Assessing Cloud Risks: A Systems Thinking Approach?

By Olusola Akinrolabu, PhD, CISSP-ISSAP

The world today is experiencing accelerated growth in the number of complex systems that play crucial roles in the social and economic space. The newly developed technologies have an increasing interdependence on pre-existing systems (e.g., cloud and edge computing dependent on the Internet) and produce extremely complex and unpredictable effects. According to Herbert Simon, a complex system is made up of a large number of interacting parts, where the whole is more than the sum of the parts in a practical sense. Therefore, a cloud service is an example of a complex system. The supply chain of a cloud service is made up of many agents (providers, users, components), all of which interact in intricate ways leading to a continual reshaping of the service and its delivery.

Before going any further, we make a distinction between complex, complicated and chaotic systems. Complex systems differ from chaotic ones, in that chaos deals with situations where systems are sensitive to small changes, and rapidly become disorderly and unmanageable. Despite their random appearance, chaotic systems have some underlying order to them. Complexity deals with systems composed of many interacting agents, which interact in a non-linear way, thereby affecting the probability of later events. Complex systems feature feedback loops and exhibit emergent behaviours. By emergent, we mean properties which are not noticed in isolation but result from the interactions and dependencies between the system components. This provides insights into the robustness of the underlying system. Complicated systems, however, are understood by the sum of their parts. They are complicated because of a large number of parts, not because of the nature of interactions between those parts.

Cloud computing is made up of a dynamic network of interacting components, involved in information exchange, and their relationship is not an aggregation of the individual static entities. As a complex system, the perfect understanding of the individual components of a cloud service does not automatically convey an excellent knowledge of its behaviour. The interactions that take place within a cloud supply chain are non-linear, seeing that a small change along the chain could have a significant effect on the cloud system. Cloud services run in distributed environments, where there are many moving parts, which can fail at any time. Nowadays, information systems are highly dynamic and are characterised by constant technological change. Developing cloud applications which rely on external components to function therefore requires that the potential risk scenarios be modelled into the development, and that mitigation mechanisms be put in place to recover from such failure.

Sample Supply Chain Map of a SaaS Provider.

This is why we believe that modelling for cloud risk scenarios requires a systems thinking approach, where each entity involved in the delivery of the service is identified, and the relationships and dependencies between the entities are mapped out. Systems thinking enables us to make explicit models to look at the combination of the interdependent component systems that make up a cloud service and study how the state of the cloud system changes as a result of the interactions of these components. Systems thinking, like the General Systems Theory, attempts to elucidate deep principles underlying systems whose components are linked by feedback loops.
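The mapping described above can be made explicit as a dependency model. The following is an added example, not part of the original article: every entity name is constructed, and the "dependency group" representation of redundancy is an assumption made for illustration.

```python
# Constructed supply chain map for a hypothetical SaaS provider (all names are
# illustrative). Each entity lists dependency groups; a group is satisfied while
# at least one of its members is still up, which models redundancy.
SUPPLY_CHAIN = {
    "saas_app":      [{"iaas_region_a", "iaas_region_b"}, {"auth_provider"}, {"payment_api"}],
    "auth_provider": [{"dns_provider"}],
    "payment_api":   [{"dns_provider"}, {"iaas_region_a", "iaas_region_b"}],
    "iaas_region_a": [{"power_grid_a"}, {"internet_backbone"}],
    "iaas_region_b": [{"power_grid_b"}, {"internet_backbone"}],
    "dns_provider":  [{"internet_backbone"}],
    "power_grid_a": [], "power_grid_b": [], "internet_backbone": [],
}

def propagate(initial_failures, chain=SUPPLY_CHAIN):
    """Return every entity that is down once the initial failures have cascaded."""
    down = set(initial_failures)
    changed = True
    while changed:  # iterate to a fixed point so cascades (and loops) settle
        changed = False
        for entity, groups in chain.items():
            if entity in down:
                continue
            # An entity goes down when any dependency group has no member left up.
            if any(group <= down for group in groups):
                down.add(entity)
                changed = True
    return down

def blast_radius(chain=SUPPLY_CHAIN):
    """Map each entity to the set of other entities its failure takes down."""
    return {e: propagate({e}, chain) - {e} for e in chain}

def single_points_of_failure(service, chain=SUPPLY_CHAIN):
    """Entities whose failure alone brings the service down."""
    return sorted(e for e, hit in blast_radius(chain).items() if service in hit)

if __name__ == "__main__":
    for entity, hit in sorted(blast_radius().items(), key=lambda kv: -len(kv[1])):
        print(f"{entity:18} -> {len(hit)} affected: {sorted(hit)}")
    print("SPOFs for saas_app:", single_points_of_failure("saas_app"))
```

Losing either power grid alone takes down one region and leaves the service running, while losing both together takes down the service and the payment API as well: the combined effect is larger than the sum of the individual effects, which is the non-linearity the article describes.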

Systems thinking helps us to express our understanding of a complex system, and it makes use of tools such as causal loop diagrams, stock and flow diagrams, and simulation models to show the relationship between entities instead of studying them in isolation. It is a set of synergistic analytic skills used to improve the capability of identifying and understanding systems, predicting possible behaviours and devising modifications to them in order to produce desired effects. Systems thinking helps to see both the forest (i.e. system) and the trees (i.e. components), with the system being more than just a collection of its parts. With the traditional problem-solving (reductionist) approach no longer sufficient in addressing complex systems, the systems thinking approach offers a more generalist approach to problem-solving. Using available data, stakeholders can visually represent complex systems to reflect the conceptualisation of reality. This acts as a memory aid, seeing that stakeholders can offload cognition to an external artefact for a more accurate analysis. The approach also helps stakeholders to recognise their limitations and correct their cognitive biases about the system (i.e., cloud service).

While it is still challenging to predict the behaviour of complex systems, the systems thinking approach provides us with thinking skills that are effective in answering questions such as “what to include in a risk assessment” or in thinking about the big picture (10,000 meters). The modelling of complex systems also calls for a broad boundary, where there are few exogenous variables. Cloud system boundaries, due to the nature of interactions between cloud components within a system and between the system and its environment, can be highly dynamic in comparison to traditional IT. Therefore, seeing that systems thinking is not a purely technical solution, it is only appropriate for systems thinking modellers to establish an understanding of the cloud service through activities ranging from mapping system interaction and identifying non-linearities to recognising and challenging the boundaries of existing mental and formal models. By so doing, we can use our knowledge of the system’s complexity to improve its performance and assess its risk.
