Organisational Information Security: A Viable System Perspective

Girish Bhagwan Gokhale University of South Australia Girish.Gokhale@postgrads.unisa.edu.au David A Banks University of South Australia David.Banks@unisa.edu.au

ABSTRACT
Information Systems support and help develop business management at all levels by providing support for policy and decision making as well as control & coordination of the operations. The disruption or destruction of these information systems can cause serious disruption to, or loss of, businesses. As systems increasingly come under threat from both internal and external agents there is a need to establish vigorous and dynamic responses to protect information assets. If an organisation is viewed, metaphorically, as an entity that seeks to continue to live and grow in a world full of potential threats it must have a mechanism that is capable of dealing with recognising threat and communicating particularly dangerous threats to a point that is capable of taking immediate remedial action. This paper uses Beers Viable System Model (VSM) as a lens to view such threats and particularly identifies the algedonic signal as a particularly useful notion for incorporation into organisational security structures where corporate complacency may have set in.

Keywords Information Security, Security Standardisation, Capability Maturity Model, Viable System Model, Algedonic Signal

INTRODUCTION
Organisations exist in a sea of data and information, some significant, much less so. Sifting the important from the unimportant and the threatening from the non-threatening can be an almost overwhelming process. As threats come and go, sometimes, as for Y2K, widely portended as calamitous but eventuating as a non-event, there is a natural tendency for individuals to eventually become de-sensitised and less reactive to new events that are labelled as threats. Security can become to be seen as the role of others rather than the role of all members of the organisation, that is, a prevailing notion of security as a defensive force patrolling the surrounding environment rather than a shared responsibility. As a result of such desensitising and not my bailiwick effects (Stoll, 1990) an organisation may lose its ability to recognise and respond with urgency to actual threats that may cause it substantial damage. For an organisation to act as an entity that seeks to continue to live and grow in a world full of potential threats it must have a mechanism that is capable of recognising threat and communicating particularly dangerous threats to an agent that is capable of taking immediate remedial action. In effect it needs an automatic Look out! or even an Ouch! signal that triggers a significant focus on a threat to survival and takes action until that threat is mitigated or removed. Beer refers to this as the pain-pleasure (algedonic) mechanism with automatic actions being based on this perception of the pain or pleasure (Beer, 1972). We argue that modern organisations need an embedded and automatic security monitoring mechanism that is capable of immediately over-riding all other processes in the event of a severe threat to survival, and triggering a response at an organisational level where appropriate and immediate action can take place. Traditional security approaches are often criticised for focusing only on the operational security rather than taking a broader view of the long-term viability of the organisation as a whole. (Dhillon & Backhouse 2001; Lueg 2001). These approaches have, however, enriched the information systems security field (Dhillon & Backhouse 2001) and helped develop metrics such as ISO 17799 (ISO 17799: What is it? 2002). However, a narrow focus on metrics and designated security management components of an organisation may lead to a risk of Corporate Complacency, that is, a belief that the organisation has formal structures in place that provide it with protection against threats even though this belief is incorrect. The paper discusses how a Viable System

Model (VSM) perspective may help to avoid Corporate Complacency in its information security environment by taking a homeostatic view.

INFORMATION SECURITY & THREATS

Information and the technological systems that support the input, processing, storage and communication to users represent assets of an organisation. These assets and their associated vulnerabilities, threats, risks and controls are the subjects of qualitative risk analysis and they may be identified as the variables of the risk assessment (Myerson 2002). The inter-relationship of these variables is presented in figure 1, below, with a Viable System connotation as perceived by authors. The probability of a threat exploiting vulnerabilities is known as risk. The safeguards used to control the impact of the risks are devised by the management of the organisational system. Stafford Beer developed the Viable System Model (VSM) with the principles of NeuroCybernetics (Beer 1972, 1979, 1985). A System is considered to be viable if it is able to survive in a particular sort of environment. There are limits, outside which the system may not be expected to survive, but it is able to deal with environmental changes of particular kinds. The viable system maintains itself in a homeostatic manner itself and exhibits survival, self-production, and identity through coherence between its component sub-systems. This is essentially a systems approach to address organisational complexity. The Viable System Approach has at its heart the recognition of Management Control structures and processes best suited to cope with the environmental changes.

