2 different frames or metaphors for #CyberSecurity
Security as a Quality Management issue, thus a problem of robustness
Security as a Safety issue, thus a problem of resilience
They’re fundamentally different, and may even be at odds, but how?
🧵
A Quality Management metaphor leads us toward testing, predictability and reliability: we aim to be effective at dealing with predicted threats, which represent a finite configuration of what our industries expect. We aim for “maintaining process integrity inside
of known design, training and procedural parameters” (Dekker), so I prepare for a number of scenarios that I can foresee and threat model for, increasing the robustness of my system (not just operationally, but also in requirements gathering, testing, training, the SDLC and even threat intel)
All well and good, but from complexity science we know that “robust constraints tend to fail catastrophically when design conditions are exceeded” (@snowded)
But this is also a cautionary tale. If you don’t have the capacity to deal with expected adverse conditions,
you have no business thinking about or prioritising adaptive capacity, because the “knows” can get you down and keep you there.
So until you get to the point where your robustness is sound, this is the metaphor that is most appropriate and which can be argued for economically