Tuesday, September 4, 2012

IT as a complex system...

In 2011 I wrote a small position paper in which I argued that IT (or ICT, if you wish to be trendy) systems are complex systems. That paper was a consequence of a risk assessment process I had to do, and it summarized what I was thinking about risk analysis at that time. Then, as now, I firmly believe that risk analysis, as it is currently done, isn't the right way to achieve security of IT: too many possibilities, too subjective, too dependent on the specific situation and environment, too slow, no way of testing it, not to mention measuring how good it is. Just to be clear, I'm not for the abolition of risk assessment, because currently it is the only thing we have, but I strongly believe that we should and could do much better.

This post is an update to the paper. I decided not to write a new version, but to add to it through the blog.

First, let me say that in the paper I missed one important component: people. People are a very important part of IT systems and are strongly intertwined with them, as users, administrators, even attackers. In general, any person who comes into contact with the system is part of it. I had been tinkering with that thought for some time, but after I watched Igor Nikolic's talk at TEDxRotterdam, I was certain. So, based on that, I can very confidently claim that an IT system is a complex system. Now, this may look like I have reinvented the wheel, since it is a long-known fact that people are the weakest link in security. But, despite this fact, people and technology were treated, and are treated, separately. Not only are they treated separately, but even specific persons and components of IT are treated separately from one another (as in the risk assessment process).

I'll also mention two references that I think are related and important for this topic. The first one is Complexity and Emergent Behaviour in ICT Systems. That one was written in 2004, so it beat me by 8 years. :( Ah, well, I suppose I should have done my research a bit more thoroughly. But then, after reading it, it doesn't seem to me that there is much overlap between what I'm claiming and what they do; we are not talking about the same things. They are definitely talking about the complexity of ICT systems, but for them ICT systems are large-scale systems. I didn't get the impression that they are talking about the information systems of companies. Well, overlap could happen if we are talking about large enterprises, but I'm talking about information systems of all sizes. They talk a lot about complex systems in general, and they also survey research on complex systems in general.

The second reference is an analysis of supposedly emergent phenomena on the Internet: Internet Failures: an Emergent Sea of Complex Systems and Critical Design Errors?. This one is interesting because it dissects whether certain perceived behaviors are or are not emergent. I agree with the conclusions of that paper, especially that the failure of the root DNS is not emergent behavior. :)

