Page 155 - Kaleidoscope Academic Conference Proceedings 2021

SECURITY VULNERABILITY EXPRESSIONS:
A TECHNOLOGY FOR EMPOWERING NOVICE PRACTITIONERS AROUND THE WORLD WITH SECURITY MATURITY CAPABILITIES

Jacques Francoeur

Security Inclusion Now, USA

ABSTRACT

The evolution of security over several decades by advanced countries has generated vast amounts of valuable security knowledge ("Knowledge") contained in standards, regulations and guidance ("Frameworks") published in the form of documents and spreadsheets. Knowledge captured in this form is very difficult to consume and adapt, especially by novice practitioners. If this barrier could be removed, it would release its enormous locked-in value to the rest of the world, which desperately needs it. A model and enabling software application ("Technology") is proposed for novice practitioners to quickly ingest existing, readily available knowledge contained in frameworks, thereby enabling easy access, search, visualization, navigation, and consumption of the frameworks and their maps. This technology will be made available as open source to the world.

Keywords – Security control expressions, security control frameworks, security control objectives, security vulnerability expressions

1. TACTICAL SECURITY CHALLENGES

The body of knowledge contained in frameworks in documents and spreadsheets can be characterized as follows:

In words: Security control objectives (Objectives) are worded descriptions of some "security value to be delivered to some value creation" in general, agnostic terms, with definitions. These objectives are not the actual implemented, environment-specific control. As a result, many frameworks, encompassing identical objectives, are worded differently, created from different perspectives for different purposes with varying degrees of expertise. This range of objective subjectivity requires substantial effort to reconcile and then to choose the "right" one. If mandated, it is one of the right ones. Others may be more useful in terms of their articulation.

In frameworks: Different frameworks are not only worded differently but are structured differently. They differ radically in the way they decompose control/protection concepts and their underlying scope. Authoritative frameworks and guidance are issued by Standards Development Organizations (SDOs) and regulatory authorities and are developed by consensus and frequently under political governance processes.

Many frameworks, similar objectives and correctness: Even with attempts to normalize definitions across SDOs, there are still many differing definitions of similar security objectives. This raises the question: which one is correct? The challenge of correctness, or of selecting the "correct" one among the many choices, is that there is no intellectual/scientific basis for promulgating one framework as more correct than another.

Many frameworks, different objectives and completeness: There are many highly specific security control frameworks that fall in scope when objectives are committed to. No one framework can be considered complete in relation to the specific digital system requiring protection, as one has no knowledge of the other; therefore, there is no guarantee that all potential vulnerabilities will be identified. This is a critical challenge for high-assurance protection: overlooking the one obscure vulnerability ultimately responsible for a compromise. The information contained in frameworks represents a significant amount of fragmented and unorganized valuable security knowledge, and practitioners must suffer the burden of researching, interpreting, reconciling, and validating the applicability and then the efficacy of an implemented security control.

Inherent framework reference limitation: When a spreadsheet of rows and columns is used to present a framework and its mappings to objectives in other frameworks, one framework is the anchor reference (on the "left" of the spreadsheet). The mappings to objectives in other frameworks are provided in columns. It is then easy to find all the mapped identifiers in other frameworks for a given objective of the anchor framework. However, having the objective identifier still requires finding the applicable framework, finding the objective, and relating it back to the anchor objective. This is a painful process, and the ability to compare objective descriptions across different frameworks is a challenge.
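The anchor-spreadsheet limitation described above can be removed once the mapping is ingested and indexed in both directions. The following is an added example, not the paper's own technology; the frameworks FW-A (anchor), FW-B and FW-C, their objective identifiers and descriptions, and the CSV layout are all constructed for illustration.

```python
"""Ingest an anchor-framework mapping spreadsheet and index it so that an
objective can be resolved, with its description, starting from any
framework rather than only from the anchor on the "left"."""
import csv
import io
from collections import defaultdict

# Constructed sample catalogues: each hypothetical framework's own
# objective identifiers and worded descriptions.
CATALOGUES = {
    "FW-A": {"A-1": "Restrict system access to authorized users",
             "A-2": "Review audit logs periodically"},
    "FW-B": {"B-7": "Control logical access to information assets",
             "B-9": "Monitor and analyse audit records"},
    "FW-C": {"C-3": "Limit access to authorised personnel"},
}

# Constructed sample of the spreadsheet: anchor objective on the left,
# mapped identifiers of other frameworks in the remaining columns
# (';'-separated when an objective maps to several).
MAPPING_CSV = """anchor_id,FW-B,FW-C
A-1,B-7,C-3
A-2,B-9,
"""

def build_index(anchor, mapping_csv):
    """Return {framework: {objective_id: {other_framework: [ids]}}}.
    Each mapping is stored in both directions, so the anchor framework
    is no longer privileged and a lookup may start from any framework."""
    index = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for row in csv.DictReader(io.StringIO(mapping_csv)):
        src_id = row["anchor_id"]
        for fw, cell in row.items():
            if fw == "anchor_id" or not cell:
                continue  # skip the anchor column and empty mappings
            for dst_id in (x.strip() for x in cell.split(";") if x.strip()):
                index[anchor][src_id][fw].append(dst_id)
                index[fw][dst_id][anchor].append(src_id)
    return index

def related_objectives(index, framework, objective_id):
    """Resolve every directly mapped identifier to (framework, id,
    description): the step the spreadsheet forces the reader to do by hand."""
    out = []
    for fw, ids in index[framework][objective_id].items():
        for oid in ids:
            desc = CATALOGUES.get(fw, {}).get(oid, "<description not found>")
            out.append((fw, oid, desc))
    return sorted(out)
```

Only direct mappings are returned; following B-7 to A-1 and on to C-3 would be a second hop over the same index.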




978-92-61-33881-7/CFP2168P © ITU 2021 – 93 – Kaleidoscope