CRACS — Cyber Risk Assessment for Coupled Systems
TEAM: Jason R C Nurse (University of Oxford), David De Roure (University of Oxford), Sadie Creese (University of Oxford).
Partners: Fujitsu Labs Europe, NSC
Risks to critical infrastructure, in companies or countries, are currently assessed using methodologies which were established prior to the pervasive (and often automated) coupling of digital, cyberphysical and social systems. As system complexity and automation increase, we create new opportunities for failures, or emergent behaviours, which have knock-on effects through multiple coupled systems.
By simply extending existing risk assessment methodologies to embrace IoT we could be blind to these new risks arising in the IoT ecosystem. These may relate to cyber-attack, but equally to new social processes which emerge at the scale of the population in real time (e.g. viral effects in social media), and to the “natural disasters” inherent in accidental failure of IT systems. Analysing the risks inherent in these coupled systems will also provide insights into risk mitigation—where we deliberately want cracks to appear in order to decouple systems.
This project will conduct scoping work to identify the new risks in coupled systems and explore the development of new methodologies, by working with multiple stakeholders. A series of focus group meetings will be held, each hosted by a stakeholder who brings particular risk case studies and lenses. The methodologies to be explored include the “social machines” lens onto socially and digitally coupled systems, and the use of simulation tools.
Outputs thus far:
- Nurse, J.R.C., Creese, S., & De Roure, D. (2017). Security Risk Assessment in Internet of Things Systems. IT Professional, 19(5), 20-26.
The project will hold three scoping workshops as follows:
- University of Oxford – launch, established risk assessment, new lenses
- Fujitsu Labs Europe – risk in the human centric intelligent society; e.g. how to build services on an information infrastructure known to be unreliable or even hostile
- NSC – training and simulation; e.g. role of simulation in assessment and mitigation