This guide sets out how to conduct a Systems and Dependency Analysis (SDA) in small to medium local public administrations (LPA’s) and small to medium sized enterprises (SME’s). It sets out in easily understandable terms, how to organise and run SDA workshops, create “Rich Pictures” (RP’s)/ CATWOE analysis, and how to use those to analyse your organisation’s systems and networks in the context of cybersecurity monitoring and awareness. The approach used to model the information emerging from the analysis is explained, as is how to create a dependency graph. We have included as examples of the approach, parts of the SDA produced by the municipality of Larissa’s employees in the context of the CS-AWARE project. They show their way of representing their City’s systems.

Our conclusion is that it is entirely realistic to expect that small to medium sized LPA’s and other small to medium sized organizations, using this guide, will be able to undertake their own SDA. We are confident that excellent and reliable results can be obtained by applying these guidelines through identifying key mission-critical systems and the interdependencies between them. By doing so, appropriate points in the network will be identified where traffic can be monitored and anomalous events detected in the context of CS-AWARE cybersecurity awareness monitoring.

While we are confident that small and medium sized LPA’s and organisations will be capable of using these guidelines successfully to conduct their own SDA, our experience both from this project and other instances where the authors have used the Soft Systems Methodology (SSM), is that the complexity of large organisations means that large LPA’s will need assistance and input from experienced analysts to conduct a successful SDA.