Expressing your Security
What is a Security Control?
Defining a simple value exchange relationship
In an Enterprise Security Control Framework
First, before I define a Security Control Expression, what is a Security Control?
A Security Control is a description of security value delivered by a security asset and protection value received by a corresponding business asset.
If one does not assume that the value delivered and the value received are equal, loss can be defined and measured in two directions:
Horizontal Protection Loss: the difference between the "protection received" by the business asset and the "security delivered" by the security asset is a loss of protection.
Vertical Confidence Loss: the loss of measurement and communication confidence between the "actual implemented controls", which are environment- and protocol-specific, and the Standard and Regulatory control objectives, which are method-agnostic.
Security Delivered versus Protection Received
Target | Security
Defining the relationship between Target and the Security delivered
Security delivered as protection to the Target can be modeled as illustrated below as "Security to Target" protection. Both the Target and Security sides are symmetric in terms of backbone: software, data, and hardware. The only difference is the context of what the software, data, and hardware are doing: the software executes for a security purpose rather than a business purpose, and the data is the data required by Security rather than the data required by the business application. Finally, the networked device is the host to either the security or the business software.
Target to Security Relationship
Threat | Target Expression Model
Defining the relationship between the nature of the Target and potential Exploits
Threat applied to Target can be modeled as illustrated above as a "Threat to Target" risk. As in the Target | Security expression model discussed previously, the Threat and Target sides are also symmetric in terms of backbone: software, data, and hardware. Note that the Target in the Target | Security and Threat | Target expression models is the same Target.
Threat to Target Relationship
Threat | Target | Security Expression Model
Combining the two models into one
The Target common to both expression models outlined above allows the two to be combined into a single Threat | Target | Security Expression model. This is, in fact, the natural complete form of a "security control."
The security countermeasure is designed to mitigate the specific exploit that the threat applies against a vulnerability in the Target.
Threat to Target Relationship
Security to Target Relationship
What if the Security providing Protection to the Target becomes the threat Target?
The upper row of the image represents the Threat | Target | Security Expression covered above, with the word "Target" added to each relationship to distinguish it from a new threat distinction: a Threat to the Security that provides protection to the Target (Security Threat to Target Security).
The upper row represents the following relationships:
Target Threat to Target
Target Security to Target
The lower row represents the new distinction.
Security Threat to Target Security
Threat Security to Security Threat
This model requires not only that the Target be adequately protected, but also that the Security itself be resistant to attack, and that attacks on the Target are actively detected and denied.
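As an added illustration of the combined Threat | Target | Security model and of the lower-row distinction (Security itself becoming a Target), the following Python sketch is not part of the original framework. It encodes the shared software/data/hardware backbone, the Threat-to-Target and Security-to-Target relationships, and two checks a practitioner would want: a Horizontal Protection Loss check (threats against a Target that no Security delivered to that Target mitigates) and a check for security assets that are attacked but receive no protection of their own. All asset names, exploit names and the coverage rules are illustrative assumptions.

```python
# Added example (not from the original page): an executable sketch of the
# Threat | Target | Security expression model. Asset names, exploit names and
# the two coverage checks are assumptions made for illustration.
from dataclasses import dataclass

# Shared backbone of the Threat, Target and Security sides.
BACKBONE = ("software", "data", "hardware")


@dataclass(frozen=True)
class Asset:
    name: str
    layer: str   # one of BACKBONE
    role: str    # "business" or "security": the only difference between the sides

    def __post_init__(self):
        if self.layer not in BACKBONE:
            raise ValueError(f"{self.name}: layer must be one of {BACKBONE}")


@dataclass(frozen=True)
class Threat:
    """Threat | Target: an exploit applied against a Target asset."""
    name: str
    target: Asset
    exploit: str


@dataclass(frozen=True)
class Security:
    """Target | Security: a security asset delivering protection to a Target."""
    name: str
    asset: Asset            # the security asset doing the protecting
    target: Asset           # the asset receiving the protection
    mitigates: frozenset    # exploits countered on that target


def uncovered_threats(threats, controls):
    """Horizontal Protection Loss: threats whose exploit is not mitigated by any
    Security delivered to the same Target."""
    delivered = {}
    for c in controls:
        delivered.setdefault(c.target, set()).update(c.mitigates)
    return sorted(t.name for t in threats
                  if t.exploit not in delivered.get(t.target, set()))


def unprotected_security(threats, controls):
    """Lower-row distinction: security assets that are the Target of a Threat
    but have no Security protecting them in turn."""
    protected = {c.target for c in controls}
    return sorted({t.target.name for t in threats
                   if t.target.role == "security" and t.target not in protected})


# Constructed sample model (hypothetical assets and exploits).
orders_db = Asset("orders-db", "data", "business")
orders_app = Asset("orders-app", "software", "business")
disk_crypto = Asset("disk-encryption", "software", "security")
key_store = Asset("key-store", "hardware", "security")
waf = Asset("waf", "software", "security")

THREATS = [
    Threat("stolen-disk", orders_db, "offline-read"),
    Threat("injection", orders_app, "sql-injection"),
    Threat("key-theft", disk_crypto, "key-extraction"),   # Security becomes the Target
    Threat("waf-bypass", waf, "rule-evasion"),            # Security becomes the Target
]

CONTROLS = [
    Security("db-at-rest", disk_crypto, orders_db, frozenset({"offline-read"})),
    Security("web-filter", waf, orders_app, frozenset({"xss"})),  # sql-injection not covered
    Security("key-protection", key_store, disk_crypto, frozenset({"key-extraction"})),
]


def report(threats=THREATS, controls=CONTROLS):
    """Return both gaps for a model, so the caller can act on them."""
    return {
        "uncovered_threats": uncovered_threats(threats, controls),
        "unprotected_security": unprotected_security(threats, controls),
    }


if __name__ == "__main__":
    for gap, items in report().items():
        print(f"{gap}: {items}")
```

In the sample model the Security protecting the orders database (disk encryption) is itself attacked and is protected by the key store, which satisfies the lower-row requirement; the WAF is attacked but has no protecting Security, and the SQL injection threat against the application is not mitigated by the protection the WAF delivers, so both surface as gaps.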
Security Control Expression Models
* This work is proprietary to Jacques R. Francoeur, Copyright © 2019 and is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License available @ https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode