Applying Soft Systems Methodology to Complex Problem Situations in Critical Infrastructures: The CS-AWARE Case Study

Modern technology, in addition to all its benefits, creates new threats and attack vectors for individuals and organisations. In recent years, the number of cyber attacks has increased drastically, as has the extent of their effects. These circumstances clearly show that a different approach to cybersecurity is required: a holistic, collaborative strategy to improve the security situation for society and the economy as a whole. In the European Union, the legal framework that is currently developing (such as the network and information security (NIS) directive) recognises the increasing need for cooperation and collaboration among individual actors to improve cybersecurity. Information sharing is therefore one of the key elements of the NIS directive. In this paper, we present and demonstrate a system and dependency analysis based on soft systems thinking. This approach is able to capture the relations between assets and their internal and external dependencies in the complex systems of organisations. It is applicable to critical infrastructures or other organisations that base their operations on complex systems and interactions. The analysis is carried out in a socio-technological manner: the human aspect of the systems is considered as important as the technical or organisational aspects. The case study presented in this paper, covering the first steps towards the development of a holistic cybersecurity awareness solution, is based on three focus points: an initial threat assessment for local public administrations (LPAs), an analysis of external information sources, and an analysis of the piloting scenarios based on the first round of soft systems analysis workshops. The results are essential to the development of the solution's implementation framework and to further software development.
Keywords–Cybersecurity; Critical Infrastructures; System Analysis; Soft Systems Methodology; Socio-technological Analysis; Cyber Situational Awareness; Information Sharing.
