Information Security Risk Assessment on Complex Information System
Risk assessment is the key and core technology for ensuring IT system security. Based on a comprehensive analysis of complex information systems, this paper first summarizes the typical characteristics of complex information systems and then gives new risk factors that complex systems need to face. Furthermore, a new risk assessment method is proposed to evaluate complex information systems. The method takes full account of the effect of the complexity of complex information systems in each process of risk assessment, and utilizes multi-level risk views to carry out in-depth analysis of the risk of complex systems.
- Conference Article
- 10.1109/mace.2012.771
- Jul 27, 2012
This paper analyzes the necessity of risk assessment for complex information systems in the context of increasing complexity. According to the characteristics of complex information systems and the existing risk assessment methods, the method to assess the risk of complex information systems is discussed. A risk assessment method is proposed from the perspective of asset grouping, association identifying and multi-level computing. It may be of some guidance and reference to solve the problems of security risk assessment in complex information systems.
- Single Book
- 10.12737/2110856
- Mar 26, 2024
The monograph reveals the basics of complexity theory and methods for assessing complexity. The concept of complexity consideration is based on the analysis of complexity as a common attribute in processes and systems. The monograph describes the main methods for assessing different types of complexity. The concept of considering complexity in this monograph is also based on the fact that complexity is a comparative characteristic. It is given on a relative scale of difficulty. Therefore, complexity must be defined on a relative scale of “simplicity-complexity.” This concept motivates the consideration and analysis of the concept of “simplicity” as a complement to the concept of “complexity”. These concepts set the scale of complexity. The monograph provides a comparative analysis of the related concepts of simplicity and complexity. Three methods for assessing complexity are described: expert assessment of complexity, assessment of complexity using mathematical metrics, comparative assessment of complexity based on the theory of comparative analysis. The monograph contains a taxonomy of the main types of complexity. The content of the main types of complexity is revealed in detail: descriptive complexity, system complexity, modeling complexity, computational complexity, algorithmic complexity, deterministic complexity. Specific cognitive difficulties are described in detail. For cognitive complexity, special assessment methods are used. An interpretation of the concept of cognitive filter is given. Complexity is associated with the concept of complex systems. In most monographs on complex systems, the complexity aspect has not been considered or is viewed in a simplified manner. This monograph examines complexity as a characteristic of complex systems and the basis for their classification. Emergence is described as a characteristic of the complexity of systems and complex processes.
The monograph contains a taxonomy of complex systems with characteristics of the complexity of different systems. Complex data systems have been explored. An analysis of organizational complex systems is given. Various types of complex ergatic systems have been described. An analysis of complex technical systems is given. Self-developing complex systems are described. Autopoiesis of a complex organizational and technical system has been studied as a principle of systems development. Cyber-physical systems are described as an example of the development of complex systems. The monograph is intended for specialists in the field of computer science, systems analysis, artificial intelligence and philosophy of information.
- Conference Article
- 10.1117/12.2653789
- Dec 8, 2022
With the development of science and technology, the demand for automation and intelligence has nearly penetrated every corner of society. Single software and specific needs of information systems can no longer meet the growing needs of people. A complex information system composed of various systems, smart devices, and software emerged. The security of such complex information systems is becoming increasingly important. Attacks on complex information systems have become an important factor in harming national security, political stability, economic lifeline, and citizen security. Risk factors are weak links in the information system that may be threatened to cause damage, and the risk factors are transformed into damage to assets under certain conditions. Although the existing vulnerability management specification standards contain relevant content of risk assessment, the scope is not enough to support and cover the assessment of risk factors in information systems. In this paper, we comprehensively investigate and analyze the vulnerability standards of various vulnerability classification for information systems, and propose a classification standard for the analysis and grading of risk factors of complex information systems, which can provide a reference for the classification of information system risk factors in finance, public communications, and energy industries.
- Research Article
- 10.3390/app10093007
- Apr 25, 2020
- Applied Sciences
With the rapid development of high integrations in large complex systems, such as aircraft, satellite, and railway systems, due to the increasingly complex coupling relationship between components within the system, local disturbances or faults may cause global effects on the system by fault propagation. Therefore, there are new challenges in safety analysis and risk assessment for complex systems. Aiming at analyzing and evaluating the inherent risks of the complex system with coupling correlation characteristics objectively, this paper proposes a novel risk assessment and analysis method for correlation in complex system based on multi-dimensional theory. Firstly, the formal description and coupling degree analysis method of the hierarchical structure of complex systems is established. Moreover, considering the three safety risk factors of fault propagation probability, potential severity, and fault propagation time, a multi-dimensional safety risk theory is proposed, in order to evaluate the risk of each element within the system affecting the overall system. Furthermore, critical safety elements are identified based on Pareto rules, As Low As Reasonably Practicable (ALARP) principles, and safety risk entropy to support the preventive measures. Finally, an application of an avionics system is provided to demonstrate the effectiveness of the proposed method.
- Research Article
- 10.1161/01.cir.0000040842.08331.4e
- Nov 12, 2002
- Circulation
Task Force on Strategic Research Direction: Basic Science Subgroup key science topics report.
