Ubiquity, Dependency, Complexity
We depend on complex systems daily for food, water, energy, communications, transportation, health care, banking, and more. The ubiquity of these systems belies their complexity, and from the outside it’s easy to forget how much effort goes into maintaining and securing them.
Behind the scenes it’s another story. The challenge of anticipating system vulnerabilities, envisaging unintended consequences, and building and sustaining resilience is constant, and most system owners and operators know better than to let down their guard. Still, complexity can be difficult to untangle, and traditional, linear ways of thinking are usually insufficient. That’s where we come in.
Proactive Risk Avoidance Course
After several years of teaching the Becoming Odysseus red teaming course to industry and government clients, we’ve retired the name to highlight the expanded content in our new proactive risk avoidance course.
What the Course Is:
Most complex systems of interest today involve not just technology but also people, processes, and highly variable situational interfaces and dynamics. Many assessment approaches and methods address technology, fewer address people and processes, and fewer still address the risks associated with the full system. We’ve designed the proactive risk avoidance course to help managers and staff better understand how these complex socio-technical systems work, how they function, how they fail, and how we can better protect them. It’s part systems thinking, part systems engineering, part risk assessment, and part red teaming.
What the Course Is Not:
It’s not a course on pentesting or offensive security, although we believe it provides important context for both offensive and defensive security.
The course includes five primary modules:
- Thinking in Systems: Understanding, managing, and protecting socio-technical systems. Yes, technology is more complex than ever, but the modern systems we build and manage involve much more than just technology; they include people and organizations as well, a combination which often yields emergent and unintended behaviors. Addressing this complexity and emergence requires knowledge of systems engineering, systems analysis, and systems thinking, all of which we address in this module.
- Thinking in Models and Views: Representing the complex territory to be managed and protected. Most complex enterprise systems of systems are too complex for one person to fully comprehend in detail, hence the need to model the system using a variety of views. This skill is as much art as science and, among other things, involves the ability to simplify representations of the system in useful ways that aren’t too simple.
- Thinking in Games: Exploring issues of strategy and perception within complex systems. Game theory provides an excellent framework for understanding strategy. One branch of game theory—hypergame analysis—is particularly useful for analyzing situations involving incomplete knowledge, deception, and stratagem. In addition to discussing hypergame analysis in this module, we also discuss the differences between traditional Eastern and Western perspectives.
- Thinking in Risk: Placing risk—especially subjective risk—in perspective. We tend to think of quantitative approaches to risk as axiomatic and objective, forgetting that risk formulas were invented, not discovered. In situations involving incomplete knowledge and human perspectives and emotions, risk is not something we can easily quantify, hence the need to consider other options.
- Thinking in Resilience: Establishing the proper culture and ethos for superior performance. Even the best analysis ultimately falls short in organizations that resist acknowledging their own shortcomings. In this module, we discuss not just the sorts of resistance analysts might encounter but also a variety of principles and approaches that can help organizations listen and learn.
The course is available online or at your site for groups of five or more. We teach the course in a one-day and a two-day format. Both the one- and two-day versions include the same modules; the two-day course includes additional and expanded exercises. We’re also able to tailor the modules and exercises for bespoke sessions. Contact us directly to schedule the course for your team.
We’re also available to work with you to implement the principles of proactive risk management. We have experience in a broad range of system types. Contact us to learn more about our approach and what we can do for you.