LEMOS, F.L.; BIANCHI, P.H.

2020-10-29

LEMOS, F.L.; BIANCHI, P.H. A systemic approach to information and cyber security. In: INTERNATIONAL CONFERENCE ON NUCLEAR SECURITY, February 10-14, 2020, Vienna, Austria. Proceedings... p. 1-6. Available at: http://repositorio.ipen.br/handle/123456789/31576.

Design Based Threat, or DBT, is a common principle for physical and cyber protection, which is based on threat assessments. The protection, cyber or physical, will be planned based on the type of the identified threat. While we acknowledge the importance of the DBT, we argue that following this line of reasoning may limit our ability to grasp other vulnerabilities the system may have due to the following assumptions: a) The system will behave according to the way we think it should, based on a predetermined fashion. b) If each component of the system is reliable, then the system will be reliable. Systems theory assumes that accidents are a result of systemic factors, and do not have a single root cause, generally a failure, that starts a chain of events leading to the accident. Moreover, systems theory assumes that security and safety are emergent properties of a system that result from the interactions between the components of that system. Therefore, accidents are a problem of control of the interactions between the components of the system rather than a problem of failures of components. In the systemic approach, a cyber security system is treated as part of the whole socio-technical complex system, where humans are components of the system and interact with the computerized controls. The organizational culture permeates the entire system, affecting decisions and, consequently, the interactions between the components. Weak safety and security cultures will eventually contribute to the system migrating to hazardous states, leading to losses or accidents. The paper analyzes the roles of organizational, safety and security cultures as underlying factors that can lead to the deterioration of the hierarchical control structure, which is supposed to keep the interactions between the components of the system within desirable constraints.

Pages: 1-6
Access: openAccess
Keywords: cybernetics; security; risk assessment; information systems; organizational models; management
Title: A systemic approach to information and cyber security
Type: Full text of event