Vanguard Magazine

14 FEBRUARY/MARCH 2018 www.vanguardcanada.com C4isr cover the defenses in place and to detect vulnerabilities. They act repeatedly and adapt dynamically to defenders' efforts to resist. Their attacks are usually distributed, and they may involve diversions and cam- ouflage. Mission failure risks are not all linked to external phenomena or adversaries. Rath- er, some risks are related to a deficient state of the DES, that is, to incapacities origi- nating from failed design, construction er- rors, implementation flaws, partner short- comings and/or operational weaknesses – all symptoms of lacking governance. In- capacities are usually latent or hidden until some event to which the DES should be able to respond makes them emerge. The current problems with the Canadian gov- ernment pay system are a good example of this type of mission failure. To sum up, mission failure risk sources can be classified in four broad categories: operational surges, hazards, threats and in- capacities. Each of them give rise to different types of incidents (unexpected events that require reactive actions) that, when the DES is not adequately prepared and protected, can lead to disruptions with significant con- sequences. Disruptions are incidents that cannot be treated sufficiently quickly and ef- ficiently to avoid subsequent damages. The anatomy of disruptive processes Analytics can be leveraged to study the be- haviour of plausible incidents and disrup- tions, and to derive risk exposure measures. The way risk events materialize in time is illustrated in Fig. 2. Arrows are used to in- dicate event arrival dates (say cybersecurity breaches). The height of the vertical line associated to arrows reflects the severity of the disruption in an appropriate metric. Depending on the context, the metric used could be capacity lost (downtime), the number of work-hours needed to solve the problem, the time to recovery, the num- ber of exposed records, etc. These severity variables can then be exploited to compute the magnitude of ensuing cost-benefit loss. Analytics can also help classify recurrent risk events into incident types – useful for control and decision making. Behavioral data can be accumulated on the location, timing, and severity of the incident types identified, and used to estimate the follow- ing factors: • The probability distribution of interar- rival times • The distribution of the number of inci- dents (or disruptions) during a time pe- riod (frequency) • The distribution of the severity of dis- ruptions An example of a failure frequency distribu- tion for a computer network is displayed in Fig. 3. The probability function shown is known as the Poisson distribution. It has been verified that this distribution is a valid model of risk event arrivals in many contexts, such as service queues, equip- ment breakdowns, accidental and natural hazards, and nontargeted cybersecurity incidents. When evidence confirms that arrivals or severity follow a known prob- ability distribution (like the Poisson), stan- dard statistical techniques can be used to estimate its parameters (mean, variance, etc.). Otherwise, an empirical distribution (a histogram plotted from available data) can be used. For emerging incidents, or for very rare risk events, little data on their frequency and severity may be available. When this is the case, frequency and severity distributions can be estimated subjectively – for example, by providing a mean value and a most likely inclusion interval. In project management, PERT distributions for activity durations have long been estimated this way. The FAIR (Factor Analysis of Information Risk) methodology supported by The Open Group also recommends this approach (see Technical Standard C13G, 2013). Figure 1: Defence Enterprise System Architecture Cube Figure 2: Risk Events Arrival and Severity Process Time Arrival dates Interarrival time Number of arrivals in a given time period (say a year) – 4 in this case Severity

• Cover