action.

Reinforcing Feedback (R)

Change in a variable gets reinforced as it propagates through the loop.

Balancing Feedback (B)

Change in a variable gets counteracted as it propagates through the loop.

Organization Boundaries

Categories such as disciplines, functions, accounting, power and culture.

Underachievement

Intended achievement fails to be realized.

Out of Control

Intended control fails to be realized.

Relative Achievement

Intended achievement is at the expense of another.

Relative Control

Intended control is gained at the expense of others.

Underachievement Solution

Element of achievement action to minimise reaction in other parts.

Out-of-Control Solution

Make direct connection between the problem and reaction.

Relative Achievement Solution

Introduce regulatory action and balancing feedback loop

Relative Control Solution

Define an absolute target and new balancing feedback loop.

Relative Achievement Danger

Security is as strong as weakest link. Some aspects are over others.

Study Notes

• System archetypes and system dynamics are used to model security
• Jose J. Gonzalez is the author and can be contacted at [email protected]

Objective

• Information security management has challenges requiring models to connect management actions with consequences.
• System archetypes can address these challenges.
• System archetypes methodology can model information security problems qualitatively.
• System archetypes can provide insights into typical information security problems.
• Exploring security metrics indicators and potential audits is an application of system archetypes.
• System archetypes serve as building blocks for modeling information security management.
• Security management cases can be simulated.
• Examples of security management cases include exploring the risk landscape, performing what-if analysis using metrics, and testing management strategies.

Learning Outcomes

• Master the method to correlate security management actions with their intended, unintended, and undesired consequences
• Identify time delays that obscure the anticipation of unintended consequences in security management.
• Mitigate unintended consequences of security management actions.
• Learn and apply the four basic types of system archetypes on security management problems.
• System archetypes can provide the ability to identify security metrics indicators.
• System archetypes can provide the ability to search for potential indicators for security audits.
• System archetypes serve as a first step to quantitatively model security management, embedding security management metrics.
• Principles of quantitative system dynamics models and their value for information security management is key
• Appreciate security metrics indicators for management.
• Utilize potential for audits in security management.
• Improve metrics of quality of security management.
• Quantify the impact of misaligned incentives on information security.

Content Outline

• Introduction to system archetypes
• Generic system archetype
• Importance of boundaries
• Classification of archetypes into four categories: underachievement, out of control, relative achievement and relative control
• How boundaries mask unintended effects
• System archetypes applied to security management
• Modeling and simulating security management cases quantitatively

System Dynamics Modeling

• Elements of system dynamics modeling are introduced
• The method was presented in the 2003 book at CERT, Carnegie Mellon University.
• Studies and applications in information security released, such as on insider threat.
• System dynamics modeling has been applied in EU-funded projects.
• One example is Smart Mature Resilience 2015-2018, funded by the H2020 program.

CERT Guide to Insider Threats

• The Security Dynamics Network (SDN) influenced the system dynamics modeling of insider threats.
• The SDN is a group of national laboratories and universities applying system dynamics to explore cybersecurity issues.
• Expert insight, information, and inspiration to develop insider threat models are offered
• Dr. Jose Gonzalez of University of Agder is the founder of CERT

System Archetypes Explained

• System archetypes classify structures responsible for generic patterns of behavior over time.
• These structures represent management actions, unintended reactions, and delays in reaction times.
• System archetypes transfer understanding to new application domains.
• Isomorphic property makes these archetypes powerful tools for mastering dynamic complexity.
• Types of system archetypes originally suggested were related to limits to growth, shifting the burden, eroding goals, escalation, fixes that fail, etc.
• All archetypes fall into four core categories.

Classification of System Archetypes

• Wolstenholme (2003) showed that all archetypes have a problem archetype and a solution that mitigates the unintended consequence in the problem archetype
• Wolstenholme showed that problem archetypes can be expressed as one of four types: Underachievement, Out of control, Relative achievement, Relative control
• Wolstenholme also proposed the solution for each problem archetype

Generic Archetype

• Feedback loops are continuous and drive system behavior.

Feedback Loops

• A feedback loop includes action and its consequence feeding back on the original action.
• An enterprise produces throughput by investing resources; this throughput leads to renewed investment.
• Throughput affects security, and security affects throughput.

Reinforcing vs Balancing Feedback

• There are two kinds of feedback: reinforcing (R) or balancing (B).
• Reinforcing feedback: change in a variable gets reinforced as it propagates along the loop.
• Balancing: change in a variable gets counteracted as it propagates along the loop.
• The || sign indicates a significant time delay.

