Research Area: Survivable Distributed Systems
Pilot work in 2006 showed that the Survivability Analysis Framework (SAF) offers an effective approach for describing complex socio-technical systems that cross multiple organizations to support the identification of survivability and information assurance gaps. Institutions growing in size and complexity increasingly rely on technology to connect distributed activities among internal and external entities for organizational functionality. Their challenge becomes maintaining privacy, accuracy and availability of critical information and survivability of organization processes in the face of increased out-sourcing and constant change. Data are collected and shared among a broad group of participants, many of whom use systems and practices that are outside of direct organizational control.
Our research will explore a method by which one can analyze and monitor the security and survivability risks within these complex organizational processes, even as changes in the composition of those processes are planned, assembled and evaluated to ensure effective risk management. Organizational processes are subject to continuous assessment and change to meet requirements for controlling costs, increasing market share and to take advantage of new technologies. The complexity of the resulting socio-technical systems can introduce unexpected risks that inadvertently jeopardize an organization's mission. The application of assurance case analysis, a technique widely used in safety analysis, is proposed to provide a way of surfacing the risks within the processes of today and projecting potential risks of future changes. This will allow organizations the opportunity to determine the appropriate actions needed to monitor and mitigate unacceptable risks prior to crises.
This research will incorporate the context of real-world examples taken from within an organization involved in multi-organizational activities. A mission-critical process that involves coordination across a complex socio-technical environment, involving multiple departments, serveral information systems, as well as external entities, will be selected and characterized.