In a previous blog post we discussed the third round of system and dependency analysis workshops conducted in the context of the CS-AWARE project in the municipalities of Larissa and Rome. In this post we would like to discuss in a bit more detail our experiences of the similarities and differences of conducting the workshop in the context of a mid-sized municipality like Larissa and a large metropolitan area like Rome. Larissa is a municipality of fewer than 200 thousand inhabitants, with its IT infrastructure dedicated to supporting the operations and citizen interactions of the various municipal departments, without providing on-line services that allow citizens administrative interactions with the municipality. Rome, on the other hand, with a population of almost 3 million, relies heavily on on-line services to support the various departments in their municipal duties towards their citizens.

This blog post, however, is not about comparing two municipalities, but about our experiences in trying to analyse and understand the individual requirements of two very different municipalities in the context of cybersecurity. First, the soft systems based analysis approach allowed us to have close interactions with the actual users, administrators and managers of the systems within the municipalities, by creating stable workshop teams that formed the core of the analysis process. Here we have already seen the first major difference between a medium-sized and a large municipality: while in Larissa a team of fewer than 10 participants, all employees of the municipality, could cover the majority of topics that are relevant to CS-AWARE in a very detailed manner, the complexity of the organizational and technical set-up of Rome required about 30 participants to bring knowledge of the various relevant aspects of the municipality's systems and networks to our system and dependency analysis workshops.

A second significant difference that we could observe is the in-house handling of system development and maintenance in Larissa, versus the heavy reliance on contracts and consulting to provide various aspects of the systems and services in Rome. We think that this difference is a function of the size of a municipality. In Larissa we observed that the small team of managers and system administrators not only ensures day-to-day maintenance and operation of the systems, but also handles much of the required development work related to the services (or interacts with the supplier of the service with a deep technical understanding if larger development tasks are required). In Rome, as is the case with any large organization that relies heavily on outsourcing, much of the system development and maintenance is handled by external providers bound by service level agreements. So any attempt at trying to understand the overall set-up of the municipal systems requires the inclusion of a significant number of the external service providers.

This directly leads to the third major observation we made about the differences in analyzing a medium-sized versus a large municipality: it is much easier to build close professional relationships with and among the workshop participants (both between the participants themselves and between the participants and the analysts) in smaller groups than is the case in large groups. Close professional relationships and the resulting mutual understanding between the participants are an important factor. This factor enables the sharing of often tacit knowledge between the participants and determines the quality of information and understanding that the participants are able to contribute. This impacts the ease with which high quality results of the analysis can be ensured. In Larissa, where the workshop participants work with each other on a daily basis and thus already have close relationships, it was fairly easy to create an environment in which the participants felt comfortable to contribute and share their tacit knowledge. In Rome, where we experienced a diverse set-up of municipal employees at different organizational levels, as well as representatives from suppliers, it took much longer to create an environment of mutual trust and understanding. However, once this was achieved, the workshop results did not differ from those of Larissa.

To conclude this blog, we have seen that it is much easier for an analyst to conduct the soft systems based system and dependency analysis that CS-AWARE is proposing. At the same time we have seen that the strength of the soft systems analysis is only really apparent when dealing with a high level of complexity. We have seen that even in those situations, while it is more difficult for the analyst to gather the information and interpret the results, it is possible to achieve the same level of results in approximately the same amount of time. We see this as a fairly strong indicator for the strength of soft systems analysis in the context of cybersecurity.

Thomas Schaberreiter,
University of Vienna