Complexity Science in Cyber Security

Computers and the Internet have become indispensable for homes and organisations alike. The dependence on them increases by the day, be it for household users, in mission critical space control, power grid management, medical applications or for corporate finance systems. But also in parallel are the challenges related to the continued and reliable delivery of service which is becoming a bigger concern for organisations. Cyber security is at the forefront of all threats that the organizations face, with a majority rating it higher than the threat of terrorism or a natural disaster.

In spite of all the focus Cyber security has had, it has been a challenging journey so far. The global spend on IT Security is expected to hit $120 Billion by 2017 [4], and that is one area where the IT budget for most companies either stayed flat or slightly increased even in the recent financial crises [5]. But that has not substantially reduced the number of vulnerabilities in software or attacks by criminal groups.

The US Government has been preparing for a “Cyber Pearl Harbour” [18] style all-out attack that might paralyze essential services, and even cause physical destruction of property and lives. It is expected to be orchestrated from the criminal underbelly of countries like China, Russia or North Korea.

The economic impact of Cyber crime is $100B annual in the United states alone [4].

There is a need to fundamentally rethink our approach to securing our IT systems. Our approach to security is siloed and focuses on point solutions so far for specific threats like anti viruses, spam filters, intrusion detections and firewalls [6]. But we are at a stage where Cyber systems are much more than just tin-and-wire and software. They involve systemic issues with a social, economic and political component. The interconnectedness of systems, intertwined with a people element makes IT systems un-isolable from the human element. Complex Cyber systems today almost have a life of their own; Cyber systems are complex adaptive systems that we have tried to understand and tackle using more traditional theories.

2. Complex Systems – an Introduction

Before getting into the motivations of treating a Cyber system as a Complex system, here is a brief of what a Complex system is. Note that the term “system” could be any combination of people, process or technology that fulfils a certain purpose. The wrist watch you are wearing, the sub-oceanic reefs, or the economy of a country – are all examples of a “system”.

In very simple terms, a Complex system is any system in which the parts of the system and their interactions together represent a specific behaviour, such that an analysis of all its constituent parts cannot explain the behaviour. In such systems the cause and effect can not necessarily be related and the relationships are non-linear – a small change could have a disproportionate impact. In other words, as Aristotle said “the whole is greater than the sum of its parts”. One of the most popular examples used in this context is of an urban traffic system and emergence of traffic jams; analysis of individual cars and car drivers cannot help explain the patterns and emergence of traffic jams.

While a Complex Adaptive system (CAS) also has characteristics of self-learning, emergence and evolution among the participants of the complex system. The participants or agents in a CAS show heterogeneous behaviour. Their behaviour and interactions with other agents continuously evolving. The key characteristics for a system to be characterised as Complex Adaptive are:

The behaviour or output cannot be predicted simply by analysing the parts and inputs of the system
The behaviour of the system is emergent and changes with time. The same input and environmental conditions do not always guarantee the same output.
The participants or agents of a system (human agents in this case) are self-learning and change their behaviour based on the outcome of the previous experience
Complex processes are often confused with “complicated” processes. A complex process is something that has an unpredictable output, however simple the steps might seem. A complicated process is something with lots of intricate steps and difficult to achieve pre-conditions but with a predictable outcome. An often used example is: making tea is Complex (at least for me… I can never get a cup that tastes the same as the previous one), building a car is Complicated. David Snowden’s Cynefin framework gives a more formal description of the terms [7].

Complexity as a field of study isn’t new, its roots could be traced back to the work on Metaphysics by Aristotle [8]. Complexity theory is largely inspired by biological systems and has been used in social science, epidemiology and natural science study for some time now. It has been used in the study of economic systems and free markets alike and gaining acceptance for financial risk analysis as well (Refer my paper on Complexity in Financial risk analysis here [19]). It is not something that has been very popular in the Cyber security so far, but there is growing acceptance of complexity thinking in applied sciences and computing.

3. Motivation for using Complexity in Cyber Security

IT systems today are all designed and built by us (as in the human community of IT workers in an organisation plus suppliers) and we collectively have all the knowledge there is to have regarding these systems. Why then do we see new attacks on IT systems every day that we had never expected, attacking vulnerabilities that we never knew existed? One of the reasons is the fact that any IT system is designed by thousands of individuals across the whole technology stack from the business application down to the underlying network components and hardware it sits on. That introduces a strong human element in the design of Cyber systems and opportunities become ubiquitous for the introduction of flaws that could become vulnerabilities [9].

