Page 159 - Kaleidoscope Academic Conference Proceedings 2021

Connecting physical and virtual worlds




Force is represented by 1 compliance actor: External Control.

The 6 actors fall into 2 groups (Figure 8): Internal/External actors and Passive/Active actors, as follows.

Internal actors: It is assumed that the organization has full control over value creation and preservation, that is, control over the 2 Value Creation actors (Value Asset, Value Process) and the 2 Value Preservation actors (Internal Control, Security Asset). External actors: It is assumed that the organization has no control over Value Risk (Threat Vector) and Value Assurance (External Control), that is, over the evolution of the threat and regulatory space.

Active actors: Actors who are directly involved in the attack: the Threat Vector, Value Asset and Security Asset actors. Passive actors: Actors who are not directly involved in the attack: the Value Process, Internal Control and External Control actors. Passive actors (Value Process, Internal Control and External Control) determine the resource level available to active actors (Threat Vector, Value Asset, Security Asset) to mitigate.

Figure 9 – Security control expression model

The 5 relationships between the 6 actors illustrated in Figure 9 define the security control expression by a series of sequentially interdependent relationships, as follows:

1st Actor relationship: For one Value Process there are many enabling Value Assets. Value Assets “enable” Value Processes, or conversely a Value Process “is enabled by” Value Assets.

2nd Actor relationship: Threat Vectors “threaten” Value Assets, or conversely a Value Asset is “threatened by” a Threat Vector. Internal Control is the internal policy protecting the Value Asset.

3rd Actor relationship: Internal Control “policy protects” Value Assets, or conversely Value Assets “are protected by” Internal Controls. The likelihood of the Threat Vector and the severity of its impact on the Value Asset enable one to make policy decisions as to appropriate risk reduction investments.

4th Actor relationship: Security Assets execute security techniques that deliver security value to Value Assets and fulfill Internal Control requirements. Security Assets “implement” Internal Controls, or conversely Internal Controls “are implemented by” Security Assets.

5th Actor relationship: Internal Controls validate the compliance requirements of External Controls. Internal Controls “validate” External Controls, or conversely External Controls “are validated by” Internal Controls.

These actor relationships can be observed in Figure 4 and Figure 5.

The expression model establishes the “horizontal” relationships between actors, which can be cited as follows: “Value Assets enable Value Processes, threatened by Threat Vectors, mitigated by Security Assets, fulfilling Internal Controls, and evidenced for compliance to External Control requirements.” The expression model (Figure 9) can represent all threat-to-target scenarios, together with the corresponding policy protection commitments, security delivery mechanisms, and evidence of compliance to the required assurance level.

Currently, objectives contained in different frameworks on the same security topic are similar but use different words to describe what security value is to be delivered to value creation. Since security controls and security control expressions are both statements of this type, these statements are agnostic to whether the control is mandated by regulation (“Shall do”), recommended by a standard (“Should do”), funded by management (“Committed to”), or delivered by a vendor’s products and services (“Can do”). The ability to normalize across these stakeholders improves clarity.

In Figure 10, the expression model is compared directly to the fundamental word-based model of a security control, that is, a requirement to deliver some form of security value to some form of value creation.

Figure 10 – Control objective versus expressions

Figure 11 divides the expression model (Figure 9) down the middle into 3 actors on the right (Value Process, Value Asset and Threat Vector), representing Business Impact Analysis, and 3 actors on the left (Internal Control, Security Asset and External Control), representing protection design and compliance validation. Expression models contain 2 core simplifying symmetries (Figure 11):
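The actor groupings, the five relationships and the modality-agnostic normalization described above can be encoded as a small data model, which makes the partitions checkable and lets two frameworks' statements of the same control be recognized as one expression. The following is an added example, not code from the paper or its authors: the actor names, verbs, Internal/External, Active/Passive and Figure 11 groupings come from the text, while the class and function names, the Expression record and the sample control statements are constructed assumptions for illustration.

```python
"""Toy encoding of the six-actor security control expression model (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Actor(str, Enum):
    VALUE_PROCESS = "Value Process"
    VALUE_ASSET = "Value Asset"
    THREAT_VECTOR = "Threat Vector"
    SECURITY_ASSET = "Security Asset"
    INTERNAL_CONTROL = "Internal Control"
    EXTERNAL_CONTROL = "External Control"


# Figure 8 groupings as stated in the text.
INTERNAL = {Actor.VALUE_PROCESS, Actor.VALUE_ASSET, Actor.INTERNAL_CONTROL, Actor.SECURITY_ASSET}
EXTERNAL = {Actor.THREAT_VECTOR, Actor.EXTERNAL_CONTROL}
ACTIVE = {Actor.THREAT_VECTOR, Actor.VALUE_ASSET, Actor.SECURITY_ASSET}
PASSIVE = {Actor.VALUE_PROCESS, Actor.INTERNAL_CONTROL, Actor.EXTERNAL_CONTROL}
# Figure 11 split: Business Impact Analysis side vs. protection design / compliance validation side.
BIA_SIDE = {Actor.VALUE_PROCESS, Actor.VALUE_ASSET, Actor.THREAT_VECTOR}
PROTECTION_SIDE = {Actor.INTERNAL_CONTROL, Actor.SECURITY_ASSET, Actor.EXTERNAL_CONTROL}


@dataclass(frozen=True)
class Relationship:
    subject: Actor
    verb: str       # forward reading
    obj: Actor
    inverse: str    # "conversely ..." reading


# The five sequentially interdependent relationships, in the order the text gives them.
RELATIONSHIPS = (
    Relationship(Actor.VALUE_ASSET, "enable", Actor.VALUE_PROCESS, "is enabled by"),
    Relationship(Actor.THREAT_VECTOR, "threaten", Actor.VALUE_ASSET, "threatened by"),
    Relationship(Actor.INTERNAL_CONTROL, "policy protects", Actor.VALUE_ASSET, "are protected by"),
    Relationship(Actor.SECURITY_ASSET, "implement", Actor.INTERNAL_CONTROL, "are implemented by"),
    Relationship(Actor.INTERNAL_CONTROL, "validate", Actor.EXTERNAL_CONTROL, "are validated by"),
)


class Modality(str, Enum):
    SHALL = "Shall do"           # mandated by regulation
    SHOULD = "Should do"         # recommended by a standard
    COMMITTED = "Committed to"   # funded by management
    CAN = "Can do"               # delivered by a vendor's products and services


@dataclass(frozen=True)
class Expression:
    """One instantiated control expression: concrete names bound to the six actors (assumed record)."""
    value_process: str
    value_assets: tuple[str, ...]   # one Value Process, many enabling Value Assets
    threat_vector: str
    security_asset: str
    internal_control: str
    external_control: str
    modality: Modality


def actor_groups(actor: Actor) -> tuple[str, str]:
    """Return the (Internal/External, Active/Passive) labels of an actor per Figure 8."""
    return ("Internal" if actor in INTERNAL else "External",
            "Active" if actor in ACTIVE else "Passive")


def groupings_are_partitions() -> bool:
    """Check that each of the three groupings covers all six actors exactly once."""
    everything = set(Actor)
    return all(a | b == everything and not (a & b)
               for a, b in ((INTERNAL, EXTERNAL), (ACTIVE, PASSIVE), (BIA_SIDE, PROTECTION_SIDE)))


def render(expr: Expression) -> str:
    """Produce the 'horizontal' sentence quoted in the text for one bound expression."""
    return (f"{', '.join(expr.value_assets)} enable {expr.value_process}, threatened by "
            f"{expr.threat_vector}, mitigated by {expr.security_asset}, fulfilling "
            f"{expr.internal_control}, and evidenced for compliance to "
            f"{expr.external_control} requirements.")


def binding_key(expr: Expression) -> tuple:
    """Everything except modality: two statements with the same key say the same thing."""
    return (expr.value_process, expr.value_assets, expr.threat_vector,
            expr.security_asset, expr.internal_control, expr.external_control)


def normalize(expressions) -> dict[tuple, set[Modality]]:
    """Group statements from different stakeholders that express the same control."""
    grouped: dict[tuple, set[Modality]] = {}
    for e in expressions:
        grouped.setdefault(binding_key(e), set()).add(e.modality)
    return grouped


# Constructed sample statements: the same control stated by a regulator and by a vendor,
# plus a second, unrelated control. Names are placeholders, not real requirements.
SAMPLE = (
    Expression("order processing", ("customer database",), "credential theft",
               "multi-factor authentication", "access control policy",
               "external regulation (placeholder)", Modality.SHALL),
    Expression("order processing", ("customer database",), "credential theft",
               "multi-factor authentication", "access control policy",
               "external regulation (placeholder)", Modality.CAN),
    Expression("order processing", ("customer database", "file share"), "ransomware",
               "offline backups", "backup policy", "industry standard (placeholder)",
               Modality.SHOULD),
)

if __name__ == "__main__":
    for key, modalities in normalize(SAMPLE).items():
        print(sorted(m.value for m in modalities), "->", render(SAMPLE[0]) if key == binding_key(SAMPLE[0]) else key)
```

`normalize` is where the "agnostic to modality" point becomes operational: the first two sample statements collapse into a single expression carrying both the "Shall do" and "Can do" tags, which is the normalization across stakeholders the text argues for.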