Spheric Academy

Unified Security Model

- USM -

1 integrated system!

What is the Unified Security Model

Defining the essence of the Security Problem Space

In an Enterprise Security Control Framework

Risk | Value | Protection Model

The Unified Security Model (USM) is a single system that represents the entire Security Problem Space.

The model defines a simple relationship that is universally present in all sub-models:

  • Value, gold in color, represents something that has perceived value

  • Risk, red in color, represents the risks created by cyber threats to Value

  • Protection, blue in color, represents some form of security protecting Value against threats

In the USM illustration, the Protection arrow is inside the Value box since it has a cooperative relationship with the Value, while the Risk arrow is outside the Value since it does not have such a relationship.

In order to be a single integrated system, the USM architecture must be connected from high levels to low detailed levels:

  • Risk - Threat - Attack - Exploit

  • Value - Target - Vulnerability

  • Protection - Security - Countermeasure

This interconnection makes it possible to rate and assess at increasingly detailed lower levels for higher precision, and to aggregate the results upward into higher-level Indices.

Target | Security Expression Model

Defining the relationship between Target and the Security delivered

Security delivered as protection to the Target can be modeled, as illustrated below, as a "Security to Target" protection. Both the Target and Security sides are symmetric in terms of backbone: software, data, and hardware. The only difference is the context of what the software, data, and hardware are doing: the software executes for either a security or a business purpose, and the data is either the data required by Security or the data required by the business application. Finally, the networked device is a host to the security or business software.

  • Target to Security Relationship

Threat | Target Expression Model

Defining the relationship between the nature of the Target and potential Exploits

Threat applied to Target can be modeled as illustrated above as a "Threat to Target" risk. As in the case of the Target | Security expression model previously discussed, both the Threat and Target sides are also symmetric in terms of backbone: software, data, and hardware. Note, the Target in both the Target | Security & Threat | Target expression models is the same Target.

  • Threat to Target Relationship

Threat | Target | Security Expression Model

Combining the two models into one 

The Target common to both previously outlined expression models allows the two to be combined into a single Threat | Target | Security Expression model. This is, in fact, the natural complete form of a "security control."

 

The security countermeasures are designed to mitigate the specific attack exploit of a Target with a vulnerability.

  • Threat to Target Relationship

  • Security to Target Relationship

Protection Assurance Expression Model

What if the Security providing Protection to the Target becomes the threat Target?

The upper row of the image represents the Threat | Target | Security Expression previously covered, with the added clarification of Target required by a new threat distinction: a Threat to the Security providing protection to the Target, that is, Security Threat to Target Security.

The upper row represents the following relationships:

  • Target Threat to Target 

  • Target Security to Target 

The lower row represents the new distinction. 

  • Security Threat to Target Security

  • Threat Security to Security Threat

This model requires not only that the Target be adequately protected, but also that the security itself be resistant to attack and that Target attacks are actively detected and denied.

Spheric Shield

Security Control Expression Models