- Conference Article
- 10.1109/iccea53728.2021.00067
- Jun 1, 2021
To facilitate architecture development of large-scale and complex systems, we have proposed an architecture engineering methodology and defined seven kernels of architecture engineering (i.e., Opportunity, Stakeholder, Need, Architecture, Team, Work and Way-of-Working) which must be considered during the process of developing an architecture. Each kernel has five or six different states that can indicate the progress and health of architecture development. To further improve practicability of the defined seven kernels and their 36 states in architecture development, a reference guide is suggested based on our engineering experience in practice, which contains more than 100 items helping to check kernel states and move them forward. Using the reference guide, we conducted an application of architecture development of a complex business information system. Results show that the proposed guide can be effectively used to help architecture engineers to determine and push on the state of architecture development. Architecture development can be proceeded clearly, timely and smoothly. Moreover, all the team members can work well together.
- Research Article
- 10.20535/tacs.2664-29132025.1.329565
- Aug 11, 2025
- Theoretical and Applied Cybersecurity
The article presents a novel approach to risk assessment in complex information systems, which takes into account the structural relationships between threats, vulnerabilities, and system components. The primary focus is on developing a formalized model that enables the construction of a simplicial complex of dependencies among potential threats and vulnerabilities, as well as identifying their impact pathways on the integrity, availability, and confidentiality of the system. The use of a simplicial complex model is proposed to represent these interconnections and to determine critical nodes that are most vulnerable to compound attacks. The methodology allows for quantitative risk evaluation by calculating threat levels, the probabilities of vulnerability exploitation, and their impact on the system. A key feature of the approach is the consideration of not only individual vulnerabilities but also their interactions, which significantly enhances the accuracy of risk assessment. The results of modeling and applied analysis confirm the effectiveness of the proposed method in identifying the most critical security elements and in justifying protection priorities under limited resource conditions. The proposed method can be integrated into information security management systems to improve the protection level of complex technical infrastructures.
- Book Chapter
- 10.12987/yale/9780300251104.003.0001
- Aug 5, 2020
This introductory chapter provides an overview and a brief history of complexity science, which is the study of complex systems. All living systems and all intelligent systems are complex systems. Complexity science is relatively new but already indispensable. Many of the most important problems in engineering, medicine, and public policy are now addressed with the ideas and methods of complexity science. However, there is no agreement about the definition of 'complexity' or 'complex system', nor even about whether a definition is possible or needed. The conceptual foundations of complexity science are disputed, and there are many and diverging views among scientists about what complexity and complex systems are. Even the status of complexity as a discipline can be questioned given that it potentially covers almost everything. The origins of complexity science lie in cybernetics and systems theory, both of which began in the 1950s. Complexity science is related to dynamical systems theory, which matured in the 1970s, and to the study of cellular automata, which were invented at the end of the 1940s. By then computer science had become established as a new scientific discipline.
- Book Chapter
- 10.1016/b978-0-323-90032-4.00003-1
- Jan 1, 2022
- Multi-Chaos, Fractal and Multi-Fractional Artificial Intelligence of Different Complex Systems
Chapter 2 - Theory of complexity, origin and complex systems
- Research Article
- 10.5204/mcj.2672
- Jun 1, 2007
- M/C Journal
In popular dialogues, describing a system as "complex" is often the point of resignation, inferring that the system cannot be sufficiently described, predicted nor managed. Transport networks, management infrastructure and supply chain logistics are all often described in this way. Academic dialogues have begun to explore the collective behaviors of complex systems to define a complex system specifically as an adaptive one; i.e. a system that demonstrates 'self organising' principles and 'emergent' properties. Based upon the key principles of interaction and emergence in relation to adaptive and self organising systems in cultural artifacts and processes, this paper will argue that complex systems are cultural systems. By introducing generic principles of complex systems, and looking at the exploration of such principles in art, design and media research, this paper argues that a science of cultural systems as part of complex systems theory is the post modern science for the digital age. Furthermore, that such a science was predicated by post structuralism and has been manifest in art, design and media practice since the late 1960s.
- Research Article
- 10.1002/cplx.21386
- Dec 27, 2011
- Complexity
The following news item is taken in part from the July 27, 2011 issue of Science titled "9 Billion?," by Leslie Roberts.
- Dissertation
- 10.5463/thesis.1479
- Nov 6, 2025
Information Systems (IS) have a critical role, and organizations encounter difficulties in managing increasing IS complexity. Interventions often fail to yield the desired results. The research question of this dissertation is: "How can organizations manage the complexity of their IS landscape?". This dissertation contributes to enhancing the insight into what causes the unexpected effects of interventions aimed at managing IS complexity. IS complexity is often conceptualized in different ways. These different interpretations are often used interchangeably, leading to different conclusions concerning the impact of interventions. By conceptualizing IS complexity as different forms of complexity, we gain insights into the underlying components, interactions, and patterns within complex systems. IS complexity can be categorized into the material realm and the cognitive realm. The material realm includes structural and dynamic forms of complexity. Structural complexity involves the number and diversity of components and their interactions. Dynamic complexity refers to the continuous evolution and changes of a system’s form and function, reflected in the emergent behavior of the system. The cognitive realm relates to the subjective form of complexity and the capabilities of individuals trying to understand and work with the system. With the outcome of the literature review and the analysis of the empirical studies it is possible to develop a typology of IS complexity. This typology aids in identifying and explaining the interrelations between these forms. With that insight this typology provides a lens to understand what the effects are of interventions to manage IS complexity in each of these forms. The effects of different interventions to manage IS complexity indicated both decreases and simultaneous increases of complexity. 
