Ubiquity, Dependency, Complexity
We depend on complex systems daily for food, water, energy, communications, transportation, health care, banking, and more. The ubiquity of these systems belies their complexity, and from the outside it’s easy to forget how much effort goes into maintaining and securing them.
Behind the scenes it’s another story. The challenge of anticipating system vulnerabilities, envisaging unintended consequences, and building and sustaining resilience is constant, and most system owners and operators know better than to let down their guard. Still, complexity can be difficult to untangle, and traditional, linear ways of thinking are usually insufficient. That’s where we come in.
Becoming Odysseus Red Teaming Course
We first launched the Becoming Odysseus course over at Red Team Journal and have since taught it many times over the past several years to business and government clients.
What the Course Is:
Most security red teaming today has a highly technical focus. That’s both understandable and necessary. Given the complexity of modern systems, we also believe it’s insufficient. Additional, more systemic approaches to red teaming do exist (levels III and IV), and those are the focus of the Becoming Odysseus course.
What the Course Is Not:
It’s not a course on pentesting or offensive security, although we believe it provides important context for both offensive and defensive security.
The course includes five primary modules:
- Thinking in Systems: Understanding, managing, and protecting socio-technical systems. Yes, technology is more complex than ever, but the modern systems we build and manage involve much more than just technology; they include people and organizations as well–a combination which often yields emergent and unintended behaviors. Addressing this complexity and emergence requires knowledge of systems engineering, systems analysis, and systems thinking, all of which we address in this module.
- Thinking in Models and Views: Representing the complex territory to be managed and protected. Most complex enterprise systems of systems are too complex for one person to fully comprehend in detail, hence the need to model the system using a variety of views. This skill is as much art as science and, among other things, involves the ability to simplify representations of the system in useful ways that aren’t too simple.
- Thinking in Games: Exploring issues of strategy and perception within complex systems. Game theory provides an excellent framework for understanding strategy. One branch of game theory—hypergame analysis—is particularly useful for analyzing situations involving incomplete knowledge, deception, and stratagem. In addition to discussing hypergame analysis in this module, we also discuss the differences between traditional Eastern and Western perspectives.
- Thinking in Risk: Placing risk—especially subjective risk—in perspective. We tend to think of quantitative approaches to risk as axiomatic and objective, forgetting that risk formulas were invented, not discovered. In situations involving incomplete knowledge and human perspectives and emotions, risk is not something we can easily quantify, hence the need to consider other options.
- Thinking in Resilience: Establishing the proper culture and ethos for superior performance. Even the best analysis ultimately falls short in organizations that resist acknowledging their own shortcomings. In this module, we discuss not just the sorts of resistance analysts might encounter but also a variety of principles and approaches that can help organizations listen and learn.
- Thinking Like Adversaries: Recognizing asymmetries in perspective and strategy. It’s easy to project your own culture and perspective on your adversary. We look at differences not just between Eastern and Western approaches to strategy but also differences between traditional and non-traditional adversaries.
The course is available online or at your site for groups of five or more. We teach the course in a one-day and a two-day format. Both the one- and two-day versions include the same modules; the two-day course includes additional and expanded exercises. We’re also able to tailor the modules and exercises for bespoke sessions. Contact us directly to schedule the course for your team.