Cyber Safety: A Systems Thinking and Systems Theory Approach to Managing Cyber Security Risks

If we are to manage security risks more effectively in today’s complex and dynamic cyber environment, then a new way of thinking is needed to complement traditional approaches. According to Symantec’s 2014 Internet Security Threat Report, in 2012 more than ten million identities that included real names, dates of birth, and social security were exposed by a single breach. In 2013 there were eight breaches that each exposed over ten million identities. These breaches were recorded despite the fact that significant resources are expended, on managing cyber security risks each year by businesses and governments. In this paper we examine why traditional approaches for managing cyber security risks are not yielding desired results, and propose a new approach for managing cyber security risks. This approach is based on a model for accident or incident analysis, used in Systems Safety field. The model is called SystemTheoretic Accident Model and Processes (STAMP). It is rooted in Systems Thinking and Systems Theory. We analyzed the largest cyber-attack at the time, reported in 2007 on a major US based retailer, using STAMP to understand the effectiveness of this approach. Our analysis revealed insights both at systemic and detailed level, which generated specific recommendations. The lessons learned from this analysis can be extended to help us to address the ongoing challenges to cyber security.