Complex systems are currently a controversial topic that many authors and researchers have discussed in their attempts to come to terms with its complexity. Mitchell (2006), for instance, affirms that, “What has transformed historically and what has resulted in the topic being fascinating is the key technique for the study of complex systems is a simulation. It’s also because of this, powerful machines, particularly clusters, made way for empirical insight into this topic (p. 119).” The central premise of complex systems as a field is that the behavior of a system cannot be described or understood by knowing only the behavior and functionality of its individual components. The reason is that part of the behavior of the entire system of systems (SoS) also lies in the connections that are established among the components (Heylighen, 2008, p. 86).
The objective of this work is to argue that information systems are complex systems of systems and that, when risk assessments are undertaken, the assessment is performed on a very simplified system. This means that it does not take into consideration the complexity of the underlying information environment. I will also describe a risk assessment approach that does not disregard the complexity integral to the system but, on the contrary, considers it the most significant aspect. The paper explores what is meant by complex systems and presents the prevailing methods of risk assessment. It then discusses why risk assessment is complex and why the complexity should not be removed. Risk management will also be analyzed on the principle that it should be regarded as linked to complexity theory. The work ends with a conclusion.
Complex Systems of Systems
It is not easy to come up with an exact and precise definition of the term complex systems. Thus, the common method used is to stipulate the key attributes and/or components of complex systems. Ottino (2008) explains, “To determine if some of the systems are complex or not, the existence of the components is looked at, and if most of them are available, then the system is regarded as a complex system. The complex systems have a framework that is composed of the linked, likely heterogeneous components. The link could be either symmetric or transform as time moves.”
An estimate of a system's complexity is an important quantity. For example, if a system is under development and its design changes over time, then the expectation could be that the estimate of complexity will rise. If the complexity of the actual system is also measured to some extent, then the difference between the measured and estimated values will approach zero as the design gets better. Similar behavior and applications depend on the estimate (Newman, 2003). However, an estimate of complexity is not easy to come by, despite the numerous proposals.
Risk Assessment
Risk assessment forms part of the overall security process, which has the role of guarding the information resources of individuals and firms. There are various methods, but in this essay the focus will be on NIST’s risk assessment approach. The procedure for determining risk has nine steps, but for this study seven will be used. Shalizi (2006) states, “The first step is system characterization, followed by threat identification, vulnerability identification, control examination, likelihood determination, impact analysis, and lastly risk determination. In the system characterization, the intention is to pinpoint the components, traits and the boundaries of the system in the risk management process. The threat identification step is to state the likely threat sources which are categorized as natural, artificial or environmental. The objective for vulnerability identification is to mark the weaknesses of the system (p. 48).” In the control analysis phase, the intention is to identify all of the existing controls. In the likelihood determination phase, the probability that each identified vulnerability will be exercised by some threat is analyzed. Finally, in risk determination the output from all of the other steps is aggregated, and risk is determined for every pairing of vulnerability and threat source. This makes it possible for risks to be rated and resources to be focused on the most significant or greatest risks (Shalizi, 2006, p. 63).
Complexity of Risk Assessment
The analysis will look at how risk assessment should be performed by arguing that the information system for which risk assessment is undertaken is a complex system. Consequently, the risk assessment is performed for a complex system, and any technique that describes how risk assessment should be performed has to take this fact into consideration. To begin with, the information system is composed of resources. A resource can be explained as anything that has any relation to the information that should be secured. Stoneburner, Goguen, & Feringa (2002) note, “Resources undertake a lot of interactions in various and very complex means, which are subsequent, the important components of any organization. Thus, this is the first element of the complex system; information system has internal setting.”
Next, a feature of complex systems is that the system exhibits behavior that is not seen in its individual parts. This is referred to as emergent behavior, and it is hard to identify. Attacks on a complex system depend on security breaches of several components so that a target can be compromised. This could be regarded as emergent behavior. Also, SoSs can continuously adapt to inputs and changes (Larsen-Freeman & Cameron, 2008). As the last attribute, complex systems have some uncertainty. This relates to the notion, familiar to anyone who handles security issues, that absolute security does not exist. This leads to the conclusion that the information system, which is the basis for any SoS, is a complex system and so has to be regarded in the same way.
Complexity Based Risk Management Method
The technique proposed in this paper rests on the basis that the information system is a complex SoS in which the links between the components play a key role and therefore have to be considered. Risk assessment is a complex process that also has to be performed as close to real time as possible. Thus, the approach must not be hard to automate. In his work, Shalizi (2006) explains, “The design of the information system which is applied in the creation of risk assessment will not easily be the same as the actual system, and thus there is a high chance of errors (p. 110).” Nevertheless, the model has to aim to match the actual system, and modifications to the design could be estimated by considering the complexity of the model. Lastly, the values of the resources have to be determined independently of any person’s subjective perception. This implies that if two people perform the same task, the outcome will be similar, on the assumption that they both employed a similar underlying design.
The risk management approach proposed in this paper consists of the following steps. First, state all the resources and establish the connections between them. Second, for the resources, consider the vulnerabilities, threats, and controls. Third, assess where there are security risks by examining how the threats can spread through the system. Next, add controls to minimize the highest risks. Lastly, refine the model by adding extra resources, connections, and more information.
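The following Python sketch works through these steps on a small resource graph; it is an added example and not part of the original essay. The propagation rule (a resource is compromised directly or through any compromised neighbour, with the events treated as independent), the way a control scales probabilities, and every name and number in the sample system are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Resource:
    name: str
    value: float           # impact if compromised (constructed units)
    exposure: float        # P(direct compromise) from its own threats and vulnerabilities
    control: float = 0.0   # fraction of direct and incoming threat removed by controls
    reachable_from: dict = field(default_factory=dict)  # source name -> P(threat spreads over link)

def compromise_probabilities(resources, use_links=True, rounds=100, tol=1e-12):
    """Iterate to a fixed point so cyclic connections are handled too.
    Assumed rule: a resource falls directly or via any compromised neighbour,
    with the events treated as independent."""
    p = {n: r.exposure * (1 - r.control) for n, r in resources.items()}
    if not use_links:
        return p
    for _ in range(rounds):
        new = {}
        for n, r in resources.items():
            safe = 1 - r.exposure * (1 - r.control)
            for src, link in r.reachable_from.items():
                safe *= 1 - p[src] * link * (1 - r.control)
            new[n] = 1 - safe
        delta = max(abs(new[n] - p[n]) for n in p)
        p = new
        if delta < tol:
            break
    return p

def ranked_risks(resources, use_links=True):
    """Risk = P(compromise) x value, highest first."""
    p = compromise_probabilities(resources, use_links)
    return sorted(((n, p[n] * resources[n].value) for n in p),
                  key=lambda item: item[1], reverse=True)

def sample_system():
    # Constructed three-tier system; all numbers are illustrative.
    items = [
        Resource("web", value=10, exposure=0.30),
        Resource("app", value=30, exposure=0.05, reachable_from={"web": 0.5}),
        Resource("db", value=100, exposure=0.01, reachable_from={"app": 0.8}),
    ]
    return {r.name: r for r in items}

if __name__ == "__main__":
    system = sample_system()
    print("components in isolation:", ranked_risks(system, use_links=False))
    print("with connections:       ", ranked_risks(system))
    system["db"].control = 0.5  # step 4: add a control at the highest risk
    print("after control on db:    ", ranked_risks(system))
```

Assessed in isolation, the database ranks last; once the connections are included it ranks first, which is the effect the essay attributes to the links between components.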
Conclusion
In this essay, the argument was that the information system is a complex SoS and, by extension, that the risk management procedure is itself a complex process, as it relates to the complex system. This has consequences for the prevalent approaches, because it implies that there is no possibility of reducing the system to its primary components and treating them separately, as the result of this technique can differ greatly from the actual situation. A further implication is that some components could be left out, and others could be exaggerated.
Also, a novel risk management procedure was presented that takes complexity into consideration and does not attempt to simplify things where they are complex. The procedure lends itself to a great extent of automation, which increases its objectivity and, very significantly, its speed, permitting it to function in real time. Nonetheless, a lot of work has to be performed before the method can be beneficial in practice. For example, the precise interaction between the dependency of the resources and the controls has to be ascertained. Besides, the spreading of threats in the system should also be analyzed empirically.
References
Stoneburner, G., Goguen, A., & Feringa, A. (2002, July). NIST Special Publication: Risk Management Guide for Information Technology System. Retrieved from National Institute of Standards, U.S.: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
Heylighen, F. (2008). Complexity and self-organization, in Encyclopedia of Library and Information Sciences. Taylor & Francis.
Larsen-Freeman, D., & Cameron, L. (2008). Complex systems and applied linguistics. Oxford University Press.
Mitchell, M. (2006). Complex systems: Network thinking. Artificial Intelligence, 1194–1212.
Newman, M. E. (2003, March). The structure and function of the complex. Retrieved from Arxiv Website: http://arxiv.org/abs/
Ottino, J. G. (2008). Foundations for Complex Systems Research in the Physical Sciences and Engineering. NSF Workshop.
Shalizi, C. R. (2006). Methods and techniques of complex systems. Complex Systems Science in Biomedicine, 33-114.