Page 159 - Kaleidoscope Academic Conference Proceedings 2021
Connecting physical and virtual worlds
Force is represented by 1 compliance actor: External Control.

The 6 actors fall into 2 groups (Figure 8): Internal/External actors and Passive/Active actors, as follows.

Internal actors: It is assumed that the organization has full control over value creation and preservation, that is, control over the 2 Value Creation actors (Value Asset, Value Process) and the 2 Value Preservation actors (Internal Control, Security Asset). External actors: It is assumed that the organization has no control over Value Risk (Threat Vector) and Value Assurance (External Control), that is, over the evolution of the threat and regulatory space.

Active actors: Actors directly involved in the attack: the Threat Vector, Value Asset and Security Asset actors.

Passive actors: Actors not directly involved in the attack: the Value Process, Internal Control and External Control actors. Passive actors (Value Process, Internal Control, External Control) determine the resource level available to active actors (Threat Vector, Value Asset, Security Asset) for mitigation.

Figure 9 – Security control expression model

The 5 relationships between the 6 actors illustrated in Figure 9 define the security control expression as a sequence of interdependent relationships, as follows:

1st Actor relationship: For one Value Process there are many enabling Value Assets. Value Assets “enable” Value Processes, or conversely a Value Process “is enabled by” Value Assets.

2nd Actor relationship: Threat Vectors threaten Value Assets, or conversely a Value Asset is “threatened by” Threat Vectors. Internal Control is the internal policy protecting the Value Asset.

3rd Actor relationship: Internal Controls “policy protect” Value Assets, or conversely Value Assets “are protected by” Internal Controls. The likelihood of the Threat Vector and the severity of its impact on the Value Asset enable policy decisions on appropriate risk reduction investments.

4th Actor relationship: Security Assets execute security techniques that deliver security value to Value Assets and fulfill Internal Control requirements. Security Assets “implement” Internal Controls, or conversely Internal Controls “are implemented by” Security Assets.

5th Actor relationship: Internal Controls validate the compliance requirements of External Controls. Internal Controls “validate” External Controls, or conversely External Controls “are validated by” Internal Controls.

These actor relationships can be observed in Figure 4 and Figure 5.

The expression model establishes the “horizontal” relationships between actors, which can be stated as follows: “Value Assets enable Value Processes, threatened by Threat Vectors, mitigated by Security Assets, fulfilling Internal Controls, and evidenced for compliance to External Control requirements.” The expression model (Figure 9) can represent all threat-to-target scenarios, together with the corresponding policy protection commitments, security delivery mechanisms, and evidence of compliance to the required assurance level.

Currently, objectives contained in frameworks on the same security topic are similar but use different words to describe what security value is to be delivered to value creation. Since security controls and security control expressions are both statements of this type, these statements are agnostic to whether the control is mandated by regulation (“Shall do”), recommended by a standard (“Should do”), funded by management (“Committed to”), or delivered by a vendor’s products and services (“Can do”). The ability to normalize across these stakeholders improves clarity.

In Figure 10, the expression model is compared directly to the fundamental word-based model of a security control, that is, a requirement to deliver some form of security value to some form of value creation.

Figure 10 – Control objective versus expressions

Figure 11 divides the expression model (Figure 9) down the middle into 3 actors on the right (Value Process, Value Asset and Threat Vector), representing Business Impact Analysis, and 3 actors on the left (Internal Control, Security Asset and External Control), representing protection design and compliance validation. Expression models contain 2 core simplifying symmetries (Figure 11):
– 97 –
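The six-actor expression model and its five relationships lend themselves to a small executable model. The following is an added example, not code from the paper or its authors: the actor names, relationship verbs, the Internal/External and Active/Passive groupings and the Figure 11 split are taken from the text, while the class names, the completeness check in missing_actors() and the sample control instance (order fulfilment, customer database, and so on) are this example's own constructed assumptions.

```python
"""Added example: an executable rendering of the six-actor security control
expression model. Actor names, verbs and groupings follow the paper; the class
names, validation logic and sample instance strings are assumptions made here."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Actor(Enum):
    VALUE_PROCESS = "Value Process"
    VALUE_ASSET = "Value Asset"
    THREAT_VECTOR = "Threat Vector"
    INTERNAL_CONTROL = "Internal Control"
    SECURITY_ASSET = "Security Asset"
    EXTERNAL_CONTROL = "External Control"


# Internal/External split (Figure 8): the organization controls value creation and
# value preservation, but not the evolution of the threat or regulatory space.
INTERNAL = {Actor.VALUE_PROCESS, Actor.VALUE_ASSET,
            Actor.INTERNAL_CONTROL, Actor.SECURITY_ASSET}
# Active/Passive split: active actors are directly involved in the attack.
ACTIVE = {Actor.THREAT_VECTOR, Actor.VALUE_ASSET, Actor.SECURITY_ASSET}
# Figure 11 split: Business Impact Analysis side versus protection design / compliance side.
BIA_SIDE = {Actor.VALUE_PROCESS, Actor.VALUE_ASSET, Actor.THREAT_VECTOR}


def classify(actor: Actor) -> tuple:
    """Return (internal|external, active|passive) for one actor."""
    return ("internal" if actor in INTERNAL else "external",
            "active" if actor in ACTIVE else "passive")


# The five actor relationships in sequence: (subject, verb, object, inverse verb).
RELATIONSHIPS = [
    (Actor.VALUE_ASSET, "enable", Actor.VALUE_PROCESS, "is enabled by"),
    (Actor.THREAT_VECTOR, "threaten", Actor.VALUE_ASSET, "threatened by"),
    (Actor.INTERNAL_CONTROL, "policy protect", Actor.VALUE_ASSET, "are protected by"),
    (Actor.SECURITY_ASSET, "implement", Actor.INTERNAL_CONTROL, "are implemented by"),
    (Actor.INTERNAL_CONTROL, "validate", Actor.EXTERNAL_CONTROL, "are validated by"),
]


@dataclass
class ControlExpression:
    """One security control expression: a concrete instance of each of the six
    actors. None marks an actor the expression has not named yet."""
    value_process: Optional[str] = None
    value_asset: Optional[str] = None
    threat_vector: Optional[str] = None
    internal_control: Optional[str] = None
    security_asset: Optional[str] = None
    external_control: Optional[str] = None

    def instance(self, actor: Actor) -> Optional[str]:
        # Map "Value Process" -> value_process and so on.
        return getattr(self, actor.value.lower().replace(" ", "_"))


def missing_actors(expr: ControlExpression) -> list:
    """Actors the expression leaves unspecified, in relationship order.
    A control with no Security Asset is a policy with no delivery mechanism; one
    with no External Control has nothing to evidence compliance against."""
    seen = []
    for subj, _, obj, _ in RELATIONSHIPS:
        for actor in (subj, obj):
            if actor not in seen:
                seen.append(actor)
    return [a.value for a in seen if expr.instance(a) is None]


def render(expr: ControlExpression) -> str:
    """Render the paper's 'horizontal' sentence with concrete instances filled in."""
    return (f"{expr.value_asset} enables {expr.value_process}, threatened by "
            f"{expr.threat_vector}, mitigated by {expr.security_asset}, fulfilling "
            f"{expr.internal_control}, and evidenced for compliance to "
            f"{expr.external_control} requirements.")


def split_by_symmetry(expr: ControlExpression) -> dict:
    """Figure 11 split: BIA actors on one side, protection and compliance on the other."""
    bia = {a.value: expr.instance(a) for a in Actor if a in BIA_SIDE}
    protection = {a.value: expr.instance(a) for a in Actor if a not in BIA_SIDE}
    return {"business_impact_analysis": bia, "protection_and_compliance": protection}


# Constructed sample instance; the strings are illustrative, not from the paper.
SAMPLE = ControlExpression(
    value_process="order fulfilment",
    value_asset="the customer database",
    threat_vector="credential theft",
    internal_control="the access control policy",
    security_asset="multi-factor authentication",
    external_control="the regulatory authentication",
)

if __name__ == "__main__":
    print(render(SAMPLE))
    for a in Actor:
        print(f"{a.value:17s} {classify(a)}")
    print(missing_actors(ControlExpression(value_asset="the customer database")))
```

The missing_actors() check is the practical payoff: a statement that names only a Value Asset and a Threat Vector is a risk observation, not yet a control expression, because the relationship chain has no Internal Control to fulfil, no Security Asset to deliver it, and no External Control to evidence it against.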