Cybersecurity Lessons from "The Grammar of Systems | From Order To Chaos & Back" (Part 3/3)
This is the final part of this series.
I will cover the last 11 laws and principles from the book and will follow this structure:
I'm looking forward to your comments and hope others will share their interpretation of these laws and principles in their domain of expertise.
This part was challenging. Many of the principles sound "logical", but I couldn't think of how they could be relevant to cybersecurity. That doesn't mean they aren't; it just means I couldn't see the connection at the time.
23. Redundancy of Potential Command Principle
"Your ability to be effective in complex situations depends on bringing together the right mix of information."
"in any complex decision network, the potential to act effectively is conferred by an adequate concatenation of information."
"…our ability to act effectively depends on the decisions we make, and the quality of those decisions depends on bringing together the right set(s) of information."
The Hoverstadt corollary from the Redundancy of Potential Command Principle is: "everything being equal, organisations will take the decisions they have the information to take."
Notes
The first problem I see in cybersecurity is ignoring that we are dealing with a complex system from the start. That leads to simplifications in the form of "just do …" or "they should just have done …".
Ignoring that we are dealing with complex systems leads to making decisions with bad models (ignoring complexity) and flawed information. The poster boy is probably the heat map or risk matrix. It's a flawed model that uses highly subjective guesswork disguised with numbers.
24. Root Structuring Theorem
"Structuring a system to have the same number of sub-systems at each level reduces its complexity."
"complexity decreases as the number of sub-systems approaches the square root of the number of system elements."
"all other factors being equal, the optimal level of structuration of a system to reduce the likelihood of becoming incipiently unstable will be when the number of sub-systems is the square root of the number of elements."
"Root Structuration Theorem does help guide you to how many sub-systems we should be looking for in deciding the structure."
Notes
I can't think of a cybersecurity-specific example.
But, for example, if we had 100 systems all talking to each other via APIs, a more stable arrangement would be one split into ten sub-systems (the square root of 100). The elements of a group talk to each other, but the groups are connected through a bus, middleware, etc. So instead of 100 elements all talking to each other, we now have 10 sub-systems talking to each other.
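To make the arithmetic of the 100-element example concrete, here is an added illustration that is not from the book or the original post. It assumes a simple model of my own: each sub-system is a full mesh internally, and each sub-system has one link to a shared bus. It also adds the check a security reviewer would want: splitting the graph only shrinks what an intruder can reach if the bus actually enforces policy.

```python
from math import comb, isqrt


def full_mesh_links(n: int) -> int:
    """Undirected links when each of n elements talks directly to every other."""
    return comb(n, 2)


def partitioned_links(n: int, k: int) -> int:
    """Links after splitting n elements into k equal sub-systems.

    Assumed model for this illustration: each sub-system is a full mesh
    internally, and each sub-system has exactly one link to a shared
    bus/middleware through which the sub-systems talk to each other.
    """
    if k <= 0 or n % k:
        raise ValueError("n must split evenly into k sub-systems")
    size = n // k
    return k * comb(size, 2) + k


def max_fan_out(n: int, k: int) -> int:
    """Largest number of parties any single party must coordinate with:
    the bus with its k sub-systems, or an element with its size-1 peers."""
    size = n // k
    return max(k, size - 1)


def root_partition(n: int) -> int:
    """Sub-system count suggested by the theorem: the square root of n."""
    return isqrt(n)


def best_partition(n: int) -> int:
    """Divisor k of n that keeps the largest fan-out smallest (ties: smaller k).
    For n = 100 this lands on the theorem's square root, 10."""
    divisors = [k for k in range(1, n + 1) if n % k == 0]
    return min(divisors, key=lambda k: (max_fan_out(n, k), k))


def directly_reachable(n: int, k: int, bus_enforces_policy: bool) -> int:
    """Elements an attacker on one element reaches without crossing a control.

    If the bus merely forwards traffic the partition is cosmetic: every other
    element is still one hop away. Only when the bus enforces policy does the
    reachable set shrink to the element's own sub-system.
    """
    if bus_enforces_policy:
        return n // k - 1
    return n - 1


if __name__ == "__main__":
    n = 100
    k = root_partition(n)  # 10
    print(f"full mesh: {full_mesh_links(n)} links")                         # 4950
    print(f"{k} sub-systems + bus: {partitioned_links(n, k)} links")        # 460
    print(f"largest fan-out with {k} sub-systems: {max_fan_out(n, k)}")     # 10
    print(f"largest fan-out with 4 sub-systems: {max_fan_out(n, 4)}")       # 24
    print(f"reachable, bus enforcing: {directly_reachable(n, k, True)}")    # 9
    print(f"reachable, bus forwarding: {directly_reachable(n, k, False)}")  # 99
```

Note that in this model the raw link count keeps falling the more groups you make; what the balanced (square-root) split minimises is the largest fan-out, so neither the groups nor the bus turns into a new full mesh. The `directly_reachable` figures are the security caveat: segmentation on paper is not segmentation until the middleware mediates who may talk to whom.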
25. Structural Viability Theorem
"A system has optimal viability when its change rate / environmental change rate is similar to that of its sub-systems"
"…systems need to be able to change at a rate that matches the rate of change in their environment."
"That in turn means that different sub-systems of our system might need to be able to change at different rates."
Notes
We are likely to experience this in organizational systems. For example, the business has a need for change that operations can't meet. Or, the other way around, operations realizes that certain changes must happen quickly while the business is unable to support this swift change. As a result, the system made of these sub-systems suffers; for example, cybersecurity objectives will not be met.
26. Steady State Principle
"Stability of the system depends on the level of stability of its sub-systems and vice versa."
"if a system is in a state of equilibrium (a steady state), then all sub-systems must be in equilibrium. If all sub-systems are in a state of equilibrium, then the system must be in equilibrium."
"And the static vs. dynamic mental trap is that we tend to think that equilibrium equals stasis, when actually it means a dynamic balance."
"…the Steady State Principle asks you to think about organizational systems as sets of interdependent sub-systems all changing at different rates and the ripples of change that creates."
Notes
None
27. Law of Sufficient Complexity
"The system does what it does because it is what it is."
"A complex system constitutes its own simplest behavioral description."
"Which means that, if the system remains the same, with the same structure, and inputs, then it's likely to carry on doing the same thing."
"if you are what you've always been you'll do what you've always done."
"The Law of Sufficient Complexity speaks to the need to change the system's structure if you want its behaviors to change."
"…if the system doesn't itself change, its behaviors aren't likely to."
"…attempts to change the behavior of a complex system without changing how it's constituted are likely to fail. The nature of the system will reassert itself at some point."
"…if you just want the system to do what it reliably does, then you can operate in Black Box mode, you don't need to know how it does what it does. But if you want it to do something different, then you really do need to understand why it does what it does, which in turn, as the Law of Sufficient Complexity says, depends on how it's constituted."
Notes
None
28. Fractal Principle
"Systems replicate their own form."
"Where a system creates new sub-systems, those tend to be a reflection of its own systemic structure and hence fractals."
Notes
This reminded me of Conway's Law
"Any organization that designs a system (defined broadly) will produce a design whose structure is a copy of the organization's communication structure." —Melvin E. Conway
The similarities between different levels of a system help create stability.
If the systems we create don't work is that a reflection of a broken system that created them?
29. Relaxation Time Principle
"A system that is repeatedly shocked at shorter intervals than its recovery time may never stabilize."
The Relaxation Time Principle states that "a system can only stay stable if the system's relaxation time is shorter than the mean time between disturbances."
?"So the relaxation time is the time necessary for the system to relax back to its stable state after it has been disturbed. If it gets disturbed again before it's had a chance to settle down, it doesn't get back to stable and if this happened repeatedly, then it may never stabilize."
Notes
In business continuity, we talk about the recovery time objective (RTO). The relaxation time is likely longer than the RTO. Imagine a disaster: you recover and meet your RTO, and then immediately a second disaster occurs. Not many organizations will be able to deal effectively with the second disaster. But if there had been more time between the two disasters, the situation would likely be different.
Another scenario could be with a new manager taking over and then being replaced by another one shortly after.
The point is that changes that come too frequently, without periods of stabilization, are bad.
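As an added example (mine, not the book's or the original post's) of how the principle could be applied to an incident timeline: the functions below take a constructed list of disturbance start times and a relaxation time in hours. `stable_on_average` is the principle's literal test against the mean time between disturbances; `recovery_windows` walks the actual timeline instead, restarting the relaxation clock at every new disturbance, and reports how many disturbances arrived before the system had settled and how long the longest stretch without a steady state lasted. The sample timestamps are constructed for the illustration; the one modelling assumption is that a new disturbance restarts the clock rather than adding to it.

```python
from datetime import datetime, timedelta

# Constructed sample, not real incident data: start time of each disturbance.
INCIDENT_STARTS = [
    "2024-03-04T08:00",
    "2024-03-04T10:00",
    "2024-03-04T11:00",
    "2024-03-04T18:00",
    "2024-03-05T09:00",
]


def _parse(raw_starts):
    """ISO-8601 strings -> sorted datetimes."""
    return sorted(datetime.fromisoformat(s) for s in raw_starts)


def _hours(td):
    return td.total_seconds() / 3600


def mean_hours_between(raw_starts):
    """Mean time between consecutive disturbances, in hours."""
    starts = _parse(raw_starts)
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    return _hours(sum(gaps, timedelta())) / len(gaps)


def stable_on_average(raw_starts, relaxation_hours):
    """The principle's literal test: relaxation time < mean time between disturbances."""
    return relaxation_hours < mean_hours_between(raw_starts)


def recovery_windows(raw_starts, relaxation_hours):
    """Replay the timeline. Each disturbance restarts the relaxation clock
    (assumption for this model). Returns
    (disturbances that hit while still recovering, longest unstable span in hours)."""
    starts = _parse(raw_starts)
    relaxation = timedelta(hours=relaxation_hours)
    hits = 0
    longest = timedelta()
    span_start = None   # when the current unstable span began
    recover_by = None   # when the system would be back to steady state
    for s in starts:
        if recover_by is not None and s < recover_by:
            hits += 1                 # shocked again before settling
        else:
            if span_start is not None:
                longest = max(longest, recover_by - span_start)
            span_start = s            # a fresh unstable span begins
        recover_by = s + relaxation   # clock restarts at this disturbance
    if span_start is not None:
        longest = max(longest, recover_by - span_start)
    return hits, _hours(longest)


if __name__ == "__main__":
    for relax in (4, 8):
        hits, longest = recovery_windows(INCIDENT_STARTS, relax)
        print(f"relaxation {relax}h: mean gap {mean_hours_between(INCIDENT_STARTS):.2f}h, "
              f"stable on average: {stable_on_average(INCIDENT_STARTS, relax)}, "
              f"hit while recovering: {hits}, longest unstable span: {longest}h")
```

With a four-hour relaxation time the mean gap (6.25 h) says the system is stable, yet two of the five disturbances land while it is still recovering and it spends seven hours without a steady state. That is the practical caveat: the mean between disturbances hides clustering, and it is the clusters, the second disaster right after the first, that an organisation fails to absorb.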
30. Scaling Stasis Principle
"The more complex a system is, the more constraints it has."
"Each extension of the boundary with the environment subjects the system to more stimulus from outside and typically a higher variety of stimuli. As these stimuli ripple through the system they put more demands on the interdependencies between sub-systems."
"At the same time, the increase in the number of interdependencies within the system constrains its ability to adapt."
Notes
When systems become larger, they increase in complexity. With the growth, the system interacts more with its environment, and the interdependencies within the system grow as well. The increase in interdependencies makes it more difficult for the system to adapt. If one constrained part is not able to adapt, the whole system faces problems.
An organization in a merger or expansion phase will observe an increase in interactions and dependencies. Any part that can't adapt might get dropped from the system (either by a conscious action or by the other parts avoiding and working around it).
Keep it simple.
31. Conant-Ashby Theorem
"The ability to deal with any situation depends on how good your model of it is."
"Every good regulator of a system must be a model of that system."
"'regulator' means anything or anyone that is trying to guide, control or direct a system."
"The logic goes something like this. Since the system we're trying to manage is typically more complex than we are (in a human system, it's usually got more people in it, each with a degree of free will), we have to simplify it in order to understand it - and that is a model, a simplification that holds the key elements, relationships and dynamics of the system and ignores a lot of extraneous detail. The model is the encapsulation of our understanding of the system and we use it (consciously or not) to work out what the system is doing and what we could / should do about it."
"With no model or inadequate models, you intervene at random, and the results will be … random."
Notes
This is about the importance of modeling.
"modeling - building, checking and maintaining models - is not a luxury, it's absolutely essential to our understanding and to our effectiveness."
What many don't realize is that we are always using models. If we aren't using formal models, we are using mental models. Without mental models, we would not be able to make daily decisions. The challenge is to realize when we need to replace mental models with formal models.
32. Feedback Dominance Theorem
"Loops with strong feedback will take you where they take you, irrespective of the size of the input."
"for high gain amplifiers, the feedback dominates the output over wide variations in input."
"…whatever the initial starting conditions, if the feedback is strong enough (high enough gain) the outcome will be the same."
Notes
None
33. Principle of Emergence
"The whole is more than the sum of its parts."
"Emergence is a property of a system that is not a property of the parts of the system on their own."
"To see emergence, you have to look primarily at the system as a whole rather than the parts, hence the rejection of reductionism in systems practice."
Notes
This is probably one of the most famous principles of systems, but surprisingly too frequently ignored in the domain of cybersecurity.
We are constantly occupied with studying the parts and ignoring that security is not created by just implementing these parts.
Security emerges out of the relationships and the interactions of all its parts. A higher state of security does not emerge because we implemented a firewall, but because of how that firewall connects and interacts with all the relevant parts of the system.
This thinking also requires us to recognize and understand the larger system (or systems) that allowed security to emerge. When you recognize that an organization reached a level of security you covet, the objective should be to recognize the system that generated this security. It isn't just because they hired the new CISO or implemented certain technologies.
If you fancy a reference list of the laws and principles you can get it here.
Engineering Student | Cyber Security Enthusiast | Content Writer | Digital Marketer | Founder of NF LifeStyle | Innovating at the Intersection of Technology and Fashion
4 months: Great writing, sir. You should start your own blogging website to share the knowledge all over the world, which also helps you make extra money...
Head of Cyber Security @ QAFCO | CISSP, GICSP, GRID, GCIH, ISO 27001 LA
2 years: Here is why I have a problem with Adam's Law: for it to make sense, first there must exist a well-defined concept of "low risk component", which I can't find anywhere. To me, a component's risks can only be stated in the context of the system they fit in. We all know that a low risk airplane tire is not necessarily a low risk car tire; it comes intuitively to human thinking, or at least engineering thinking, I guess. If you try to consider risks to components in isolation from their containing systems, then those risks by definition have nothing to do with said system. A very simplistic example is the risk of the aforementioned airplane tire sitting on a table falling to the ground or burning in the warehouse. The concept is so obviously ridiculous. You might say, how about the risk of the tire sitting in the warehouse bursting under pressure, and I would say that that risk is defined by the tire's function in the parent system; otherwise bursting under pressure might be a desirable effect, as in rupture disks, for example.
Head of Cyber Security @ QAFCO | CISSP, GICSP, GRID, GCIH, ISO 27001 LA
2 years: Thank you for providing me with the best reading recommendations.