SABSA thinking is based heavily on systems engineering concepts. We see the enterprise itself as a system of systems, hierarchically complex, with layered tiers of sub-systems and component interactions at every level of decomposition and abstraction. Systems are designed to have certain functionality to meet the system requirements, and in SABSA we articulate these requirements and functional properties through a series of Business Attributes. However, there are often properties of complex systems that were not designed, but which we discover once we operate and use the system. These are called ‘emergent properties’.
An emergent property is unexpected during the design phase, but emerges once we operate the system. The Attributer sees the most generic emergent property as being ‘entropy’, the level of disorder in a system. All systems have a certain level of entropy. The second law of thermodynamics tells us that the entropy of a given system undergoing a real process will tend to increase over time (increasing disorder) and that to correct this tendency we must do ‘work’ to restore the desired order. This law of physics applies to all systems at all levels of scale, from the universe itself down to any natural or man-made microsystem. For best results we consider a system in the context of its eco-system – the system and its environment.
For those of you that have kept a garden, it is a familiar experience. You do work on your garden to make it orderly. You trim the hedges, mow the lawns, pull the weeds, deadhead the roses, sweep the paths and it looks great. You go away on two weeks holiday and when you return it looks like a jungle again. The natural processes have created chaos out of order, and you need to do a whole lot of work again to restore the order. That’s the second law of thermodynamics in action.
The attribute ‘emergent’ is not part of our design requirements, but is one that we will experience anyway, and therefore we must design to handle it. Examples of unwanted emergent properties are unsafe system behaviour and insecure system behaviour. These behaviours arise from unforeseen interactions between system components. They are not properties of the components themselves, and only emerge during component interactions. For example, a transport network carries traffic of some type either physical (such as cars and lorries) or logical (such as digital packets in a communications network). The components of the network are the traffic items, the transmission paths and the routing mechanisms. An unwanted emergent property of a network is ‘traffic congestion’.
In computer systems we see countless examples. A disk storage system will become fragmented and periodically will need work to defragment the disk. A computer system can be configured with all the parameters set to meet a standard configuration, but in time this will degrade as minor changes are made, applications are run, patches are applied, and so on. It needs periodic review and reconfiguration to keep it to the standard settings.
When we turn to the subject of cyber security, the potential for degradation and entropy increase is well beyond previous experience with physically contained computer systems. Operating a secure cyber system in the eco-system called cyberspace is very challenging. Cyberspace is a complex system of systems that grows and changes all the time. It definitely has a time dimension and is therefore subject to the second law, but it has no physical spatial dimensions or restrictions. The potential for emergent properties is infinite. We have never before faced this challenge and most people are struggling to get their minds around the concept of cyberspace and hence cyber security.
Whilst we focus on securing the components of cyberspace we will never get control over cyber security. Only be stepping back and taking a systems engineering view, including the concept of emergence, will we ever stand a chance of being successful. This requires a complete change in mind-set. It requires SABSA thinking.