Background

Modern IT-systems facilitate interactive work, are highly interconnected and make use of various data-sources. The rising complexity of tasks performed by such systems goes hand in hand with a rising complexity of the underlying architecture. This makes IT-systems susceptible to faults, which may even produce  – due to the high degree of interconnectedness – wide-ranging break-downs. Therefore, it is necessary to protect IT-Systems against such risks and make them more resilient. Specifically, in critical areas (e.g., where human life is at stake) this is absolutely vital.

Project content

Conventional IT-Security mainly focuses on protective measures against attacks on a system. By contrast, cyber-resilience is more broadly defined. Resilient systems are designed in a way, that makes it possible to foresee certain system-failures and react accordingly. The main aim is not to fully restore the original state of the system but to introduce adjustments that accomplish both putting the system back in operation and making it more robust. In short, resilient IT-systems are able to adapt and work properly under different conditions.

Despite its potential cyber-resilience is underrepresented in software-development. The situation is even worsened by the fact that common software tools are not well-suited for implementing it. Unsurprisingly, it is also plays a minor role in trainings and educational courses. For this reason – to give it the attention it deserves –  a boot camp training on cyber-resilience is developed in the current project. This training course includes lessons on resilient design and the tools needed to implement resilience. The course is mainly focused on topics relevant to the health sciences but the contents can be easily transferred to other areas as well.

Goals

The demand for qualified personnel being familiar with cyber-resilience is on the rise and this trend is likely to continue. The main aim of this project is to meet these needs by offering a boot camp training focusing on cyber-resilience in the health-care sector. More precisely, participants in the boot camp gain the opportunity to acquire competences to develop and operate resilient IT-systems. In particular, the participants learn:

• basic concepts of IT-security, as far as they are relevant for cyber-resilience.
• background knowledge on cyber-resilience and important concepts such as “resilience by design” and “resilient software development”.
• the basics of medical software.
• techniques and competences to evaluate and implement cyber-resilience and competences to assess risks.

Methods

The bootcamp training is grounded in the concepts of accelerated learning and organised in teaching blocks. Knowledge accumulated in a previous data-science boot camp course is integrated as well. The boot camp training is divided into five phases.

In Phase Null participants get to know each other and knowledge gaps are levelled out. In Phase One basic concepts are introduced. These concepts are discussed in greater depth in Phase Two and linked to issues relevant in medicine and issues regarding interdisciplinary collaboration. In the third phase important concepts such as “resilience by design” are introduced. In addition, best-practise examples as well as the most important tools are presented. Teaching the participants to apply the competences they acquire to different problems is major concern of the bootcamp. To refine these competences participants carry out a practical project on their own. In Phase Four methods (e.g., chaos engineering)  that help to test the resilience of IT-systems are taught. Finally, the boot camp training  is evaluated.

Results

Participants of the boot camp training acquire competences on cyber-resilience. They are familiar with the basic terminology and important concepts, are able to apply their knowledge flexibly to solve different problems and are skilled at designing robust and adaptive systems. They can identify weak spots in a system, make suggestions for improvement and take the necessary steps to counter potential risks. On top of that the participants are able to share their expertise and explain the methods they have learned to those with less experience in this area. Overall, the boot camp training is an important to step to popularize cyber-resilience and make IT-systems more fail-safe.