Organisation / System

Attack Threats Environment Risk Loss

Control

Interaction

System Boundary / separation between Security & Access

Vulnerability

Figure 1: The Systemic View of Inter-relationship of Risk Assessment Variables [Authors perception] (Introduction to Security Risk Analysis 2004; Beer 1985; Myerson 2002) Information security threats such as, denial of service and malicious code (e.g. Viruses), are ever-present online threats; however active or passive dissemination of certain information is also emerging as a potential threat to confidentiality, integrity and accessibility of assets of organisations (Lueg 2001). Some of the key findings of the AusCERT survey for year 2004 (AusCERT 2004) are, Electronic attacks on organisations harming confidentiality, integrity and availability of network data or systems have increased (49% in 2004 compared to 42% in 2003). A majority of these attacks originated externally (88%) compared with only 36% internally. Infections from viruses, worms or trojans were the greatest cause of financial losses and accounted for 45% of the total losses for 2004.

A similar survey in UK sponsored by UK government noted that, Greater connectivity has raised the exposure of businesses to security threats resulting in increased computer security breaches (PricewaterhouseCoopers 2004). The advent of internet & e-commerce may foster the dynamic business activity further revealing newer vulnerabilities of the businesses. Hutchinson & Warren (2002) analysed the vulnerabilities of the organisations employing Viable Systems Model (VSM) as diagnostic tool. They categorised attack strategies on vulnerabilities of organisation as, Attacks on the fundamental operating units

Information

Attacks on the coordinating functions Attacks on controlling functions Destruction of the brains and senses of the organisation

Understanding of such attack-strategies and vulnerabilities has increased the effectiveness of the countermeasures through heightened approaches to information security (Hutchinson & Warren 2003). A VSMinformed approach to information security may help further by identifying the need for an over-riding algedonic signal that operates at a more holistic level .

