Spheric Academy



Expressing your Security

What is a Security Control?

Defining a simple value exchange relationship

In an Enterprise Security Control Framework

First, before I define a Security Control Expression,

What is a Security Control

A Security Control is a description of security value delivered by a security asset and protection value received by a corresponding business asset.


If one assumes they are not necessarily the same, loss can be defined and measured in both directions:

  • Horizontal Protection Loss: the difference between "protection received" and "security delivered" is a loss in protection.

  • Vertical Confidence Loss: The loss of measurement and communication confidence between "actual implemented controls" that are environment and protocol specific and Standard & Regulatory control objectives that are method agnostic. 

Security Delivered versus Protection Received 

Target | Security
Expression Model

Defining the relationship between Target and the Security delivered

Security delivered as protection to the Target can be modeled as illustrated below "Security to Target" protection." Both the Target and Security sides are symmetric in terms of backbone: software, data, and hardware. The only difference is the context of what the data, software, and hardware are doing - either executing software with security versus business purpose; either using data required by Security or the data required by the business application. Finally, the networked device is a host to the security or business software. 

  • Target to Security Relationship

Threat | Target Expression Model

Defining the relationship between the nature of the Target and potential Exploits

Threat applied to Target can be modeled as illustrated above as a "Threat to Target" risk. As in the case of the Target | Security expression model previously discussed, both the Threat and Target sides are also symmetric in terms of backbone: software, data, and hardware. Note, the Target in both the Target | Security & Threat | Target expression models is the same Target.

  • Threat to Target Relationship

Threat | Target | Security Expression Model

Combining the two models into one 

The common Target to both previously outlined expression models allows the two to be combined into a single Threat | Target | Security Expression model.  This is, in fact, the natural complete form of a "security control."


The security countermeasures are designed to mitigate the specific attack exploit of a Target with a  vulnerability. 

  • Threat to Target Relationship

  • Security to Target Relationship


What if the Security providing Protection to the Target becomes the threat Target?

The upper row of the image represents the Threat | Target | Security Expression previous covered with the added clarification of Target required by a new threat distinction - Threat to the Security providing protection to the Target: Security Threat to Target Security

The upper row represents the following relationships:

  • Target Threat to Target 

  • Target Security to Target 

The lower row represents the new distinction. 

  • Security Threat to Target Security

  • Threat Security to Security Threat

This model requires not only that the Target be adequately protected but also that the security be itself resistant to attack and that Target attacks are actively detected and denied

Spheric Shield

Security Control Expression Models

* This work is proprietary to Jacques R. Francoeur, Copyright © 2019  and is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License available @ https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode