Spheric Labs


State-of-Security Assessment & Certification Techniques & Tool Development

What is being measured for what?

Before anything can be measured for anything, three things must be defined: first, the "what is being measured"; second, the "what it is being measured for"; and lastly, to what level of confidence.

In an Enterprise Security Control Framework

First, What is being measured?

In the Security Space, the "what is being measured" involves two basic relationships:

The relationship between Security Delivered by a Security Asset performing a Security Technique and the Protection Received by a Business Asset performing a business function

The relationship between a Threat Payload executing an Attack Exploit against the Attack Surface of a Business Asset

Defining these Relationships

We have defined the conceptual nature of two core relationships, but in order to measure these relationships, models are required. These two relationships have three basic elements: Threat | Target | Security.

 

The following sections define the building blocks of these relationships and assemble them into Expressions.

Generic Expression Backbone

The expression backbone is common to all three context-specific expressions outlined below. The backbone is expressed as follows: Software 

Security Expression Backbone

The Security Expression backbone is identical to the generic backbone except for the applied "security delivered" context.

Target Expression Backbone

The expression backbone is common to all three context-specific expressions outlined below. The backbone is expressed as follows: Software 

Threat Expression Backbone

The expression backbone is common to all three context-specific expressions outlined below. The backbone is expressed as follows: Software 


Spheric Shield

Security Control Expression Models