SECURITY MATURITY & VIABLE SYSTEMS

The software security engineering - capability maturity model (SSE-CMM) can be used to work out the phases to define, implement, measure, control & improve the processes in the organisation through 5 capability levels (SSE-CMM: Model Description Document Version 3.0 1999; Shere & Versel 1994). Information Security may find some useful implications from SSE-CMM especially the way dynamic complexity is handled while the process capability matures. An organisational security capability equivalent to SSE-CMM level 1 may perform the basic security practices just like a primitive organism reacting to the environmental stimuli with trial-error method. This mechanism is a basic component of learning. As SSE-CMM level 5 also contains SSE-CMM level 1 maturity (SSE-CMM: Model Description Document Version 3.0 1999), similarly the primitive level of learning mechanism is also found in highly organised organisms but with much improved quality. Algedonic Signals The underlying drivers for Beers non-analytical pain-pleasure based switching system (Beer 1972, pp171-91) can be recognised in the neurological aspect of algedonic system in human nervous system. The peripheral signals coming into the spinal cord from the sensors located in different organs are carried into mid-brain through communication channels. As human beings we feel pain the moment we step on broken glass no matter what else are we doing and our response is reflexive rather than considered. The neurological path discussed above is also known as Reticular Formation (Lindsay & Bone 1997, pp. 196, 200, 441). It is also responsible for the involuntary activities essential for life i.e. working of circulation system, respiratory systems, etc and also responsible for waking us up from sleep. The stimulations that signal pain start from these sensors but the mere presence of a signal may be insufficient to lead to action. The awareness of pain is brought about by projection from thalamus (mid-brain) to cerebral cortex (Lindsay & Bone 1997, pp. 196, 200, 441), effectively an interpretive action. Thus a discrete event may have differing effects on different individuals, depending on the pain/pleasure tolerance levels and the frequency of repetition of the trigger event. Repeated low-level signals may even be blocked by the interpretive process but a major, potentially life changing, event will be channelled round the interpretive process via the autonomic nervous system. In the same way, senior management needs to be immediately informed of major threats to survival via a special emergency channel rather than constantly bombarded by signals that may extinguish conscious decision processes Algedonic signals also assist VSM System 5 to maintain the Homeostasis between System 4 Outside & Then (Beer, 1972) and System 3 Inside & Now (Beer 1972). Algedonic signals make the System 5 aware of the anomalies in the autonomy governed by System 3 and then System 5 reacts to it by instructing System 4 to regulate it with respect to the foreseen trend. This mechanism produces the Conscious input to the system under the focus and is essential to be maintain the viability of the system under consideration. (Beer, 1972). Homeostasis Viable systems have the attribute of autonomy inside & now focusing on these issues which can be equated to the process maturity of SSE-CMM level 3. Here, the organisation has the cognitive capability of maintaining a balance between threats and defensive actions. In VSM, System 3 governs autonomy and implements the operational security i.e. Corporate Vigilance. VSM subjects that autonomy to a homeostasis with respect to the environment. This is where VSM builds the capability within the organisation to know from the environment What is to be measured? and this know-how may be implemented through the autonomy. VSM may help to promote current practice maturity to the higher CMM levels. The SSE-CMM level 4 is characterised by statements, management can not measure it until they know what it is and managing with measurements is only useful when right things are measured (SSE-CMM: Model Description Document Version 3.0 1999, p. 44). SSE-CMM level 3 may have all capabilities to measure but may not know what to measure. The concept of algedonic signals may make the senior management more aware of what is to be

measured. However, this triggers the senior management to oversee the homeostasis between the environment and autonomy. Consequently, the system 4 may curb the unnecessary operational security by regulating system 3. The inhibitory role of system 4 is triggered by algedonic signals curbing excess Corporate Vigilance. This is again viewed by the systems below system 4 as Corporate Complacency but it is essential for Viability. Again imagine, reticular formation keeps alerting brains forever and we will succumb to perpetual insomnia. This is how the Homeostasis and Algedonic Signals make Corporate Complacency and Corporate Vigilance complementary to each other. The limitations specified in the previous section foster the Corporate Complacency whereas VSM approach plugs in the algedonic signals to break through the Corporate Complacency. This is implemented through Operational Security Control. Security Control There are different types of control in practice (Introduction to Security Risk Analysis 2004). VSM has implications for different type of controls as follows, Deterrent control reduces possibility of a premeditated attack. The VSM oriented approach provides awareness of the trends of the threats in the environment through System 4. Similarly, the reporting relationship of the security heads may integrate the activities of primarily IT, operations and corporate auditing group. (Beer 1972, 1979, 1985; NCSP 2004) This helps the development of the Deterrent Control originating from System 5. Primarily it comes from Strategic Level as Policies and Procedures. Corrective control alleviates the consequences of attack. The VSM based security governance provides algedonic signals as the emergency security reporting of the current security breaches by the security heads such as CISO, CIO, CRO may be in financial terms to CEO. In this particular role the security heads may act as enablers i.e. Reticular Formation during pain and not as the more usual inhibitor for the lower systems. (Beer 1972, 1979, 1985; NCSP 2004) This may invoke the Business Continuity Planning. Accordingly, the System 3 may investigate or litigate any security breaches and start the mitigation of the risk impact. Primarily Corrective Control comes from the Tactical Level. Preventive control defends vulnerabilities against the attack. The System 3 the in-charge of the Inside & Now in the VSM based security governance implements the Security Policies and Procedures. The Operations Level System 2 & 1 are enforced with the access controls and are assessed through system-audits to protect the vulnerabilities. (Beer 1972, 1979, 1985; NCSP 2004) A periodic Comprehensive Risk Assessment is major activity at this level. Detective control identifies attacks and activates corrective or preventive controls. The Systems 2 and 1 implement the Active Security Monitoring in an organisation e.g. Intrusion Detection, Antivirus Software, General Security Awareness which helps in the detection of attacks. Depending upon the severity of attack it might activate Corrective or Preventive Controls. When the severity is gaused as being potentially fatal the algedonic activity comes into action. (Beer 1972, 1979, 1985; NCSP 2004)

Corporate Governance & Culture Information security should essentially encompass all abstraction levels in any organisation i.e. strategic, tactical as well as operational. It can be argued that many organisations tend to restrict information security to operations. The corporate Governance Task Force report for year 2004 in US emphasised the importance of embedding information security into the corporate governance structure and recommended implementation of security reporting to CEO of the organisation. This recommendation also throws light on the need to identify information security as an integral part of core business operations (NCSP 2004). Accordingly it also links the information security to the controlling policies and procedures of the business governance in a dynamic way. The organisational culture impacts upon the efficacy of operational information security in the organisation. This also reveals the relationships between the human factors like corporate culture and the information security in an organisation. VSM offers a Cybernetic Eye to look at the information security in an organisation to implement it systemically by understanding how crucial it is to the business. The AusCERT survey for year 2004 stated some key finding about the readiness of organisations to protect and manage IT security systems (AusCERT 2004) as, Readiness improved in three aspects as 1. 2. Use of information security policies & procedures Use of information security standards

3.

Experienced, trained & qualified staff

More support and understanding from senior management is desired Most common challenge is to change user attitude and keeping update of threats & vulnerabilities Insufficient efforts against the changing nature & scope of vulnerabilities

The AusCERT survey has very strong implications towards the overall security reporting activity within an organisation. The work of Hutchinson & Warren (2002) can be used as a basis for diagnosis and correlation. Firstly, the lack of support from senior management may be due to discrepancies in Strategic level of reporting which in turn may be due to attacks on controlling functions and destruction of brain or senses of the organization. The VSM based approach emphasizes reporting at System 4 level. This integrates the IT, Business Operations, System Audits and the environmental trends to alert Senior Management to devise the Deterrent Control discussed earlier Secondly, insufficient efforts in identifying the changing nature and scope of vulnerabilities may be due to discrepancies in the Ttctical level of reporting which in turn may be due to attacks on the co-ordinating functions and the controlling functions. The VSM approach inherits a feedback-based learning system. The usual feedback path is the Audit function of the System 3. This provides autonomous response through preventive control discussed earlier and the feedback in an emergency is the Algedonic Signal which brings corrective control also discussed earlier. Moreover, by emphasizing the balance of the external and the internal variety for survival, VSM stresses on the pacing up of these feedback mechanisms, as discussed above, with increasing change in the nature and scope of vulnerabilities. The wider the Information Security spreads across the governance structure the faster the feedback mechanism acts. Thirdly, the challenges in changing user attitude and keeping an update of threats & vulnerabilities may be due to discrepancies in the operational level of reporting which in turn may be due to attacks on the fundamental operating units and the co-ordinating functions. VSM approach not only stresses corporate security governance but also highlights the human factor i.e. information security awareness is required to increase in order to change the current culture. This change may improve the detective control discussed earlier.

