Вы находитесь на странице: 1из 11

Security Systems Engineering: Using Functional Decomposition to Resolve a Confused Taxonomy

MarcusA.Thompson,MichaelJ.Ryan,andAlanC.McLucas UniversityofNewSouthWales SchoolofEngineeringandInformationTechnology AustralianDefenceForceAcademy NorthcottDrive CanberraACT2600 Australia +61262688111 m.thompson@student.adfa.edu.au m.ryan@adfa.edu.au a.mclucas@adfa.edu.au

Copyright2012byMarcusThompson.PublishedandusedbyINCOSEwithpermission.

Abstract. The specification and design of modern security systems are hampered by terminology that is overlapping and recursive. The definitions offered by prominent standards bodies lack commonality in meaning and interpretation and tend to be specific to electronic or cyber security. Consequently, the current set of security terms and definitions is of little use to stakeholders. This paper begins by examining the definitions and terms applied to security and security systems. A systems engineering approach is then used to analyse the set of terms and to propose a new definition of security, from which a suitable set of security terms is decomposed. Definitions of security services and security mechanisms that have a broad application across the electronic, physical, and personnel security domains are then developed, and examples are provided that illustrate the utility of the set of definitions in security management, requirements engineering, systemsengineering,andsystemdesignmethodologies.

Introduction
In the globalised digital economy, individuals, governments and corporations throughout the world are able to cooperate and exchange information in an instantaneous and inexpensive manner. The ease with which information can be exchanged is due principally to the pervasive nature of the Internet, which was originally designed to facilitate such transfers between known entities whose actionswereassumedtobehonourable. The openness of the Internet has facilitated a massive transformation in the global security environment due to increased opportunities for malicious cyber activities that cross national boundaries. An increased dependence on cyber capabilities and the subsequent exposure to emergingcyberthreatspresentsasignificantchallengetocontemporarysociety.Sincecyberspaceis now the primary domain for global communications and commerce, and is increasingly viewed as a potentialdomainforinterstateconflict,thischallengeislikelytogrowquicklyandcontinually. Because the Internet was not originally designed with security as a priority, most considerations of cybersecurityhave tendedtobeafterthoughts. Whiletraditional securityprocessesandprocedures related to physical and personnel security have existed for thousands of years, the contemporary challenge of cyber security is generally seen to be a novel endeavour. Consequently, there is no

single taxonomy that adequately addresses cyber security or the broader aspects of electronic, physical or personnel securitydefinitions and terms, where they do exist, tend to be domainspecific. Additionally, different standards organisations and various commentators have produced security definitions and terminology that, collectively, are overlapping, recursive, and contradictorypresenting a confusing mix of actions, states and governance functions that lack commonalityinmeaningandinterpretation. This lack of a useful generic set of security definitions considerably hampers the adequate specification and design of modern systems. Consequently, despite the critical nature of security in the design of almost all systemsand the increasing criticality of security systems themselvesthe current set of security terms and definitions is of little use to stakeholders when articulating their requirements,nortosystemsdesignerswhendevelopingsystemrequirements. The aim of this paper is to enhance the practice of security systems engineering by developing a cohesive set of security definitions that are applicable across electronic, physical, and personnel securitydomains.Thepaperinitiallydescribestheoverlapping,recursiveandcontradictorynatureof currentsecuritydefinitionsandterminology.Anewdefinitionforsecurityisthenproposed,andthe utility of this definition is explored in various security applications and scenarios. Further security terms are defined, based on the root definition of security. Finally, the paper uses a functional decompositionapproachtodevelopnewdefinitionsofsecurityservicesandsecuritymechanisms.

Background
Several standards organisations and commentators have proposed definitions and descriptions of security in the context of electronic, physical and personnel security. Notably, the International Organisation for Standardisation (ISO) defines security as the measures used to provide physical protection of resources against deliberate and accidental threats (ISO 1989). Similarly, the International Telecommunications Union (ITU) defines security as minimising the vulnerabilities of assets and resources (ITU 1991). In the specific context of electronic security, a recent Commonwealth Scientific and Industrial Research Organisation (CSIRO) computer security fact sheet states that information is secure if it cannot be intercepted, understood if intercepted, altered or faked either during or beyond an interaction (CSIRO 2009). The Organisation for Economic Cooperation and Development (OECD) described information system security as the protection of the interests of those relying on information systems from harm (OECD 1992). Similarly, the Internet Engineering Taskforce (IETF) define security as measures taken to protect a system, the condition of a system that results from the establishment and maintenance of measures to protect the system, and the condition of system resources being free from unauthorized access and from unauthorized or accidental change, destruction, or loss (Shirey 2010). From a further Australian perspective, Standards Australia defines information security as the security and preservation of confidentiality,integrityandavailabilityofinformation(StandardsAustralia2004). In presenting definitions of security, standards organisations such as the ISO, the ITU, the OECD, the Control Objectives for Information and related Technology (COBIT), the IETF, the US National Institute of Standards and Technology (NIST), and Standards Australia have each described the various constituent elements that comprise security, describing these elements as security services, controlcriteria,orsecurityobjectives,assummarisedinTable1.