Analyzing these shifts deepens our understanding of IS complexity that goes further than only an input-output relation between interventions and IS complexity; it is about unpacking the emergent causal pathways that unfold as the effect of these interventions. I observed two types of effects: 1) shifts within the forms of complexity and 2) interactions between forms of complexity. The idea of shifting complexity emphasizes the multidimensional and context-dependent nature of IS complexity. Organizations can develop more effective strategies to manage complexity. The idea of shifting complexity supports in unpacking the relationship between interventions and the complexity of IS landscape. Recognizing these shifts improves the manageability of IS complexity by analyzing the impact of interventions to manage the complexity of an organization’s IS landscape.
- Conference Article
- 10.54941/ahfe1005832
- Jan 1, 2025
- AHFE international
In the nuclear sector, the implementation of digital technologies plays a crucial role in optimizing the performance of installations throughout their entire lifecycle. It contributes to the timely and cost-effective delivery of all phases of the life cycle, including design, procurement, construction, commissioning, and operation, as well as facilitating the transition between these phases. The intricacy of nuclear projects and their digital transformation faces significant challenges related to the large and diverse supply chain lifecycle, which includes entities of varying sizes, durations, and maturity. This increases the complexity of information systems, which often results in fragmented data exchanges and the formation of silos, thereby creating loopholes in information exchanges and negatively impacting project delivery performance. The exponential growth of Complex Information Systems (CIS) has resulted in significant challenges in data management, data governance, and digitalized human-centered activities. To address this complexity and guarantee the lifecycle of these CIS, the emergence of the concept of data lineage—defined as the flowchart of all data manipulations—is a promising approach, for a large array of applications such as maintenance. However, CIS often consist of diverse elements communicating through various protocols and tools, which presents a considerable challenge for accurately modeling these interactions using traditional methods. The present study proposes a methodology based on graph theory for the analysis of data lineage. Moreover, the methodology incorporates the concept of Human System Integration (HSI), which is represented through the TOP (Technology, Organization, and People) model, with the objective of modeling the diverse interrelationships between CIS components. In this study, a maintenance chain of value was selected as a key use case of a real-world CIS system from the nuclear sector.
The data flow begins at the stage of design of new components in nuclear power plants and continues through to the deployment of equipment that is active, operational and maintainable within the power plant units. This method permits the visual representation of data flow within the complex information system, thereby facilitating a more suitable data management and a comprehensive understanding of the interaction between its elements.
- Research Article
- 10.3233/978-1-60750-906-6-15
- Jan 1, 1999
- Studies in health technology and informatics
A Disease Management System (DMS) refers to an integrated healthcare delivery system that provides patient centered care throughout the course of the disease independent of delivery site. A fundamental barrier for the development, implementation and monitoring of a DMS is lack of an appreciation by care providers of the complexity of these systems, and what is required for their maintenance. Foremost in the development of these systems is the presence of information systems that attempt to deal with the temporal, spatial and information needs of the DMS. The Zachman Framework for Information Systems Architecture is used in many industries in the development of information systems. Its choice is based on the recognition of a need for a methodology in the conceptualization and modeling of complex information systems. This paper provides a brief overview of the Zachman Framework and its potential application in DMS development. In particular, it will focus on the need for "perspective" clarification as the first step in the development of such complex systems. This paper reviews DMS and their potential information needs. The clarification of "perspectives" provides a method toward team building and unification of purpose by decreasing conflict and recognizing the unique contributions that each perspective holder makes.
- Research Article
- 10.1007/s11042-014-2047-6
- May 25, 2014
- Multimedia Tools and Applications
For various IT systems, security is considered a key quality factor. In particular, it might be crucial for video surveillance systems, as their goal is to provide continuous protection of critical infrastructure and other facilities. Risk assessment is an important activity in security management; it aims at identifying assets, threats and vulnerabilities, analysis of implemented countermeasures and their effectiveness in mitigating risks. This paper discusses an application of a new risk assessment method, in which risk calculation is based on Fuzzy Cognitive Maps (FCMs), to a complex automated video surveillance system. FCMs are used to capture dependencies between assets and FCM based reasoning is applied to aggregate risks assigned to lower-level assets (e.g. cameras, hardware, software modules, communications, people) to such high level assets as services, maintained data and processes. Lessons learned indicate that the proposed method is an efficient and low-cost approach, giving instantaneous feedback and enabling reasoning on effectiveness of security system.