2021 ITU Kaleidoscope Academic Conference
for which policy objective commitments-to-protecting assets are made; for which security mechanisms-to-mitigate threats-to-vulnerabilities must be implemented; and tested with the intent to collect sufficient evidentiary artifacts to meet assurance requirements.

The author will indicate five prior ITU publications related to the technology. Vulnerability expressions were not previously published and constitute new material.

3.1 Unified security model

It is assumed that the reader has reviewed and understood the Technical Report entitled “Unified Security Model, a neutral integrated system approach to cybersecurity” [2] published by ITU-T Standardization, Study Group 17 Security, in 2020. Additional directly related ITU publications which include related work can be found in references [3] through [7]. The author is aware of similar relational thinking work published in ISO/IEC 27034-5-1 Application Security Series Part 1-5, Application Security Control structure using graphs in XML schema.

The foundation of vulnerability expressions is based on the Unified Security Model (USM), which is in turn founded on a simple 4 digital force model (Figure 6). The USM represents “all matters security” by these 4 digital forces engaged in 3 force “influences” relationships, as follows:

Figure 6 – 4 digital force model

Start: When a new cybersecurity universe is born, it is empty. A Value Creation Force is born, represented by the color gold in the center of Figure 6. Where there is value, there will be risk. Consequently, a Value Risk Force is born, represented by red. The 1st Force Influence is Risk Force “threatens” Creation Force, or conversely Creation Force “is threatened by” Risk Force. The owner of the Value Force will seek to minimize the loss to value and invest in its preservation. A new Value Preservation Force is born, represented by blue. The 2nd Force Influence is Creation Force “is protected by” the Preservation Force, or conversely Preservation Force “protects” Creation Force. The owner of the value, who has invested to minimize loss through the investment of value preservation, will seek assurances of the efficacy of the preservation. A new Value Assurance Force is born, represented by orange. The 3rd Force Influence is the Preservation Force “is validated by” the Assurance Force, or conversely Assurance Force “validates” Preservation Force.

A security control, in its most elemental form, is a worded statement of “security value to-be-delivered-to value creation.” It is a matter of perspective. Figure 7 illustrates the notion that delivery of security is from the perspective of security operations and receiving protection is from the perspective of value creation. If one assumes that “Security Delivered is not necessarily the same as Protection Received” (Figure 7), a simple relationship emerges by which the deliver versus receive value must be validated through testing and verification. This fundamental assumption of inequality is the genesis of the expression model.

Figure 7 – Security versus protection

3.2 Security control expression model

The 4 digital forces of Figure 6 are represented by 6 security actors, each having specific roles and properties designed on enabling the digital force (Figure 8) they represent.

The Security Control Expression (“Expression Model”) is a high-level relationship model of 6 actors engaged in 5 relationships, representing 4 digital forces, described as follows:

Figure 8 – Actors representing forces

The Value Creation Force is represented by two value actors: Value Process and Value Asset. Value Risk Force is represented by 1 risk actor: Threat Vector. Value Preservation Force is represented by 2 security actors: Internal Control and Security Asset. Value Assurance
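The following Python snippet is an added illustration, not code from the paper or from ITU-T; it encodes the four forces and three force influences of Figure 6 and the five actors named on this page (the sixth, an assurance actor, is not named in the text above and is left out), then applies the "Security Delivered is not necessarily the same as Protection Received" assumption as a check: a control expression counts as validated only when its deliverer is a Preservation-force actor, its receiver is a Creation-force actor, and at least one evidentiary artifact from testing backs it. The `ControlExpression` class, the `check_expressions` function and the sample controls `C-1` to `C-3` are constructed for this example and are not part of the expression model as the paper defines it.

```python
"""Toy encoding of the USM force/actor model and a delivered-vs-received check.
Added illustration; not the paper's or ITU-T's code. Force, influence and actor
names come from the paper's text; control ids, statements and evidence below
are constructed sample data."""
from dataclasses import dataclass, field

FORCES = ("Value Creation", "Value Risk", "Value Preservation", "Value Assurance")

# The three force influences of Figure 6: (subject, active verb, object, passive verb).
INFLUENCES = (
    ("Value Risk", "threatens", "Value Creation", "is threatened by"),
    ("Value Preservation", "protects", "Value Creation", "is protected by"),
    ("Value Assurance", "validates", "Value Preservation", "is validated by"),
)

# Five of the six actors named on this page, mapped to the force each represents.
# The sixth actor (for the Assurance force) is not named in the text reproduced here.
ACTORS = {
    "Value Process": "Value Creation",
    "Value Asset": "Value Creation",
    "Threat Vector": "Value Risk",
    "Internal Control": "Value Preservation",
    "Security Asset": "Value Preservation",
}


def influence_statements():
    """Render each influence both ways, e.g. 'Value Risk threatens Value Creation'
    and its converse 'Value Creation is threatened by Value Risk'."""
    out = []
    for subj, verb, obj, passive in INFLUENCES:
        out.append(f"{subj} {verb} {obj}")
        out.append(f"{obj} {passive} {subj}")
    return out


def actors_of(force):
    """Actors representing a given force, in sorted order."""
    return sorted(a for a, f in ACTORS.items() if f == force)


@dataclass
class ControlExpression:
    """A worded security control: security value delivered to value creation
    (hypothetical structure introduced for this example)."""
    control_id: str
    delivered_by: str    # a security actor (Value Preservation force)
    received_by: str     # a value actor (Value Creation force)
    statement: str
    evidence: list = field(default_factory=list)  # assurance artifacts from testing


def check_expressions(expressions):
    """Apply 'Security Delivered != Protection Received until validated'.
    Returns {control_id: list of findings}; an empty list means validated."""
    findings = {}
    for e in expressions:
        problems = []
        if ACTORS.get(e.delivered_by) != "Value Preservation":
            problems.append(f"deliverer {e.delivered_by!r} is not a Preservation-force actor")
        if ACTORS.get(e.received_by) != "Value Creation":
            problems.append(f"receiver {e.received_by!r} is not a Creation-force actor")
        if not e.evidence:
            problems.append("no evidentiary artifact: delivery not validated by Assurance")
        findings[e.control_id] = problems
    return findings


# Constructed sample controls (not from the paper).
SAMPLE = [
    ControlExpression("C-1", "Internal Control", "Value Asset",
                      "access to the asset is logged", ["audit-log review report"]),
    ControlExpression("C-2", "Security Asset", "Value Process",
                      "process inputs are validated"),            # delivered, never tested
    ControlExpression("C-3", "Threat Vector", "Value Asset",
                      "asset is encrypted at rest", ["encryption test"]),  # wrong deliverer
]

if __name__ == "__main__":
    for s in influence_statements():
        print(s)
    for cid, probs in check_expressions(SAMPLE).items():
        print(cid, "validated" if not probs else probs)
```

Running the block lists the six influence statements (three active, three converse) and reports `C-1` as validated, `C-2` as unvalidated because no artifact backs the delivery claim, and `C-3` as ill-formed because a risk actor cannot be the deliverer of security value.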