We have come a long way since the early days of the internet, when the world was your oyster and the only risk was the risk of not going on-line.
Today the internet is different.
The opportunities are still high, but so are the threats. Instead of looking out for hazards (sites to avoid), we find that the internet itself has become a hazard.
In this post, we explore what it means to treat the internet as a hazard and how that view can help organizations contend with risk.
The Hazardous Internet
Recently I heard of an organization in the financial sector conducting a dark launch of new features they were introducing to their on-line platform.
A dark launch is a "safe" way to release production-ready software to a small group without exposing the rest of the user base. The technique provides feedback and performance measurements, and in this case it also measured the level of cyber risk the new features attracted.
Within seconds of the launch they detected several bots aggressively attacking their platform. Deploying applications on the net is like putting your hand in a tank of piranha fish.
When it comes to the internet, threats are not a probability that may or may not materialize. Threats are certain and continuous.
The internet, for all intents and purposes, is a hazardous environment in which prolonged exposure will eventually lead to harm.
What Is A Hazard?
Organizations need to contend with all kinds of hazards.
For example, occupational hazards include:
Chemicals - hazardous chemicals
Ergonomic - lifting, pushing, pulling, sitting, standing, lighting, shift work, office, tools, musculoskeletal disorders
Health - pandemics, biological, diseases, disorders, injuries, mould
Physical - temperature, indoor air quality, noise, radiation
Psychosocial - stress, violence / bullying
Safety - driving, electrical, forklifts, garages, ladders, machinery, material handling, platforms, slips, trips & falls, tools
Workplace - confined spaces, scents, indoor air quality, lasers, temperature, ventilation, violence, weather, working alone
Hazards are conditions or actions that may harm a person, a business, the environment, a community, or anything else that we value and want to protect. Hazards are a manifestation of uncertainty: hazards create the opportunity for risk.
Fortunately, operating safely in hazardous environments is not a new concern. It is the focus of occupational health and safety, process and pipeline safety, aviation and aerospace, and functional safety.
Safety in these domains has been studied and practised for decades, long before the internet existed. Viewing the internet as a hazard, while undesirable in some ways, can also be instructive: it affords the application of a body of knowledge from the safety domains to help contend with risk.
In these domains, bow-tie analysis is used extensively to operate safely in the presence of hazards. Can it help with the hazardous internet?
Operating In The Presence Of A Hazard
The bow-tie helps us understand two system properties of cyber security, reliability and resilience, which are used to contend with the hazardous internet (i.e. the dragon of uncertainty). Reliability is a measure of prevention, whereas resilience is a measure of recovery.
Both prevention and recovery controls are needed when working in hazardous conditions and processes and, as it turns out, on the internet.
Reliability
Reliability is the left hand side of the bow-tie where we find prevention controls.
Reliability concerns itself with "keeping the lights on." Prevention is better than recovering from a breach, which is why safeguarding against continuous threats is the priority for anyone operating on-line.
The reliability of the system is often defined as “the probability that the system does not fail in a given environment, during a specified exposure time interval.”
Nancy Leveson (a leader in system safety engineering) frames safety as a control problem. Applied here, this means establishing and managing barriers of defence, safeguards, and other measures that prevent threats from becoming a reality.
The effectiveness of prevention controls is a predictor of reliability.
Resilience
Resilience is the right hand side of the bow-tie where we find recovery controls.
Resilience concerns itself with "restoring the lights after a disruption."
In Eric Hollnagel's book (Resilience Engineering in Practice, 2010) resilience is defined as
"the intrinsic ability of a system to adjust its functioning prior to, during, or following changes and disturbances, so that it can sustain required operations under both expected and unexpected conditions."
Hollnagel might say that resilience is an adaptation problem.
The goal of resilience is to recover when a disruption occurs. Loss mitigation and recovery measures are then deployed to limit the disruption and restore reliability.
Resilience is needed to contend with risk that cannot be prevented.
Resilience is not a substitute for poor planning or unreliability. At the speed at which risk becomes reality, you will never have enough time to adapt after the fact if you are not prepared.
The effectiveness of recovery controls is a predictor of resilience.
Reliability And Resilience - Yin and Yang
In practice, you can't have one without the other.
It is true that the higher the reliability, the less resilience one needs: a system with 100% reliability never needs to recover from failure.
However, when failure does occur, resilience reduces the effects and limits the disruption, which in turn reinforces reliability. Often resilience measures find their way onto the reliability side of the risk equation.
As important as the system properties reliability and resilience are, they are not sufficient to contend with the hazardous internet.
Some risk is irreducible: it cannot be prevented or mitigated. For that, margin is needed in the form of capital reserves, buffers, insurance and other contingencies to absorb losses.
A comprehensive risk/certainty strategy and plan ensures that uncertainty in all its forms is effectively handled. You need reliability and resilience to contend with reducible risk, and margin for everything else.
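To make the two sides of the bow-tie concrete, here is a small model, added to this post and not taken from any of the safety references above, that scores reliability, resilience and margin for a hypothetical internet-facing platform. It assumes threats arrive continuously at a constant daily rate (a Poisson process), that each barrier works independently with a fixed effectiveness, and that a threat which slips past every prevention barrier is the top event (a breach). All barrier names and figures are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from math import exp, log, prod


@dataclass(frozen=True)
class Barrier:
    """A control on one side of the bow-tie and the probability it works."""
    name: str
    effectiveness: float  # 0.0 = useless, 1.0 = never fails (hypothetical figures)


@dataclass
class BowTie:
    threat_rate_per_day: float    # how often the hazard reaches the left edge
    loss_per_breach: float        # unmitigated consequence of one top event
    prevention: list[Barrier] = field(default_factory=list)  # left side
    recovery: list[Barrier] = field(default_factory=list)    # right side

    def top_event_rate(self) -> float:
        """Breaches per day: a threat must get past every prevention barrier."""
        leak = prod(1.0 - b.effectiveness for b in self.prevention)
        return self.threat_rate_per_day * leak

    def reliability(self, exposure_days: float) -> float:
        """P(no breach during the exposure interval), the post's definition."""
        return exp(-self.top_event_rate() * exposure_days)

    def exposure_until(self, breach_probability: float) -> float:
        """Days of exposure after which P(at least one breach) reaches the target.
        With a non-zero top-event rate this is always finite: harm, eventually."""
        return -log(1.0 - breach_probability) / self.top_event_rate()

    def residual_loss_fraction(self) -> float:
        """Share of a breach's loss that survives every recovery barrier."""
        return prod(1.0 - b.effectiveness for b in self.recovery)

    def expected_loss(self, exposure_days: float) -> float:
        """Mean loss over the interval after both prevention and recovery act."""
        breaches = self.top_event_rate() * exposure_days
        return breaches * self.loss_per_breach * self.residual_loss_fraction()

    def margin_required(self, exposure_days: float, confidence: float) -> float:
        """Reserve that covers the breach count at the given confidence level.
        Walks the Poisson distribution of breach counts; this is the part of
        the risk that neither side of the bow-tie removes."""
        mean = self.top_event_rate() * exposure_days
        k, term, cumulative = 0, exp(-mean), exp(-mean)
        while cumulative < confidence:
            k += 1
            term *= mean / k          # P(N = k) from P(N = k - 1)
            cumulative += term
        return k * self.loss_per_breach * self.residual_loss_fraction()


# Constructed figures for a hypothetical platform; not measured data.
PLATFORM = BowTie(
    threat_rate_per_day=100.0,
    loss_per_breach=50_000.0,
    prevention=[
        Barrier("edge filtering", 0.9),
        Barrier("strong authentication", 0.9),
        Barrier("timely patching", 0.9),
    ],
    recovery=[
        Barrier("detection and containment", 0.5),
        Barrier("tested backups", 0.5),
    ],
)

# Same prevention, no recovery: the yin without the yang.
NO_RECOVERY = BowTie(
    threat_rate_per_day=PLATFORM.threat_rate_per_day,
    loss_per_breach=PLATFORM.loss_per_breach,
    prevention=list(PLATFORM.prevention),
    recovery=[],
)


def summary(model: BowTie, exposure_days: float) -> dict[str, float]:
    """Score one bow-tie over an exposure interval."""
    return {
        "breaches per day": model.top_event_rate(),
        "reliability over interval": model.reliability(exposure_days),
        "days to 50% breach chance": model.exposure_until(0.5),
        "expected loss": model.expected_loss(exposure_days),
        "margin at 95% confidence": model.margin_required(exposure_days, 0.95),
    }


if __name__ == "__main__":
    for label, model in (("with recovery", PLATFORM), ("no recovery", NO_RECOVERY)):
        print(label)
        for name, value in summary(model, 10.0).items():
            print(f"  {name:>28}: {value:,.4f}")
```

Run over a ten-day exposure, the two models have identical reliability (the left side is unchanged) but the one without recovery barriers carries four times the expected loss and needs four times the margin, which is the post's point that resilience handles what prevention lets through and margin covers what neither absorbs.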
Summary
Some organizations are still catching up and coming to grips with the fact that the internet is not, and never was, a safe place to browse or do business. They will do their best (I am sure) and hope for the best.
Other organizations view the internet differently. They see its potential but realize that it is a hazard that needs to be managed. Unfortunately, the risk cannot be eliminated by removing the hazard, so we must learn to operate in its presence.
Viewing the internet as a hazard, while undesirable in some ways, can also be instructive: it affords the application of a body of knowledge from the safety domains to help contend with hazards, a primary source of uncertainty and risk.
So it's time to learn how to use BOW-TIES, HAZOP, BARRIER ANALYSIS, STAMP / STPA, FRAM, and the other tools of the trade. These are not new, but they might be new to you.