Page 155 - Kaleidoscope Academic Conference Proceedings 2021
SECURITY VULNERABILITY EXPRESSIONS:
A TECHNOLOGY FOR EMPOWERING NOVICE PRACTITIONERS AROUND THE
WORLD WITH SECURITY MATURITY CAPABILITIES
Jacques Francoeur
Security Inclusion Now, USA
ABSTRACT

The evolution of security over several decades by advanced countries has generated vast amounts of valuable security knowledge ("Knowledge") contained in standards, regulations and guidance ("Frameworks") published in the form of documents and spreadsheets. Knowledge captured in this form is very difficult to consume and adapt, especially by novice practitioners. If this barrier could be removed, it would release its enormous locked-in value to the rest of the world, which desperately needs it. A model and enabling software application ("Technology") is proposed for novice practitioners to quickly ingest existing, readily available knowledge contained in frameworks, thereby enabling easy access, search, visualization, navigation, and consumption of the frameworks and their maps. This technology will be made available as open source to the world.

Keywords – Security control expressions, security control frameworks, security control objectives, security vulnerability expressions

1. TACTICAL SECURITY CHALLENGES

The body of knowledge contained in frameworks in documents and spreadsheets can be characterized as follows:

In words: Security control objectives (Objectives) are worded descriptions of some "security value to be delivered to some value creation" in general, agnostic terms, with definitions. These objectives are not the actual implemented, environment-specific control. As a result, many frameworks encompassing identical objectives are worded differently, created from different perspectives for different purposes with varying degrees of expertise. This range of objective subjectivity requires substantial effort to reconcile and then to choose the "right" one. If an objective is mandated, it is one of the right ones; others may be more useful in terms of their articulation.

In frameworks: Different frameworks are not only worded differently but are structured differently. They differ radically in the way they decompose control/protection concepts and their underlying scope. Authoritative frameworks and guidance are issued by Standards Development Organizations (SDOs) and regulatory authorities and are developed by consensus, frequently under political governance processes.

Many frameworks, similar objectives and correctness: Even with attempts to normalize definitions across SDOs, there are still many differing definitions of similar security objectives. This raises the question: which one is correct? The challenge of correctness, or of selecting the "correct" one among the many choices, is that there is no intellectual/scientific basis for promulgating one framework as more correct than another.

Many frameworks, different objectives and completeness: There are many highly specific security control frameworks that fall in scope when objectives are committed to. No one framework can be considered complete in relation to the specific digital system requiring protection, as each framework has no knowledge of the others; therefore, there is no guarantee that all potential vulnerabilities will be identified. This is a critical challenge for high-assurance protection, where the one obscure vulnerability that is overlooked is ultimately responsible for a compromise. The information contained in frameworks represents a significant amount of fragmented and unorganized valuable security knowledge, and practitioners must bear the burden of researching, interpreting, reconciling, and validating the applicability, and then the efficacy, of an implemented security control.

Inherent framework reference limitation: When a spreadsheet of rows and columns is used to present a framework and its mappings to objectives in other frameworks, one framework is the anchor reference (on the "left" of the spreadsheet). The mappings to objectives in the other frameworks are provided in columns. It is then easy to find all the mapped identifiers in other frameworks for a given objective of the anchor framework. However, having the objective identifier still requires finding the applicable framework, finding the objective within it, and relating it back to the anchor objective. This is a painful process, and comparing objective descriptions across different frameworks remains a challenge. Two further consequences follow from the anchor-centric layout: a mapped identifier that does not actually exist in the target framework (a typo or a version mismatch) is not detectable from the spreadsheet alone, and objectives in the other frameworks that no anchor row maps to never appear on the sheet at all, which is exactly the completeness blind spot described above.
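The lookup the previous paragraph describes can be mechanized. The example below is added here and is not code from the paper or from the Security Inclusion Now project; it parses an anchor-centric crosswalk of the spreadsheet form described above (anchor objective on the left, mapped identifiers per framework in the columns), resolves every mapped identifier straight to the objective text in the other framework, inverts the table so a lookup can start from any framework, flags identifiers that do not exist in the target framework, and lists objectives that no anchor row maps to. The framework names (FW-A, FW-B, FW-C), the identifiers and the objective wording are constructed for the example and do not refer to any real framework.

```python
"""Resolve an anchor-centric control crosswalk into objective text.

Example code (not from the paper).  FRAMEWORKS, CROSSWALK_CSV and all
identifiers below are constructed sample data for illustration only.
"""
import csv
import io
from collections import defaultdict

# Constructed sample data: three hypothetical frameworks.  FW-A is the
# anchor framework; B-12 deliberately has no mapping from any anchor row.
FRAMEWORKS = {
    "FW-A": {
        "A-1": "Accounts are uniquely attributable to a person or service.",
        "A-2": "Privileged actions are logged and the logs are protected.",
        "A-3": "Sensitive data at rest is encrypted.",
    },
    "FW-B": {
        "B-7": "Each user has a unique identifier; shared accounts are prohibited.",
        "B-9": "Audit records cover administrative activity and are tamper-evident.",
        "B-12": "Passwords are stored using a salted, iterated hash.",
    },
    "FW-C": {
        "C-AC-2": "Identify and authenticate users before granting access.",
        "C-AU-9": "Protect audit information from unauthorized modification.",
    },
}

# The crosswalk as it would appear in the spreadsheet: anchor objective on
# the left, mapped identifiers per framework in the columns, several
# identifiers separated by ';', blank cell when no mapping exists.
# C-SC-28 is deliberately absent from FW-C to show an unresolvable reference.
CROSSWALK_CSV = """anchor_id,FW-B,FW-C
A-1,B-7,C-AC-2
A-2,B-9,C-AU-9
A-3,,C-SC-28
"""


def load_crosswalk(text):
    """Parse the CSV into {anchor_id: {framework: [mapped ids]}}."""
    mapping = {}
    for row in csv.DictReader(io.StringIO(text)):
        anchor = row.pop("anchor_id")
        mapping[anchor] = {
            fw: [i.strip() for i in cell.split(";") if i.strip()]
            for fw, cell in row.items()
        }
    return mapping


def invert(mapping):
    """Reverse index {framework: {foreign_id: [anchor ids]}} so a lookup can
    start from any framework instead of only from the anchor."""
    reverse = defaultdict(lambda: defaultdict(list))
    for anchor, per_fw in mapping.items():
        for fw, ids in per_fw.items():
            for fid in ids:
                reverse[fw][fid].append(anchor)
    return reverse


def resolve(anchor_id, mapping, frameworks, anchor_fw="FW-A"):
    """Return the anchor objective beside the text of every mapped objective.
    Identifiers missing from the target framework are reported as
    unresolved rather than silently dropped."""
    result = {
        "anchor": (anchor_id, frameworks[anchor_fw].get(anchor_id)),
        "mapped": [],
        "unresolved": [],
    }
    for fw, ids in mapping.get(anchor_id, {}).items():
        for fid in ids:
            text = frameworks.get(fw, {}).get(fid)
            if text is None:
                result["unresolved"].append((fw, fid))
            else:
                result["mapped"].append((fw, fid, text))
    return result


def reverse_lookup(fw, fid, reverse, frameworks, anchor_fw="FW-A"):
    """From an objective in a non-anchor framework, find the anchor
    objectives it maps to, with their text."""
    anchors = reverse.get(fw, {}).get(fid, [])
    return [(a, frameworks[anchor_fw][a]) for a in anchors]


def gaps(mapping, frameworks, anchor_fw="FW-A"):
    """Objectives in non-anchor frameworks that no anchor row maps to.
    The anchor-centric sheet never shows these, so they are the
    completeness blind spot."""
    reverse = invert(mapping)
    return sorted(
        (fw, fid)
        for fw, objs in frameworks.items() if fw != anchor_fw
        for fid in objs if fid not in reverse.get(fw, {})
    )


if __name__ == "__main__":
    m = load_crosswalk(CROSSWALK_CSV)
    for anchor in m:
        print(resolve(anchor, m, FRAMEWORKS))
    print("unmapped:", gaps(m, FRAMEWORKS))
```

Keeping the "unresolved" list separate from "mapped" is the important design choice: a crosswalk cell that points at a non-existent objective is a data-quality defect in the map itself, and a tool that quietly skipped it would reproduce the very blind spot the paragraph complains about.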
978-92-61-33881-7/CFP2168P @ ITU 2021 – 93 – Kaleidoscope