
    Systems thinking for safety and security

    The fundamental challenge facing security professionals is preventing losses, be they operational, financial or mission losses. As a result, one could argue that security professionals share this challenge with safety professionals. Despite this shared challenge, there is little evidence that recent advances that enable one community to better prevent losses have been shared with the other for possible implementation. Limitations in current safety approaches have led researchers and practitioners to develop new models and techniques, and these techniques could potentially benefit the field of security. This paper describes a new systems thinking approach to safety that may be suitable for meeting the challenge of securing complex systems against cyber disruptions. Systems-Theoretic Process Analysis for Security (STPA-Sec) augments traditional security approaches by introducing a top-down analysis process designed to help a multidisciplinary team of security, operations, and domain experts identify the vulnerable states that lead to losses and constrain the system from entering them. This new framework shifts the focus of the security analysis away from threats as the proximate cause of losses and focuses instead on the broader system structure that allowed the system to enter a vulnerable state, which the threat then exploits to produce the disruption leading to the loss.

    Idea-caution before exploitation: the use of cybersecurity domain knowledge to educate software engineers against software vulnerabilities

    The transfer of cybersecurity domain knowledge from security experts ('Ethical Hackers') to software engineers is discussed in terms of desirability and feasibility. Possible mechanisms for the transfer are critically examined. Software engineering methodologies do not make use of security domain knowledge in the form in which it is usually held, namely vulnerability databases (e.g. CWE, CVE, Exploit DB), which are therefore not appropriate for this purpose. An approach based upon the improved use of pattern languages that encompass security domain knowledge is proposed.

    When Ambients Cannot be Opened

    We investigate the expressiveness of a fragment of the ambient calculus, a formalism for describing distributed and mobile computations. More precisely, we study the expressiveness of the pure and public ambient calculus from which the capability open has been removed, in terms of the reachability problem of the reduction relation. Surprisingly, we show that even for this very restricted fragment, the reachability problem is not decidable. In a second step, for a slightly weaker reduction relation, we prove that reachability can be decided by reducing this problem to marking reachability for Petri nets. Finally, we show that the name-convergence problem as well as the model-checking problem turn out to be undecidable for both the original and the weaker reduction relation. The authors are grateful to S. Tison and Y. Roos for fruitful discussions and thank the anonymous referees for valuable comments. This work is supported by an ATIP grant from CNRS.

    The ethics of uncertainty for data subjects

    Modern health data practices come with many practical uncertainties. In this paper, I argue that data subjects' trust in the institutions and organizations that control their data, and their ability to know their own moral obligations in relation to their data, are undermined by significant uncertainties regarding the what, how, and who of mass data collection and analysis. I conclude by considering how proposals for managing situations of high uncertainty might be applied to this problem. These emphasize increasing organizational flexibility, knowledge, and capacity, and reducing hazard.

    Reducing number entry errors: solving a widespread, serious problem

    Number entry is ubiquitous: it is required in many fields including science, healthcare, education, government, mathematics and finance. People entering numbers can be expected to make errors, but shockingly few systems make any effort to detect, block or otherwise manage those errors. Worse, errors may go unnoticed yet still be processed in arbitrary ways, with unintended results. A standard class of error (defined in the paper) is an 'out by 10 error', which is easily made by miskeying a decimal point or a zero. In safety-critical domains, such as drug delivery, out by 10 errors generally have adverse consequences. Here, we expose the extent of the problem of numeric errors in a very wide range of systems. An analysis of better error management is presented: under reasonable assumptions, we show that the probability of out by 10 errors can be halved by better user interface design. We provide a demonstration user interface to show that the approach is practical. "To kill an error is as good a service as, and sometimes even better than, the establishing of a new truth or fact." (Charles Darwin 1879 [2008], p. 229)
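    The abstract above argues that systems should detect or block the keying slips that produce out by 10 errors rather than silently accepting them. The following is an added example, not code from the paper or its demonstration interface, showing how strict a number-entry parser has to be to do that: it rejects doubled or trailing decimal points, a leading decimal point with no digit, superfluous leading zeros and exponent notation, and it applies a per-field plausibility range. The acceptance rules and the constructed sample entries are assumptions chosen for illustration, and the lenient parser is Python's own float() for contrast.

```python
"""Strict number-entry validation for safety-critical fields.

Added example (not from the paper). The rules below are one conservative
choice of what an entry field should accept; they are assumptions, not the
paper's specification.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Canonical decimal: optional sign, an integer part without superfluous leading
# zeros, and at most one fraction part with at least one digit. No exponents.
_CANONICAL = re.compile(r"^[+-]?(0|[1-9][0-9]*)(\.[0-9]+)?$")


@dataclass
class EntryResult:
    raw: str
    value: Optional[float]   # None when the entry is rejected
    reason: Optional[str]    # why it was rejected, None when accepted


def parse_strict(raw: str) -> EntryResult:
    """Accept only unambiguous decimals; name the slip for everything else."""
    s = raw.strip()
    if s == "":
        return EntryResult(raw, None, "empty entry")
    if s.count(".") > 1:
        return EntryResult(raw, None, "more than one decimal point")
    if s.endswith("."):
        return EntryResult(raw, None, "trailing decimal point (5. could mean 5 or 5.0)")
    if re.match(r"^[+-]?\.", s):
        return EntryResult(raw, None, "decimal point with no leading digit (.5 vs 0.5)")
    if re.match(r"^[+-]?0[0-9]", s):
        return EntryResult(raw, None, "superfluous leading zero (05 vs 0.5 vs 5)")
    if not _CANONICAL.match(s):
        # Catches exponents (1e5), underscores (1_5), inf/nan and stray characters,
        # all of which float() would happily accept.
        return EntryResult(raw, None, "not a well-formed decimal number")
    return EntryResult(raw, float(s), None)


def parse_lenient(raw: str) -> Optional[float]:
    """What a typical system does: hand the keystrokes to float() and hope."""
    try:
        return float(raw)
    except ValueError:
        return None


def check_range(value: float, low: float, high: float) -> Optional[str]:
    """Per-field plausibility check; an out by 10 slip usually leaves the range."""
    if value < low:
        return f"{value} is below the expected minimum {low}"
    if value > high:
        return f"{value} is above the expected maximum {high}"
    return None


# Constructed sample entries (assumption): plausible slips when keying 1.5.
SAMPLE_ENTRIES = ["1.5", "1..5", "15.", ".5", "15", "1.5.", "1e5", "01.5", "1_5"]


def compare(entries: List[str]) -> List[Tuple[str, Optional[float], Optional[float], Optional[str]]]:
    """Side by side: raw entry, lenient value, strict value, strict rejection reason."""
    rows = []
    for e in entries:
        strict = parse_strict(e)
        rows.append((e, parse_lenient(e), strict.value, strict.reason))
    return rows


if __name__ == "__main__":
    for raw, lenient, strict, reason in compare(SAMPLE_ENTRIES):
        print(f"{raw!r:8} lenient={lenient!s:10} strict={strict!s:6} {reason or ''}")
    # A correctly parsed value can still be implausible for the field.
    print(check_range(15.0, 0.5, 5.0))
```

Run as a script, the table shows that float() turns "15.", ".5", "01.5" and "1_5" into numbers, and "1e5" into a value five orders of magnitude out, while the strict parser rejects each with a reason the interface can display. The range check is the second line of defence for the slips no syntax rule can catch, such as "15" keyed for "1.5".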

    Towards applying a safety analysis and verification method based on STPA to agile software development

    This paper presents a novel agile process model, "S-Scrum", based on the existing development process "Safe Scrum" and extended by a safety analysis method and a safety verification approach based on STPA (System-Theoretic Process Analysis).

    From 'shallow' to 'deep' policing: 'crash-for-cash' insurance fraud investigation in England and Wales and the need for greater regulation

    The policing of insurance fraud has traditionally been dealt with beyond the criminal justice system, as a private matter between the claimant and the insurer, with only a few iconic cases referred to the criminal justice system each year. The growth of insurance fraud, particularly 'crash-for-cash' fraud, and the lack of police interest have led to a change in the response of the insurance industry. This paper argues that this response can be characterised as a shift from the traditional 'shallow' to a 'deeper' form of policing which places greater focus upon criminal and quasi-criminal outcomes. The paper explores some of the private and innovative methods the industry has developed and illustrates what greater private criminal investigation might look like at a time when police privatisation has become a higher profile issue. It argues that the shift to 'deeper' policing necessitates greater regulation of the private investigation of crime and outlines a number of proposals to address this gap which require further consideration and debate.

    Comparing Petri Net and Activity Diagram Variants for Workflow Modelling: A Quest for Reactive Petri Nets

    Petri net variants are widely used as a workflow modelling technique. Recently, UML activity diagrams have been used for the same purpose, even though the syntax and semantics of activity diagrams have not yet been fully worked out. Nevertheless, activity diagrams seem very similar to Petri nets and, on the surface, one may think that they are variants of each other. To substantiate or deny this claim, we need to formalise the intended semantics of activity diagrams and then compare this with various Petri net semantics. In previous papers we have defined two formal semantics for UML activity diagrams that are intended for workflow modelling. In this paper, we discuss the design choices that underlie these two semantics and investigate whether these design choices can be met in low-level and high-level Petri net semantics. We argue that the main difference between the Petri net semantics and our semantics of UML activity diagrams is that the Petri net semantics models resource usage of closed, active systems that are non-reactive, whereas our semantics of UML activity diagrams models open, reactive systems. Since workflow systems are open, reactive systems, we conclude that Petri nets cannot model workflows accurately unless they are extended with a syntax and semantics for reactivity.

    Between mediatisation and politicisation: The changing role and position of Whitehall press officers in the age of political spin

    Despite widespread critiques of 'political spin', the way governments engage with the mass media has attracted relatively little empirical attention. There is a small but growing body of research into bureaucracies' responses to mediatisation from within, which has identified tensions between bureaucratic and party political values, but this has not included the United Kingdom. There are concerns that the traditional dividing line between government information and political propaganda has come under increasing pressure as a higher premium is placed on persuasion by both journalists and politicians battling for public attention in an increasingly competitive market. Within Whitehall, the arrival of Labour in 1997 after 18 years in opposition was a watershed for UK government communications, allowing the government to reconfigure its official information service in line with the party political imperative to deploy strategic communications as a defence against increasingly invasive media scrutiny. Public relations, in government as elsewhere, has grown in scale, scope and status, becoming institutionalised and normalised within state bureaucracies, but how has this affected the role, status and influence of the civil servants who conduct media management? Within the system of executive self-regulation of government publicity that is characteristic of Whitehall, government press officers must negotiate a difficult path between the need to inform citizens about the government's programme and demands by ministers to deploy privileged information to secure and maintain personal and party advantage in the struggle for power.
Taking 1997 as a turning point, and through the voices of the actors who negotiate government news (mainly press officers, but also journalists and special advisers), this article examines the changing role and position of Whitehall press officers in what has become known as the age of political spin, finding that profound and lasting change in the rules of engagement has taken place and is continuing.