CONCLUSION
The Viable Systems Model (VSM) approach provides a framework to understand the complexity of organisational information security. VSM may also act as a vehicle, framework or perspective with which to better consider issues of Corporate Complacency and Corporate Vigilance. VSM inherently provides an overriding alerting mechanism in the form of Algedonic Signals. This mechanism provides organisations with their self-awareness and also keeps it beating & breathing. Moreover, it maintains the whole system in a state of alert (security breach & its consequences) without running the risk of de-sensitisation due to the overuse of low-level alarms. The VSM perspective of information security may help elevate current practice from Well-defined SSE-CMM level 3 to Optimised SSE-CMM level 5 and also help emphasise the need to ensure that information security is tightly linked core business functions. The Viable System perspective of the organisational information security may also help by enhancing the corporate security coherence, thus fostering the viability of the organisations. We have not addressed the detailed or practical possibilities of analysing information security around the Viable Systems Model, out intention being to suggest that this model can provide a useful organic and holistic view of organisations and their pleasure and pain response to the security environment. Translating a view of an organisation as a living organism attempting to survive in a potentially hostile world by using autonomic reactions to threats into practical structures, policies and cultures would not be a simple task. However, given the increasing level of threat and need for rapid response at an organisational level, VSM provides a promising route for exploration.

REFERENCES:
AusCERT 2004, 2004 Australian Computer Crime and Security Survey, Australian Computer Emergency Response Team, viewed 12 July 2004, <http://www.auscert.org.au/download.html?f=114>. Beer, S 1972, Brain of the firm: the managerial cybernetics of organisation, Allen Lane the Penguin Press, London. Beer, S 1979, The heart of enterprise, John Wiley & Sons Ltd, Chichester [Eng.].

Beer, S 1985, Diagnosing the system for organisations, John Wiley & Sons Ltd, Chichester (West Sussex). Dhillon, G & Backhouse, J 2001, 'Current directions in IS security research: towards socio-organisational perspectives', Information Systems Journal, vol. 11, pp. 127-53. Hutchinson, W & Warren, M 2002, 'Information warfare: Using the viable system model as a framework to attack organisations', Australian Journal of Information Systems, vol. 9, no. 2, pp. 67-74. Introduction to Security Risk Analysis, 2004, C & A Security Risk Analysis Group, viewed 12 June 2004, <http://www.security-risk-analysis.com/introduction.htm>. ISO 17799: What is it?, 2002, ISO 17799 Service & Software Directory, viewed 12 June 2004, <http://www.iso17799software.com/what.htm>. Lindsay, KW & Bone, I 1997, Neurology and neurosurgery illustrated; illustrated by Robin Callander ; foreword by J. Van Gijn, 3rd edn, Churchill Livingstone, New York. Lueg, C 2001, 'The Role of Information Systems in Information-Level Security Management', paper presented to Proceedings of the Australasian Conference on Information Systems, Coffs Harbour, NSW, Australia, 57 December 2001. Myerson, JM 2002, 'Identifying enterprise network vulnerabilities', International Journal of Network Management, vol. 12, no. 3, pp. 135-44. NCSP 2004, Information Security Governance: A Call to Action, Corporate Governance Task Force of National Cyber Security Partnership, Washington, D.C. PricewaterhouseCoopers 2004, Executive Summary: Information Security Breaches Survey 2004, Department of Trade and Industry, UK, viewed 12 July 2004, <http://www.pwc.com/images/gx/eng/about/svcs/grms/2004Exec_Summ.pdf>. Shere, KD & Versel, MJ 1994, 'Extension of the SEI software capability maturity model to systems', paper presented to Proceedings of Eighteenth Annual International Computer Software and Applications Conference, 1994, COMPSAC 94. SSE-CMM: Model Description Document Version 3.0, 1999, Carnegie Mellon University, viewed 10 June 2004, <http://www.sse-cmm.org/docs/ssecmmv3final.pdf>. Stoll, C., 1990, The Cuckoos Egg, Pan, London

COPYRIGHT
Gokhale, G B and Banks, D A 2004. The author/s assign the We-B Centre & Edith Cowan University a nonexclusive license to use this document for personal use provided that the article is used in full and this copyright statement is reproduced. The authors also grant a non-exclusive license to the We-B Centre & ECU to publish this document in full in the Conference Proceedings. Such documents may be published on the World Wide Web, CD-ROM, in printed form, and on mirror sites on the World Wide Web. Any other usage is prohibited without the express permission of the authors.