Efficiency vs. security: information technology consolidations-resilience, complexity, and monoculture

Abstract

Governmental organizations commonly seek to cut costs and increase efficiency through consolidation and standardization of information technology (IT) infrastructure. This may result in vulnerabilities not typically considered by policymakers, due to concentration and homogenization of critical assets, elimination of redundancy and surge capacity, and tightly coupled systems. This thesis reviewed the potential vulnerabilities that may exist in consolidated IT systems due to the effects of complexity, self-organized criticality, and monoculture, and shows that efficient systems carry inherent vulnerabilities. Because we cannot mitigate every possible threat, hazard, or vulnerability, IT professionals should focus on system resilience. Resilience of a system is counter-proportional to the product of vulnerability and spectral radius; therefore, any increase in vulnerability, spectral radius, or both decreases resilience. A reduction in overall vulnerability can compensate for increased self-organization and other losses of resilience through a variety of recommended actions. Many of those actions come with a cost-organizations will have to determine the tradeoffs they are willing to make between efficiency and security.