Most organisations have multiple layers of defence for their critical systems (layers of firewalls, IDS, hardened O/S, strong authentication etc), but attacks still happen. More often than not, computer break-ins are a collision of circumstances rather than a standalone vulnerability being exploited for a cyber-attack to succeed. In other words, it’s the “whole” of the circum

Posted in Uncategorized | Tagged , , , , , | Comments Off

Giving Great Formal Presentations

For scientists who want to move ahead in their careers, the ability to give a truly great formal science presentation is a vital skill. Being able to give an outstanding presentation is important in all phases of your career. When you are interviewing for a new job, the presentation is almost always a major part of the interview process; often it is the first chance that your prospective coworkers get to see what you can offer. Even when you are comfortable in a stable position, you still need to be able to give a great presentation at a moment’s notice in order to advance your career.
In talking with scientists I have found that this ability can be a highly effective way to get noticed by management in an organization.

In addition, taking the time to prepare formal presentations can help your career in another way. As you take the time to organize your thoughts for a presentation you will find your overall understanding of the material improving. Most people aren’t born with the ability to consistently deliver a great presentation, but learning some basic skills and continuous practice can dramatically improve your presentations.

In any presentation you give, the primary goal is to communicate some idea or concept to your audience. The easiest way to really communicate with your audience is to capture their attention and really engage them in the material. One surefire way to do this is to display an appropriate amount of enthusiasm for your subject matter. If you present with too little energy, your audience will have no reason to pay attention to you. On the other hand, if you bounce around like a motivational speaker after 20 cups of coffee, you will not be taken seriously. The ideal balance is to let yourself express a sincere interest in your material. A second way to get the audience’s attention is to use overheads or slides that are useful and easy to read. Again, balance is the key; your overheads should not be too cluttered with information and graphics or be full of empty spaces. It is important to put time and thought into developing interesting and visually appealing overheads or slides, with each individual overhead communicating a distinct point.

Once you have captured the audience’s attention, you can really engage them in the material. Perhaps the single biggest key to keeping your audience engaged is to aim a little low in terms of the knowledge that you expect the audience to have. In most situations you will not just be presenting to experts in your field, but also to scientists who have only partial knowledge of the details of your field. As soon as you launch into heavy jargon, you run the risk of losing a good chunk of your audience. This method of breaking down your presentation into easy to understand pieces has the added benefit of increasing your own understanding of the material.
Another useful technique for engaging an audience is to organize your presentation into a story. Having a narrative to follow throughout the course of your talk can really help the listener to keep up, even if they are not familiar with the exact field that you are speaking on. On a related note, the more that you can illustrate the technical details with cartoons and other visual representations, the more successful your presentations will be. One well-designed figure that explains a concept or technique can be used in many different presentations, so it is worth your time to develop a distinctive and informative figure.

There are also a number of tricks and techniques that you can use to help your audience stay engaged with what you are saying. The most important aspect of your presentation style is your pacing; your goal is to find a pace of speaking and presenting that does not bore anyone or leave anyone behind. The best way to find this pace is to know your audience and adjust to any feedback you get from the audience during the early part of the talk. One good way to periodically slow down the pace of your presentation and make sure your audience can keep up is to explain what the axes are in the graphs that you are presenting. Graphs can be a wonderful way to illustrate important results or ideas, but they can also be a real barrier to understanding a talk that is a little outside of your area of expertise. Everyone who works in the field automatically knows what the graph is telling them, while those who are less familiar can easily get lost. Taking a moment to define the axes gets everyone on the same page and has the added bonus of helping you maintain a reasonable pace of presentation.

It is also crucial that you look at your audience as much as possible during your talk. When you are facing your audience, not only can they hear you better, but they will also be more motivated to pay attention if they know that you can see them losing focus. Of course, it is also much easier to get feedback from your audience when you are actually looking at them! One little trick to get yourself to look out at the audience is to think of yourself as Vanna White on the Wheel of Fortune. When you are pointing at something on screen, you don’t need to stare at it. Instead you can point like Vanna while facing the audience, allowing your audience can see and hear you.

Incorporating a joke into a presentation can be another way to keep your audience engaged. However, there are some caveats to consider when you are injecting humor into your presentation. The best jokes are delivered with a light touch. If your audience gets it, that’s great, wait a moment and then move on. If the audience doesn’t acknowledge the joke, you need to be able to move ahead with the talk rather than waiting for a laugh that probably won’t come. It goes without saying that you should also be careful not to use jokes with offensive content.

By using these techniques to capture your audience’s attention and keep them engaged, you will be able to deliver outstanding scientific presentations. Of course, the only way to develop the skills you need is to practice giving presentations as much as you can. Only through repeated practice and feedback can you master the art of giving great science presentations.

Posted in Uncategorized | Tagged , , , , , | Comments Off