Table 1: Security Terminology Listed by Standards Organisations


authorisation confidentiality integrity nonrepudiation accesscontrol availability authentication auditing assurance accountability backups effectiveness efficiency compliance reliability ISO x x x x x ITU x x x x x OECD x x x COBIT x x x x x x x IETF x x x x x x x NIST x x x x x Standards Australia x x x

Several of the terms described above are similar and common to multiple standards organisations. However, others lack commonality and are unique to a single standards organisation. The listed terms also present an eclectic mix of actions, states, and management functions. For example, authentication, nonrepudiation, access control, authorisation and accountability are actions, whereas terms such as confidentiality, integrity and availability relate to the state of a resource. Similarly, assurance, auditing and backups are management actions that could be described as governancefunctions.Thisconfusingmixofactions,statesandgovernancefunctionsissummarised inTable2. Table 2: Security Terminology: Actions, States and Governance Functions
authorisation nonrepudiation accesscontrol authentication confidentiality integrity availability auditing assurance accountability backups effectiveness efficiency compliance reliability Action x x x x State x x x Governance Function x x x x x x x x

The definitions associated with these terms are also collectively overlapping, and at times contradictory. Additionally, each standards organisation has a unique definition for each of terms listed. Some of the standards organisations even have contradictory definitions for the same term. For example, Standards Australia has two different definitions of a security event, both of which are different from the Australian Government definition of a security event (Standards Australia 2004, 2010;AustralianGovernment2009). Beyond the security services, other commonly used terms have recursive and contradictory definitions. For example, the NIST defines a threat as being the potential for an actor to exploit or trigger a specific vulnerability (Stoneburner 2001). Yet the Australian Governments Information Security Manual defines a vulnerability as being a weakness of an asset or group of assets that can be exploited by one or more threats (Australian Government 2009). Defining a threat in terms of a vulnerability, and a vulnerability in terms of a threat is clearly recursive, and further contributes to thecollectivelackofutilityofcurrentsecurityterminology. It follows, therefore, that generic terminology could be developed to describe a broader application ofsecurity,includingelectronic,physicalandpersonnelsecurity.

A Security Systems Engineering View The Need for a Taxonomy


A taxonomy is a classification, especially in relation to its general rules or principles (Oxford 1993). This definition implies that a taxonomy should encompass and classify all aspects of an area of interest into an ordered hierarchy, and be applicable across as general or broad a classification as possible. Philip Rich supports this implication with his argument that a taxonomy is a specific classification scheme that expresses the overall similarities between organisms in a hierarchical fashion, where similar elements are first grouped and then nested into broader categories (Rich 1992).Akeybenefitofthisargumentisthatagoodtaxonomywillgenerateanaggregatedhierarchy of a potentially complex system, which in turn presents a single view of any given scenario. A good definition of security therefore, should be applicable across as broad a classification of security as possible and present a single view of security. This should include consideration of electronic security, physical security and personnel security which together encompass virtually all feasible securityrelatedscenariosfromcybersecurity,throughpersonalsecurity,tonationalsecurity.

Redefining Security Using Functional Decomposition


The ultimate aim of security is to retain a resource of value at some particular nominated state. Whether that is preserving a bank balance, ensuring personal safety, preserving the confidentiality of information in a database, or safeguarding the integrity of a territorial border, the required endstateofsecurityistomaintainthenominatedstateofadesignatedresource.Withthatinmind, anewdefinitionofsecurityisproposedas: Securityisthemaintenanceofthenominatedstateofadesignatedresource. where the nominated state is a specific condition that is determined through an assessment of the intrinsicvalueoftheresourcethatisdesignatedasrequiringsecurity. For security to be maintained, any action that has an effect on the nominated state of a designated resourcemustbeappropriatelyauthorised.Therefore:

Securityisbeingmaintainedwhenanactionhasanauthorisedeffectonthenominatedstate ofadesignatedresource. It follows that security is not maintained when an action has an unauthorised effect on the nominatedstateofadesignatedresource. It should be noted in this definition that the state of security of a particular resource is not preordainedthe owner of the resource must make an assessment of what effects are authorised, on which particular nominated state, of whichever resources are designated to be important. It is immediatelyobvious,therefore,thatgovernancehasasignificantroletoplaybeforeanydesignofa securitysystemcanbeundertaken.Securityisastatethatisdesiredbystakeholders,notonethatis natural and predefined for any system. We return to these issues at the end of this paper when consideringtheconditionsandmeansofsecuritymechanisms. The benefit of the above definition of security is that the following subordinate definitions flow naturally: Threat: A threat is a possible action that may have an unauthorised effect on the nominated stateofadesignatedresource. Vulnerability: A vulnerability is a possible undesirable effect on the nominated state of a designatedresource. SecurityEvent:Asecurityeventoccurswhenathreatisrealised. Security Attack: A security attack is a combination of security events coordinated to achieve aparticularobjective. Security Breach: A security breach occurs when a vulnerability is realised (that is, a threat successfullyexploitsavulnerability). Countermeasure: A countermeasure is a feature or function of a security system that removesvulnerabilitiesorcountersthreats. The base definition of security can be decomposed further by examining the detail of an authorised effect. An action is undertaken by an entity (such as a person, animal, program, or bot), so the definitionofsecuritycouldbeelaboratedtorefertothatentity.However,theelaboration: Securityisbeingmaintainedwhenanauthorisedentityperformsanactiononthenominated stateofadesignatedresource. isnotsufficientbecauseaneffectisauthorisedonlywhentheentityactioncombinationthatcaused theeffectisauthorisedthatis,anauthorisedeffectistheresultoftheauthorisedcombinationofa certainentityundertaking aparticularaction.For example,a companyemployeemaybeauthorised to access a building during normal working hours, but not be authorised to access the building outside those hours. In this instance, the authorised effect is that the company employee can only achieveaccesstothebuildingduringnormalworkinghours.

