Showing posts with label complex systems. Show all posts

Tuesday, September 4, 2012

IT as a complex system...

In 2011, I wrote a small position paper in which I argued that IT (or ICT if you wish to be trendy) systems are complex systems. That paper was a consequence of a risk assessment process I had to do, and it summarized what I was thinking about risk analysis at that time. Then, as well as now, I firmly believe that risk analysis, as it is currently done, isn't the right way to achieve security of IT. Too many possibilities, too subjective, too dependent on the specific situation and environment, too slow, no way of testing it, not to mention measuring how good it is, etc. Just to be clear, it is not that I'm for the abolition of risk assessment, because currently it is the only thing we have, but I strongly believe that we should and could do much better.

This post updates the paper. I decided not to write a new version, but to add to it using the blog.

First, let me say that in the paper I missed one important component: people. People are a very important part of an IT system and are strongly intertwined with it, as users, administrators, even attackers. In general, any person that comes into contact with the system is part of it. I had tinkered with that thought for some time, but after I watched Igor Nikolic's talk at TEDxRotterdam, I was certain. So, based on that, I can very confidently claim that an IT system is a complex system. Now, this can look like I invented hot water, as it is a long-known fact that people are the weakest link in security. But, despite this fact, people and technology were treated, and are treated, separately. Not only are they treated separately, but even specific persons and components of IT are treated separately (as in the risk assessment process).

I'll also mention two references that I think are related and important for this topic. The first one is Complexity and Emergent Behaviour in ICT Systems. That one was written in 2004, and it beat me by 8 years. :( Ah, well, I suppose I should have done research a bit more thoroughly. But then, after reading it, it doesn't seem to me that there is overlap between what I'm claiming and what they do. Nor are we talking about the same things. They are definitely talking about the complexity of ICT systems, but for them, ICT systems are large-scale systems. I didn't get the impression that they are talking about the information systems of companies. Well, overlap could happen if we are talking about large enterprises, but I'm talking about information systems of all sizes. They talk a lot about complex systems in general, and they also survey research about complex systems in general.


The second reference is an analysis of supposedly emergent phenomena on the Internet: Internet Failures: an Emergent Sea of Complex Systems and Critical Design Errors?. This one is interesting because it dissects whether certain perceived behavior is or is not emergent behavior. I agree with the conclusions of that paper. Especially about the failure of root DNS not being emergent behavior. :)

Thursday, March 10, 2011

Search for complexity measure and where it took me...

Well, I got very interested in complex systems lately. So, I decided to write a paper for a local conference in which I tried to join information security with complexity. A part of this endeavor made me Google for a paper that describes a complexity measure. Well, I found many interesting things, but not what I was looking for, at least not yet. Still, I wanted to preserve some of those interesting pages and materials for later reference.

The first page I stumbled upon, and indeed it was the first page in the Google search, was Cosma Shalizi's page about Complexity Measures. Well, I have to say that he seems to have very good pages. What generated my next interest was his critique of Wolfram's book A New Kind of Science. Actually, on the page about Complexity Measures there is a list of Disrecommended stuff, part of which is the aforementioned book.

This also took me briefly to Wikipedia's page about Jacques Derrida and then to the page about Slavoj Žižek. But the only thing that made me go to Slavoj's page on Wikipedia was the fact that his name sounds like he's from some former Yugoslav republic, which turned out to be true; he's from Slovenia. But, let me go back to Derrida. Derrida was obviously a philosopher who developed the critical theory of deconstruction. To be honest, I don't understand yet what it is about, at least not enough to write something meaningful, so I'll try again later.

Still, Derrida wasn't the end of my wandering, since, while reading the critique of Wolfram's book, I took a detour into tag systems, then to broader models of computation, and finally to the Turing machine. Well, Wikipedia, as usual, has a very good text about it and it is now also on my todo list.

Somewhere along the way I also checked the Wikipedia page about Kolmogorov, and subsequently the one about Per Martin-Löf, because he's mentioned as extending the Kolmogorov complexity measure in a very interesting direction. Also, I checked a page about randomness. Supposedly, on this page truly random data can be obtained, which is collected from some atmospheric measurements, but again, I'm not certain that it is the truth. Cosma Shalizi has many other interesting pages, one of which is his critique of using gzip as a complexity measure. Last, but not least, I also stumbled on the Cellular automata FAQ, because Wolfram's book claims that the universe is a certain kind of CA and that the existing approach of using complex formulas to describe it is wrong.

I wrote this blog entry for two reasons. The first one is to save links in order to check them again. And the second reason is that I wasn't aware of the controversy surrounding Wolfram's book.
