A Modelling Approach for Interdependency in Digital Systems-of-Systems Security - Extended Abstract

Abstract

There is little doubt that the proper functioning of our modern society depends upon cyberspace, and that the continued growth in appetite for new technology and the potential benefits associated with it shows little sign of abating. Unfortunately the reality of modern information and communications systems involves a complex array of hardware, middleware, software, communications protocols and services, operated by a diverse set of stakeholders (users and providers each with a heterogeneous set of changing motives (including personal, enterprise, or societal gains). Everyday services that we take for granted often rely on complex interdependent systems, with the result that a seemingly unrelated failure in one of the subsystems, invisible to the service consumer, may lead to an all too visible collapse of the service that they expect. In the context of information and network risk management this complexity means that it is currently very difficult to predict how an organisation might be impacted by vulnerabilities being exploited or failures accidentally manifesting elsewhere in a system. Additionally, organisations responsible for subsystems are likely to evolve different risk-management cultures and practice, making their adoption and use of network and information risk controls (and consequences for other interdependent subsystems) difficult to predict.