Feedback Loop Exercises

• Consider what happens when an enterprise increases or decreases investments, and how throughput changes.
• Discuss throughput increases/decreases, security changes, and the effect on investments.
• Explain reinforcing/balancing feedback loops in these scenarios.

System Boundaries Defined

• System archetypes indicate that a system boundary is relevant to the problem.
• Organizations have boundaries defined by disciplines, functions, accounting, power, and culture.
• Boundaries exist between the organization and its environment.
• They include physical accounting barriers, managerial barriers, mental barriers, and time delays.
• Important to recognize the existence of barriers when managing security.
• Make barriers transparent ("net curtains") rather than opaque ("heavy drapes").

Archetype Classification

• Underachievement: intended achievement fails (intended outcome: R, unintended result: B).
• Out of control: intended control fails (intended outcome: B, unintended result: R).
• Relative achievement: achievement gained at another's expense (intended outcome: R, unintended result: R).
• Relative control: control gained at the expense of others (intended outcome: B, unintended result: B).

Underachievement Archetype

• A solution utilizes the achievement action to minimize reactions within the organization, usually unblocking the resource constraint

Underachievement Exercise

• Senior managers focus on tangible business goals like throughput; information security is less understood.
• Enterprises invest in growth, leaving security under-resourced.
• Develop an underachievement system archetype to express how maximizing throughput leads to unintended consequences.
• Propose a solution link to address this problem.
• Quality assure the archetype by explaining in terms of a dynamic story and proposing security indicator measurements.

Solution Achieved

• The boundary masking/hiding unintended consequences must be made 'transparent' to solve the problem.

Dynamic Stories

• Neglecting security leads to incidents and downtime, reducing throughput.
• A balancing feedback loop will reduce throughput.
• Allocate resources to security to maximize growth.
• Propose units/measures to show the efficacy of security

Underachievement Illustrated

• Pressure to perform sacrifices security/Transitioning to eBusiness, eRemote, eHealth and other
• Tragedy of the commons: actions to improve individual lots detrimentally affect all
• Limits to success of constraints that act on the long term
• Such as unsustainable growth and long-term risks

Out of Control Archetype

• A solution relies on enabling/strengthening a direct link ("solution link") between the problem and the system reaction.

Out of Control Exercise

• Organizations introduce a security incident reporting system (SIRS).
• Incident reporting leads to incidents rising
• System costs
• Inceasing workload
• Incident handling quality decreases.
• Propose and explain an out-of-control problem archetype expressing how a workload increase leads to incidents decreasing.
• Quality assure the archetype by explaining it in terms of a "dynamic story," and proposing units to measure security indicators

Dynamic Story: SIRS

• Solution link is to allocate resources to incidents, workloads diminished as a result
• The intent is to reduce the number of events that become incidents
• High volume affects workload
• Resources must be kept at high level to handle

Out of Control Illustrated

• Compliance erodes when copings with standards and resources
• Over-reliance and imbalance on security systems
• Misaligned incentives

Relative Achievement Archetype

• a action is how to control an outcome
• The relative target is the objective
• "The relative outcome induces a reaction in another sector of the organisation, which compromises the intended outcome
• The solution lies in defining an absolute target and a new balancing feedback loop to stabilise the outcome”

Acheviment archtype

• An organization invests in detecting malicious insider attacks
• Over-investment can lead to management distrust of workers
• Again, show the archetype in a dynamic and present units of archetype

Relative Achivement Archetype Solution

• A double-edged sword, improve detetction capability
• High Detection capacity but low inter-trust

Dynamic Story

• Over detection can harm trust
• Solve these high-risk and internal trust factors
• Solution: invest in detection, then improve trust
• Conduct security audits

More examples of relative achievement

• Success to the successful
• Solutions tend to get more resources but ones in need may be ignored

Relative Control Archetype

• Solution is found in defining an absolute target and also stabilizing to balance feedback.

Exercise

• There can be issues when handling security incidents
• Find the CSIRT provides corresponding information
• Incidents are at all time high
• Propose and explain the problem archetype

System Atchetypes Summarized

• Intended to have a relation between actions – Unintended consequences May result in only four outcomes Generic that reappears in other systems and cases

Following what atchetypes?

• System archetypes provide qualitative insights. They are very powerful as such To provide accurate numerical values security metrics indicators and improve perform security audits Quantitative simulation allows to model cases with security metrics http://www.systemdynamics.org/