Competition 2009

Interdependency, Risk and Complexity

Business now relies on information infrastructures that are interlinked and interdependent. We need to understand how to predict and mitigate these risks with a view to aiding reaction and recovery within these infrastructures.

United Kingdom organisations depend upon reliable and accurate electronic information to make critical decisions about almost every aspect of their business. The dependence upon the systems that deliver services to UK business and society is greater than it has ever been and is set to increase in the coming years. These critical services may manifest as key information systems for transport routes, financial communication gateways or business process automation, which underpin the economic wellbeing of the United Kingdom. Today these vital systems are often owned by private organisations.

The current way in which organisations approach security can be recognised as an underlying market failure, which consists of firefighting security problems, siloed implementation of technologies, uncontrolled application development practices and a failure to address systemic problems. Organisations tend to deal with one problem at a time, which results in the deployment of point solutions to treat singular problems. This failure is typical of an uncontrolled marketplace evolving with little or no co-ordination.

The security of information is concerned with the risks to information being compromised either by disclosure (confidentiality), unreliability (integrity) or being unreachable (availability); collectively this is known as information risk.

Complex systems exist in all aspects of society ranging from stock market analysis to climate change, and information systems and infrastructures are no exception. As an information system matures it typically converges with others to add a richer functionality. This reliance upon extrinsic factors to deliver a service adds extra layers of complexity and interdependency, which are not fully understood and are to some degree uncontrollable.

The way in which these hidden interdependencies pervade our everyday lives is staggering and, in some cases, may go unchecked for many years until an incident occurs that reveals the true nature of the interdependencies' impact. The UK would benefit significantly if it were to be the first to establish a service sector building upon the analysis of these risks. Complex systems and interdependencies have been studied since the mid-20th century, but have been the domain of theoretical academic research in areas of sociology, biology and physics and not applied to information systems due to the simplistic way these systems were previously linked. This is no longer the case. The current practice of decomposing complex information systems into their individual components discounts their relationships and interconnectedness. This separation between systems does not address the fundamental principles of risk identification and mitigation required for today's connected world.

The methodologies that exist are inadequate and do not reveal the true holistic nature of the risks. Frameworks, tools and techniques for identifying and understanding the interdependent nature of cumulative risk within large complex infrastructures also do not exist with any degree of usability or prospect of commercialisation today.

We expect consortia applying to this competition to be highly interdisciplinary and industry led.

The Technology Strategy Board has an indicative £5M to invest over a 3-year period.

Timescales

Competition opens 16th March 2009

Optional Briefing Day 1st April 2009

Expressions of Interest deadline 23rd April 2009

Feedback provided by 11th May 2009

Feedback discussion in week beginning 11th May 2009

Applicants briefing (compulsory) 20th May 2009

Registration of intent to submit (compulsory) 18th June 2009

Deadline for receipt of full applications 25th June 2009

Decision and feedback to applicants 24th July 2009


Impacts

  • Understanding and subsequent improved management of complex information infrastructures leading to enhanced security
  • Internal business risk identification
  • Establishment of new service/consultancy sub-sector for interdependent risk analysis
  • Development of tools, methodologies and techniques for both business and government to procure
  • Increased awareness of hidden risks leading to mitigation of them
  • Increase of risk identification so more mitigations are procured
  • More effective use of resources
  • New/improved predictive services and models, with Knowledge Transfer to other areas, e.g. traffic management
  • Superior models for sales and marketing forces, for example utilisation of social networks (web 2.0/3.0) for more effective viral and guerrilla marketing
  • Improved financial risk modelling

 

 
