A systems approach to cybersecurity: the future of digital safety?


The last few years have seen a noticeable increase in the number of cyberattacks on critical infrastructure. Such is the threat posed by these attacks that governments around the world have sat up and taken notice, with various proposals made to try and mitigate the risk.

A recent paper from Austria’s International Institute for Applied Systems Analysis highlights the need for such actions to engage a wide range of stakeholders, all working together to ensure that there aren’t any potential weak spots for attackers to exploit.

It calls for a more holistic assessment of the cybersecurity landscape, with the potential impact of a successful attack represented across multiple dimensions.

ADVERTISEMENT

Connected systems

The growing sophistication of critical infrastructure means that it is increasingly connected, with even the most analog of systems now reliant on an array of sensors and digital networks to maintain and optimize their operations. While this growing sophistication has significantly impacted the systems' efficiency, it has also increased the vulnerability of these systems to cyberattacks.

"With the amount of data inflow today, vulnerabilities have also grown exponentially…Every company should have a security-focused approach that constantly monitors the world of cybersecurity and strengthens its security policies on a regular basis,"

Ashok Chandrasekaran told Cybernews.

Successful attacks can therefore have wide-reaching and sometimes life-threatening consequences. The last few years have seen attacks able to shut systems down, disrupt operations, and even control networks remotely, causing a multi-dimensional array of impacts. This multi-dimension nature means that existing methods of managing cyber threats are often inadequate.

There is a case to make for tools that can successfully distinguish between all of the various elements of cyber risks, with this multi-dimensionality allowing security measures to be designed that can make the most efficient use of often scarce resources.

Risk matrices

A common security approach is to develop a risk matrix that allows for the creation of individual risk scenarios, with each scenario assigned a risk score that allows security teams to prioritize their resources. This can lead to sub-optimal allocation of resources, however, as threats tend to be addressed iteratively in order of priority, with the most threatening first and gradually down the list until your resources have run out. This iterative approach prevents any possible synergies between different attacks and security measures from being considered or taken advantage of.

By combining multiple attack scenarios, the authors believe they can gain a better appreciation of the vulnerabilities they face. They have developed a model based upon Bayesian reasoning to represent the security landscape as a complex system. This, in turn, allows threats to be represented in terms of probability and a real-time assessment of the threats faced produced as well as any exploits that are detected.

ADVERTISEMENT

On top of the Bayesian network was placed a multi-objective model that aims to represent the various dimensions of any potential impact caused by a successful cyberattack. This seemingly creates a more realistic representation than a simple cost-benefit analysis and therefore allowed for more nuanced security objectives to be created.

As cybersecurity becomes more complex and interconnected, such a systemic approach is likely to be crucial if organizations are to effectively tackle threat actors that are willing to create ever more sophisticated methods of attack.