Risk-based model for tracking complexity in system vulnerability analysis

摘要

We describe a method for tracking model complexity in system vulnerability analysis. The method builds on the collection of risk scenarios describing known vulnerabilities of systems and system components. We introduce the concept of an interaction as a mapping between a risk scenario and one or more system components. An interaction is direct when the mapping is obvious. An interaction is indirect when the mapping can make use of nonobvious relationships among system components. Indirect interactions characterize the rippling effects of a risk scenario and are used to identify the nonobvious interdependencies. With the above foundation, the method extends traditional process control charts to track evolving knowledge of scenarios and systems. The charts signal the emergence of anomalous variation in emerging knowledge of system vulnerability. The method is applied iteratively to avoid situations of surprise in an emerging model (scenarios and systems) of system vulnerability. An application of the method is discussed.