gobannk

Upload: santosh-kapu

Post on 05-Apr-2018


  • 7/31/2019 Gobannk

    1/6

    Organisational Information Security: A Viable System Perspective

    Girish Bhagwan Gokhale
    University of South [email protected]

    David A Banks
    University of South [email protected]

    ABSTRACT

    Information Systems support and help develop business management at all levels by providing support for policy and decision making as well as control & coordination of the operations. The disruption or destruction of these information systems can cause serious disruption to, or loss of, businesses. As systems increasingly come under threat from both internal and external agents there is a need to establish vigorous and dynamic responses to protect information assets. If an organisation is viewed, metaphorically, as an entity that seeks to continue to live and grow in a world full of potential threats it must have a mechanism that is capable of dealing with recognising threat and communicating particularly dangerous threats to a point that is capable of taking immediate remedial action. This paper uses Beer's Viable System Model (VSM) as a lens to view such threats and particularly identifies the algedonic signal as a particularly useful notion for incorporation into organisational security structures where corporate complacency may have set in.

    Keywords

    Information Security, Security Standardisation, Capability Maturity Model, Viable System Model, Algedonic Signal

    INTRODUCTION

    Organisations exist in a sea of data and information, some significant, much less so. Sifting the important from the unimportant and the threatening from the non-threatening can be an almost overwhelming process. As threats come and go, sometimes, as for Y2K, widely portended as calamitous but eventuating as a non-event, there is a natural tendency for individuals to eventually become de-sensitised and less reactive to new events that are labelled as threats. Security can come to be seen as the role of others rather than the role of all members of the organisation, that is, a prevailing notion of security as a defensive force patrolling the surrounding environment rather than a shared responsibility. As a result of such desensitising and 'not my bailiwick' effects (Stoll, 1990) an organisation may lose its ability to recognise and respond with urgency to actual threats that may cause it substantial damage.

    For an organisation to act as an entity that seeks to continue to live and grow in a world full of potential threats it must have a mechanism that is capable of recognising threat and communicating particularly dangerous threats to an agent that is capable of taking immediate remedial action. In effect it needs an automatic 'Look out!' or even an 'Ouch!' signal that triggers a significant focus on a threat to survival and takes action until that threat is mitigated or removed. Beer refers to this as the pain-pleasure (algedonic) mechanism, with automatic actions being based on this perception of pain or pleasure (Beer, 1972). We argue that modern organisations need an embedded and automatic security monitoring mechanism that is capable of immediately over-riding all other processes in the event of a severe threat to survival, and triggering a response at an organisational level where appropriate and immediate action can take place.

    Traditional security approaches are often criticised for focusing only on operational security rather than taking a broader view of the long-term viability of the organisation as a whole (Dhillon & Backhouse 2001; Lueg 2001). These approaches have, however, enriched the information systems security field (Dhillon & Backhouse 2001) and helped develop metrics such as ISO 17799 (ISO 17799: What is it? 2002). However, a narrow focus on metrics and designated security management components of an organisation may lead to a risk of Corporate Complacency, that is, a belief that the organisation has formal structures in place that provide it with protection against threats even though this belief is incorrect. The paper discusses how a Viable System Model (VSM) perspective may help to avoid Corporate Complacency in its information security environment by taking a homeostatic view.

    INFORMATION SECURITY & THREATS

    Information and the technological systems that support the input, processing, storage and communication to users represent assets of an organisation. These assets and their associated vulnerabilities, threats, risks and controls are the subjects of qualitative risk analysis and they may be identified as the variables of the risk assessment (Myerson 2002). The inter-relationship of these variables is presented in figure 1, below, with a Viable System connotation as perceived by the authors. The probability of a threat exploiting vulnerabilities is known as risk. The safeguards used to control the impact of the risks are devised by the management of the organisational system. Stafford Beer developed the Viable System Model (VSM) with the principles of Neuro-Cybernetics (Beer 1972, 1979, 1985). A system is considered to be viable if it is able to survive in a particular sort of environment. There are limits, outside which the system may not be expected to survive, but it is able to deal with environmental changes of particular kinds. The viable system maintains itself in a homeostatic manner and exhibits survival, self-production, and identity through coherence between its component sub-systems. This is essentially a systems approach to address organisational complexity. The Viable System Approach has at its heart the recognition of Management Control structures and processes best suited to cope with the environmental changes.

    Figure 1: The Systemic View of Inter-relationship of Risk Assessment Variables [Authors' perception] (Introduction to Security Risk Analysis 2004; Beer 1985; Myerson 2002)

    Information security threats such as denial of service and malicious code (e.g. viruses) are ever-present online threats; however, active or passive dissemination of certain information is also emerging as a potential threat to confidentiality, integrity and accessibility of the assets of organisations (Lueg 2001). Some of the key findings of the AusCERT survey for year 2004 (AusCERT 2004) are:

    - Electronic attacks on organisations harming confidentiality, integrity and availability of network data or systems have increased (49% in 2004 compared to 42% in 2003).
    - A majority of these attacks originated externally (88%) compared with only 36% internally.
    - Infections from viruses, worms or trojans were the greatest cause of financial losses and accounted for 45% of the total losses for 2004.

    A similar survey in the UK sponsored by the UK government noted that "Greater connectivity has raised the exposure of businesses to security threats resulting in increased computer security breaches" (PricewaterhouseCoopers 2004). The advent of the internet & e-commerce may foster dynamic business activity further, revealing newer vulnerabilities of the businesses.

    [Figure 1 labels recovered from the extracted image: Organisation / System; Vulnerability; Control; Information; Attack; Threats; Environment; Interaction; Loss; Risk; System Boundary / separation between Security & Access]

    Hutchinson & Warren (2002) analysed the vulnerabilities of organisations employing the Viable System Model (VSM) as a diagnostic tool. They categorised attack strategies on the vulnerabilities of an organisation as:

    - Attacks on the fundamental operating units
    - Attacks on the coordinating functions
    - Attacks on controlling functions
    - Destruction of the brains and senses of the organisation

    Understanding of such attack strategies and vulnerabilities has increased the effectiveness of the counter-measures through heightened approaches to information security (Hutchinson & Warren 2003). A VSM-informed approach to information security may help further by identifying the need for an over-riding algedonic signal that operates at a more holistic level.

    SECURITY MATURITY & VIABLE SYSTEMS

    The software security engineering capability maturity model (SSE-CMM) can be used to work out the phases to define, implement, measure, control & improve the processes in the organisation through 5 capability levels (SSE-CMM: Model Description Document Version 3.0 1999; Shere & Versel 1994). Information Security may find some useful implications from SSE-CMM, especially the way dynamic complexity is handled while the process capability matures. An organisational security capability equivalent to SSE-CMM level 1 may perform the basic security practices just like a primitive organism reacting to environmental stimuli with a trial-and-error method. This mechanism is a basic component of learning. As SSE-CMM level 5 also contains SSE-CMM level 1 maturity (SSE-CMM: Model Description Document Version 3.0 1999), similarly the primitive level of learning mechanism is also found in highly organised organisms, but with much improved quality.

    Algedonic Signals

    The underlying drivers for Beer's non-analytical pain-pleasure based switching system (Beer 1972, pp. 171-91) can be recognised in the neurological aspect of the algedonic system in the human nervous system. The peripheral signals coming into the spinal cord from the sensors located in different organs are carried into the mid-brain through communication channels. As human beings we feel pain the moment we step on broken glass no matter what else we are doing, and our response is reflexive rather than considered. The neurological path discussed above is also known as the Reticular Formation (Lindsay & Bone 1997, pp. 196, 200, 441). It is also responsible for the involuntary activities essential for life, i.e. the working of the circulatory and respiratory systems, and also for waking us up from sleep. The stimulations that signal pain start from these sensors, but the mere presence of a signal may be insufficient to lead to action. The awareness of pain is brought about by projection from the thalamus (mid-brain) to the cerebral cortex (Lindsay & Bone 1997, pp. 196, 200, 441), effectively an interpretive action. Thus a discrete event may have differing effects on different individuals, depending on the pain/pleasure tolerance levels and the frequency of repetition of the trigger event. Repeated low-level signals may even be blocked by the interpretive process, but a major, potentially life changing, event will be channelled round the interpretive process via the autonomic nervous system. In the same way, senior management needs to be immediately informed of major threats to survival via a special emergency channel rather than constantly bombarded by signals that may extinguish conscious decision processes. Algedonic signals also assist VSM System 5 to maintain the homeostasis between System 4, 'Outside & Then' (Beer, 1972), and System 3, 'Inside & Now' (Beer 1972). Algedonic signals make System 5 aware of the anomalies in the autonomy governed by System 3, and then System 5 reacts to it by instructing System 4 to regulate it with respect to the foreseen trend. This mechanism produces the conscious input to the system under focus and is essential to maintain the viability of the system under consideration (Beer, 1972).

    Homeostasis

    Viable systems have the attribute of autonomy, 'inside & now', focusing on these issues, which can be equated to the process maturity of SSE-CMM level 3. Here, the organisation has the cognitive capability of maintaining a balance between threats and defensive actions. In VSM, System 3 governs autonomy and implements the operational security, i.e. Corporate Vigilance. VSM subjects that autonomy to a homeostasis with respect to the environment. This is where VSM builds the capability within the organisation to know from the environment 'What is to be measured?', and this know-how may be implemented through the autonomy. VSM may help to promote current practice maturity to the higher CMM levels. SSE-CMM level 4 is characterised by the statements "management can not measure it until they know what it is" and "managing with measurements is only useful when right things are measured" (SSE-CMM: Model Description Document Version 3.0 1999, p. 44). SSE-CMM level 3 may have all the capabilities to measure but may not know what to measure. The concept of algedonic signals may make senior management more aware of what is to be measured. However, this triggers senior management to oversee the homeostasis between the environment and autonomy. Consequently, System 4 may curb unnecessary operational security by regulating System 3. The inhibitory role of System 4 is triggered by algedonic signals curbing excess Corporate Vigilance. This is again viewed by the systems below System 4 as Corporate Complacency, but it is essential for viability. Again, imagine the reticular formation keeps alerting the brain forever: we would succumb to perpetual insomnia. This is how homeostasis and algedonic signals make Corporate Complacency and Corporate Vigilance complementary to each other. The limitations specified in the previous section foster Corporate Complacency, whereas the VSM approach plugs in the algedonic signals to break through Corporate Complacency. This is implemented through Operational Security Control.

    Security Control

    There are different types of control in practice (Introduction to Security Risk Analysis 2004). VSM has implications for the different types of control as follows:

    Deterrent control reduces the possibility of a premeditated attack. The VSM oriented approach provides awareness of the trends of the threats in the environment through System 4. Similarly, the reporting relationship of the security heads may integrate the activities of primarily the IT, operations and corporate auditing groups (Beer 1972, 1979, 1985; NCSP 2004). This helps the development of the Deterrent Control originating from System 5. Primarily it comes from the Strategic Level as Policies and Procedures.

    Corrective control alleviates the consequences of attack. VSM based security governance provides algedonic signals as the emergency security reporting of current security breaches by the security heads such as the CISO, CIO or CRO, possibly in financial terms, to the CEO. In this particular role the security heads may act as enablers, i.e. the Reticular Formation during pain, and not as the more usual inhibitor for the lower systems (Beer 1972, 1979, 1985; NCSP 2004). This may invoke Business Continuity Planning. Accordingly, System 3 may investigate or litigate any security breaches and start the mitigation of the risk impact. Primarily Corrective Control comes from the Tactical Level.

    Preventive control defends vulnerabilities against attack. System 3, in charge of the 'Inside & Now' in VSM based security governance, implements the Security Policies and Procedures. The Operations Level Systems 2 & 1 are enforced with access controls and are assessed through system audits to protect the vulnerabilities (Beer 1972, 1979, 1985; NCSP 2004). A periodic Comprehensive Risk Assessment is a major activity at this level.

    Detective control identifies attacks and activates corrective or preventive controls. Systems 2 and 1 implement Active Security Monitoring in an organisation, e.g. Intrusion Detection, Antivirus Software and General Security Awareness, which helps in the detection of attacks. Depending upon the severity of the attack it might activate Corrective or Preventive Controls. When the severity is gauged as being potentially fatal the algedonic activity comes into action (Beer 1972, 1979, 1985; NCSP 2004).
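The algedonic mechanism described under Algedonic Signals and the severity-driven Detective control above, as an added toy model that is not part of the paper: alerts from Systems 1/2 pass through an interpretive filter that habituates to repeated low-level signals, while a signal graded as potentially fatal bypasses the filter and goes straight to System 5. The alert line format, the severity scale, the habituation limit and the channel names are assumptions made for the example.

```python
"""Toy model of the paper's algedonic channel (added example, not the paper's
code). Low-level alerts are routed to System 3, high ones to System 4, a
repeated low-level alert is suppressed after an assumed limit, and a
"fatal" alert bypasses all of that and reaches System 5 directly."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Assumed severity scale; "fatal" stands for the paper's "potentially fatal".
SEVERITY = {"low": 1, "medium": 2, "high": 3, "fatal": 4}


@dataclass(frozen=True)
class Alert:
    source: str      # detective control that raised it, e.g. "ids"
    signature: str   # what it observed
    severity: str    # a key of SEVERITY


@dataclass
class Route:
    alert: Alert
    channel: str     # "suppressed", "system3", "system4" or "algedonic"


def parse_alert(line: str) -> Alert:
    """Parse the constructed 'source|signature|severity' line format."""
    source, signature, severity = (part.strip() for part in line.split("|"))
    if severity not in SEVERITY:
        raise ValueError(f"unknown severity {severity!r}")
    return Alert(source, signature, severity)


@dataclass
class AlgedonicRouter:
    habituation_limit: int = 3                       # assumed limit
    seen: dict = field(default_factory=lambda: defaultdict(int))

    def route(self, alert: Alert) -> Route:
        level = SEVERITY[alert.severity]
        if level >= SEVERITY["fatal"]:
            # Autonomic path: never counted, never habituated, never filtered.
            return Route(alert, "algedonic")
        key = (alert.source, alert.signature)
        self.seen[key] += 1
        if level == SEVERITY["low"] and self.seen[key] > self.habituation_limit:
            # Interpretive filter: a repeated low-level signal is blocked.
            return Route(alert, "suppressed")
        if level >= SEVERITY["high"]:
            return Route(alert, "system4")   # tactical: corrective control
        return Route(alert, "system3")       # operational: preventive control


def triage(text: str, habituation_limit: int = 3) -> list:
    """Route every non-blank line of an alert feed, in order."""
    router = AlgedonicRouter(habituation_limit)
    return [router.route(parse_alert(l)) for l in text.splitlines() if l.strip()]


def channel_counts(routes: list) -> dict:
    return dict(Counter(r.channel for r in routes))


# Constructed sample feed (not real data): five identical port scans, one
# medium failed-login burst, a worm infection and two "potentially fatal" events.
SAMPLE_FEED = """
ids|port-scan|low
ids|port-scan|low
ids|port-scan|low
ids|port-scan|low
ids|port-scan|low
auth|failed-login-burst|medium
antivirus|worm-detected|high
backup|fileshare-being-encrypted|fatal
backup|fileshare-being-encrypted|fatal
"""

if __name__ == "__main__":
    for r in triage(SAMPLE_FEED):
        print(f"{r.channel:10} <- {r.alert.source}/{r.alert.signature} ({r.alert.severity})")
    print(channel_counts(triage(SAMPLE_FEED)))
```

Raising the habituation limit lets more of the repeated low-level signals through to System 3, while the fatal lines are routed to the algedonic channel whatever the limit.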

    Corporate Governance & Culture

    Information security should essentially encompass all abstraction levels in any organisation, i.e. strategic, tactical as well as operational. It can be argued that many organisations tend to restrict information security to operations. The Corporate Governance Task Force report for 2004 in the US emphasised the importance of embedding information security into the corporate governance structure and recommended implementation of security reporting to the CEO of the organisation. This recommendation also throws light on the need to identify information security as an integral part of core business operations (NCSP 2004). Accordingly it also links information security to the controlling policies and procedures of business governance in a dynamic way.

    The organisational culture impacts upon the efficacy of operational information security in the organisation. This also reveals the relationships between human factors like corporate culture and information security in an organisation. VSM offers a 'Cybernetic Eye' to look at information security in an organisation and to implement it systemically by understanding how crucial it is to the business.

    The AusCERT survey for year 2004 stated some key findings about the readiness of organisations to protect and manage IT security systems (AusCERT 2004) as:

    - Readiness improved in three aspects: 1. use of information security policies & procedures; 2. use of information security standards; 3. experienced, trained & qualified staff
    - More support and understanding from senior management is desired
    - The most common challenge is changing user attitudes and keeping up to date with threats & vulnerabilities
    - Insufficient efforts against the changing nature & scope of vulnerabilities

    The AusCERT survey has very strong implications for the overall security reporting activity within an organisation. The work of Hutchinson & Warren (2002) can be used as a basis for diagnosis and correlation.

    Firstly, the lack of support from senior management may be due to discrepancies in the Strategic level of reporting, which in turn may be due to attacks on controlling functions and destruction of the brain or senses of the organisation. The VSM based approach emphasises reporting at the System 4 level. This integrates the IT, Business Operations, System Audits and the environmental trends to alert Senior Management to devise the Deterrent Control discussed earlier.

    Secondly, insufficient efforts in identifying the changing nature and scope of vulnerabilities may be due to discrepancies in the Tactical level of reporting, which in turn may be due to attacks on the co-ordinating functions and the controlling functions. The VSM approach inherits a feedback-based learning system. The usual feedback path is the Audit function of System 3. This provides an autonomous response through the preventive control discussed earlier, and the feedback in an emergency is the Algedonic Signal, which brings the corrective control also discussed earlier. Moreover, by emphasising the balance of the external and the internal variety for survival, VSM stresses speeding up these feedback mechanisms, as discussed above, with increasing change in the nature and scope of vulnerabilities. The wider Information Security spreads across the governance structure, the faster the feedback mechanism acts.

    Thirdly, the challenges in changing user attitudes and keeping up to date with threats & vulnerabilities may be due to discrepancies in the operational level of reporting, which in turn may be due to attacks on the fundamental operating units and the co-ordinating functions. The VSM approach not only stresses corporate security governance but also highlights the human factor, i.e. information security awareness must increase in order to change the current culture. This change may improve the detective control discussed earlier.

    CONCLUSION

    The Viable Systems Model (VSM) approach provides a framework to understand the complexity of organisational information security. VSM may also act as a vehicle, framework or perspective with which to better consider issues of Corporate Complacency and Corporate Vigilance. VSM inherently provides an overriding alerting mechanism in the form of Algedonic Signals. This mechanism provides organisations with self-awareness and also keeps them 'beating & breathing'. Moreover, it maintains the whole system in a state of alert (security breach & its consequences) without running the risk of de-sensitisation due to the overuse of low-level alarms. The VSM perspective of information security may help elevate current practice from 'Well-defined' SSE-CMM level 3 to 'Optimised' SSE-CMM level 5 and also help emphasise the need to ensure that information security is tightly linked to core business functions. The Viable System perspective of organisational information security may also help by enhancing corporate security coherence, thus fostering the viability of organisations.

    We have not addressed the detailed or practical possibilities of analysing information security around the Viable Systems Model, our intention being to suggest that this model can provide a useful organic and holistic view of organisations and their pleasure and pain response to the security environment. Translating a view of an organisation as a living organism attempting to survive in a potentially hostile world by using autonomic reactions to threats into practical structures, policies and cultures would not be a simple task. However, given the increasing level of threat and need for rapid response at an organisational level, VSM provides a promising route for exploration.

    REFERENCES:

    AusCERT 2004, 2004 Australian Computer Crime and Security Survey, Australian Computer Emergency Response Team, viewed 12 July 2004.

    Beer, S 1972, Brain of the firm: the managerial cybernetics of organisation, Allen Lane the Penguin Press, London.

    Beer, S 1979, The heart of enterprise, John Wiley & Sons Ltd, Chichester [Eng.].

    Beer, S 1985, Diagnosing the system for organisations, John Wiley & Sons Ltd, Chichester (West Sussex).

    Dhillon, G & Backhouse, J 2001, 'Current directions in IS security research: towards socio-organisational perspectives', Information Systems Journal, vol. 11, pp. 127-53.

    Hutchinson, W & Warren, M 2002, 'Information warfare: Using the viable system model as a framework to attack organisations', Australian Journal of Information Systems, vol. 9, no. 2, pp. 67-74.

    Introduction to Security Risk Analysis, 2004, C & A Security Risk Analysis Group, viewed 12 June 2004.

    ISO 17799: What is it?, 2002, ISO 17799 Service & Software Directory, viewed 12 June 2004.

    Lindsay, KW & Bone, I 1997, Neurology and neurosurgery illustrated, illustrated by Robin Callander, foreword by J. Van Gijn, 3rd edn, Churchill Livingstone, New York.

    Lueg, C 2001, 'The Role of Information Systems in Information-Level Security Management', paper presented to Proceedings of the Australasian Conference on Information Systems, Coffs Harbour, NSW, Australia, 5-7 December 2001.

    Myerson, JM 2002, 'Identifying enterprise network vulnerabilities', International Journal of Network Management, vol. 12, no. 3, pp. 135-44.

    NCSP 2004, Information Security Governance: A Call to Action, Corporate Governance Task Force of National Cyber Security Partnership, Washington, D.C.

    PricewaterhouseCoopers 2004, Executive Summary: Information Security Breaches Survey 2004, Department of Trade and Industry, UK, viewed 12 July 2004.

    Shere, KD & Versel, MJ 1994, 'Extension of the SEI software capability maturity model to systems', paper presented to Proceedings of Eighteenth Annual International Computer Software and Applications Conference, 1994, COMPSAC 94.

    SSE-CMM: Model Description Document Version 3.0, 1999, Carnegie Mellon University, viewed 10 June 2004.

    Stoll, C 1990, The Cuckoo's Egg, Pan, London.

    COPYRIGHT

    Gokhale, G B and Banks, D A 2004. The author/s assign the We-B Centre & Edith Cowan University a non-exclusive license to use this document for personal use provided that the article is used in full and this copyright statement is reproduced. The authors also grant a non-exclusive license to the We-B Centre & ECU to publish this document in full in the Conference Proceedings. Such documents may be published on the World Wide Web, CD-ROM, in printed form, and on mirror sites on the World Wide Web. Any other usage is prohibited without the express permission of the authors.