A New Schema for Security in Dynamic Uncertain Environments

It is our hypothesis that for a complex system of systems operating in a dynamic, uncertain environment the traditional approach of forward, static security is insufficient. What is required are macroscopic schemata for security that incorporate mechanisms which monitor the overall environment and feed their observations back into the security mechanisms so that they can adjust their ‘posture’ accordingly. Such schemata must also account for system-wide aggregated security risks in addition to risk presented by the individual users and information objects. We propose one such schema in this work.

To illustrate the utility of macroscopic schemata, we take two recent studies of access control systems as examples, map their results to the proposed schema, and distill macroscopic insights that are otherwise lost in the details.

We hope that such security schemata will lead to a systematic analysis of security of complex systems akin to what is already available for complex social, biological, and mechanical systems. We hope that macroscopic models based on such schemata will be able to provide, through analysis, large-scale simulations, or by other means, a quantified assessment of the resilience of the security of a system of systems, and in the long run, provide systematic controls that can be used to adjust the security posture of a complex system.

By: Dakshi Agrawal

Published in: RC24759 in 2009

LIMITED DISTRIBUTION NOTICE:

This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties).
