samrat.io

Projects

For my academic project, I decided to conduct research into Dependency Modelling and Risk-Resilience, with the aim of dissecting the problem of scale of dependencies within large organisations.


I first sought to replicate simple Dependency Modelling techniques by presenting dependencies in a Parent-Child relationship. This gave me a control against which to compare the other modelling techniques.

Simple Model

A Risk Model based upon a simple Security Survey.
The length and colour of the lines indicate a higher risk for those dependencies.
This was built using the ete4 library.
etetoolkit.org

I then proceeded to create a Dependency Model which factors in Risk-Resilience by introducing a Security Management Survey, implemented as a Spreadsheet (exported as CSV).

Users were presented with a list of dependencies within their organisation and invited to give Confidence scores out of 5 (1 - Lowest, 5 - Highest).

These scores were then normalised so that they could be used to calculate the Bayesian Probability of Risk to each system.

With this, organisations can now project their Risk Assessments as part of their Dependency Modelling.
Bayesian Model

An advanced version of the previous Model which now calculates the total risk to each of the System's Dependencies.
Blue - Low Risk, Yellow - Medium Risk, Red - High Risk
(line length is proportional to Risk, for Clarity).

In-depth Security Survey

This is the Security Survey, which is implemented in Excel.
It takes in confidence scores for each of these categories and normalises them to give a Bayesian Probability of Risk.
(Extended Dependency Modelling Technique for Cyber Risk Identification in ICS - Rotibi et al.)
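Added example (not the project's own code) of the survey-to-probability step described above: confidence scores from a CSV export are normalised to failure probabilities and then combined up the Parent-Child tree to give each system's total risk and its Blue/Yellow/Red band. The CSV layout, the linear 1-5 mapping, the noisy-OR combination and the band thresholds are all assumptions; the survey data is constructed.

```python
import csv
import io

# Constructed sample survey export (CSV); the column names are assumptions.
SURVEY_CSV = """dependency,parent,confidence
Web Portal,,5
Auth Service,Web Portal,4
Database,Auth Service,4
Firewall,Web Portal,4
IDS,Firewall,3
"""

def normalise(score):
    """Map a 1-5 confidence score to a failure probability in [0, 1] (assumed linear mapping)."""
    if not 1 <= score <= 5:
        raise ValueError(f"confidence must be 1-5, got {score}")
    return (5 - score) / 4

def load_survey(text):
    """Parse the CSV into per-node failure probabilities and a parent -> children map."""
    local, children = {}, {}
    for row in csv.DictReader(io.StringIO(text)):
        name = row["dependency"].strip()
        local[name] = normalise(int(row["confidence"]))
        children.setdefault(name, [])
        parent = row["parent"].strip()
        if parent:
            children.setdefault(parent, []).append(name)
    return local, children

def total_risk(name, local, children, memo):
    """Noisy-OR: a system fails if it fails itself or any child fails (failures assumed independent)."""
    if name not in memo:
        survive = 1 - local[name]
        for child in children.get(name, []):
            survive *= 1 - total_risk(child, local, children, memo)
        memo[name] = 1 - survive
    return memo[name]

def category(p):
    """Assumed thresholds for the Blue (Low) / Yellow (Medium) / Red (High) bands."""
    return "Low" if p < 0.34 else "Medium" if p < 0.67 else "High"

def assess(text):
    """Return {dependency: (total risk, band)} for every node in the survey."""
    local, children = load_survey(text)
    memo = {}
    return {n: (total_risk(n, local, children, memo), category(memo[n])) for n in local}
```

The memo means each node is visited once, so the same pass works on a tree with thousands of dependencies; the cost that remains is the survey itself, which is the scaling problem discussed next.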

However, I still saw the critical problem of scale with this approach: in larger organisations, dependencies can easily number in the thousands from the outset.

Not to mention how adding new dependencies would affect the model, as all the new relationships would have to be mapped onto the existing ones once again.

Even assuming the best case, in which each Parent dependency has only two Child dependencies, the model grows exponentially, which is unsustainable in the long term.

Thus, I deconstructed this problem and realised that it is fundamentally a problem of Management first, Security second. The real question being asked was how to manage all these dependencies in order to achieve Security.

In order to tackle this, I looked towards Cybernetics, specifically Management Cybernetics and the Viable System Model (VSM) by Stafford Beer.

This is because the VSM is a recursive modelling technique designed to take a Systematic approach to modelling relationships, where each dependency is grouped into one of Five different systems, all coming together to make one viable system.

System   Function       Example in Information Security
1        Operations     Firewall, Intrusion Detection System (IDS)
2        Coordination   Incident Response Team (IRT), Security Incident Management
3        Control        Security Policy Enforcement, Access Control Systems
4        Intelligence   Threat Intelligence Platforms, Vulnerability Scanning
5        Policy         Governance, Risk, and Compliance (GRC) Framework