Cyber Safety A Systems Thinking and Systems Theory Approach to Managing Cyber Security Risks

If we are to manage cyber security risks more effectively in today's complex and dynamic Web 2.0 environment, then a new way of thinking is needed to complement traditional approaches. According to Symantec's 2014 Internet Security Threat Report, in 2012 more than ten million identities that included real names, dates of birth, and social security were exposed by a single breach. In 2013 there were eight breaches that each exposed over ten million identities. These breaches were recorded despite the fact that significant resources are expended, on managing cyber security risks each year by businesses and governments. The objective of this thesis was twofold. The first objective was to understand why traditional approaches for managing cyber security risks were not yielding desired results. Second, propose a new method for managing cyber security risks more effectively. The thesis investigated widely used approaches and standards, and puts forward a method based on the premise that traditional technology centric approaches have become ineffective on their own. This lack of efficacy can be attributed primarily to the fact that, Web 2.0 is a dynamic and a complex socio-technical system that is continuously evolving. This thesis proposes a new method for managing cyber security risks based on a model for accident or incident analysis, used in Systems Safety field. The model is called System-Theoretic Accident Model and Processes (STAMP). It is rooted in Systems Thinking and Systems Theory. Based on a case study specifically written for this thesis, the largest cyber-attack reported in 2007 on a major US based retailer, is analyzed using the STAMP model. The STAMP based analysis revealed insights both at systemic and detailed level, which otherwise would not be available, if traditional approaches were used for analysis. Further, STAMP generated specific recommendations for managing cyber security risks more effectively.