So, when the term authorised effect is decomposed to include the detail of the entity and of the action, both subordinate terms must inherit a property, the combination of which results in an authorised effect. The necessary property of the entity is that the identity of that entity must be knowntoasufficientdegree(commonlycalledauthentication).Thenecessarypropertyoftheaction isthatitisaccessible(atall,toasingleauthenticatedentity,ortoanumberofentities).So,wecould thenelaborate: Security is being maintained when an authenticated entity performs an accessible action on thenominatedstateofadesignatedresource. This definition is still not sufficient, however. While authorisation might decompose directly into an authenticated entity performing an accessible action, security is not necessarily maintained unless theauthorisedeffectisabletobeattributed toaparticularentityactioncombination.Thisproperty is known as attribution (that is, it is knownto a desired state of certainty that an entity performedanaction)or,inthe negative,asnonrepudiation(thatis,theentitycannotdenythatthe actionwasperformedbythem). So, the authorisation of an effect decomposes into the authentication of an entity; the ability for an action to be attributed to a particular authenticated entity; and the accessibility of an action to that authenticated entity. That is, the effect is the result of an entity performing an action; the authorisationisthecombinationofauthenticationandaccess.Thedefinitionofsecuritycanthenbe completelyelaboratedtobe: Securityisbeingmaintainedwhenanauthenticatedentityisknowntoperformanaccessible actiononthenominatedstateofadesignatedresource. Setting or establishing levels of authentication, attribution, and accessibility are specific functions of governance. Similarly, designating resources of value or importance to be secured, and nominating thestateatwhichthoseresourcesaredesiredtobemaintainedarealsogovernancefunctionswhich will be outputs of threat assessment and risk management processes within an organisation. We return to these issues at the end of this paper when considering the conditions and means of security mechanisms. Security is also necessarily qualified by the temporal, spatial and situational context, as acknowledged by the Standards Australia definition of a security event as being an incident or situation, which occurs in a particular place during a particular interval of time (Standards Australia 2004). These qualifications, therefore, form key contextual considerations as partofanygeneralsecuritygovernancemeasuresandfunctions.

Definition of Security Services and Security Mechanisms


The ISO defines a security service as being a service, provided by a layer of communicating open systems, which ensures adequate security of the systems or of data transfers (ISO 1989). The IETF described a security service as being a processing or communication service that is provided by a system to give a specific kind of protection to system resources (Shirey 2010). The other standards organisationsmentionedearlierinthispaperdonotprofferspecificdefinitionsforasecurityservice. Both the ISO and IETF definitions of security services are clearly related specifically to electronic security and therefore, require amendment if they are to be suitable for application to a broader suiteofsecurityscenarios.

It is more useful to provide a definition of a security service that reflects more closely the generic natureoftheproposeddefinitionofsecurity: A security service is a process that, alone or in combination with others, maintains the nominatedstateofadesignatedresource. In this context, therefore, since the proposed definition states that maintenance of security is achieved when an authorised action is performed on the nominated state of a designated resource, it follows that authorisation and resource assessment (designating resources and nominating their desiredstates)areappropriatesecurityservices. ISO 74982 describes security mechanisms as being used to provide some of the security services (ISO1989).Inthiscontext,adefinitionforasecuritymechanismisproposedasfollows: A security mechanism is an activity that, alone or in combination with others, contributes to theprovisionofasecurityservice. As previously mentioned, authorisation includes the authentication of an entity, attribution of the conduct of an action, and the accessibility of an action. It is therefore appropriate in a revised taxonomy of security to consider authentication, attribution, and access control as security mechanisms relative to the provision of authorisation as a security service. Similarly, the security service of resource assessment involves the security mechanisms of state nomination and resource designation. Table 3 summarises the preceding discussion as a hierarchical taxonomy of definitions supported by ahierarchyofservicesandmechanisms. Table 3: Summary of Revised Taxonomy of Security Definition Maintenance Security Services an authenticated entity Authentication Securityisthemaintenanceofthenominatedstateofadesignatedresource. anauthorisedactionisperformed Authorisation performan accessible action Access Control onthenominatedstateofa designatedresource ResourceAssessment onthe nominated state State Nomination ofa designated resource Resource Designation

isknownto

Security Mechanisms

Attribution

Table 4 provides an illustration of the correlation between the current security terms presented in Tables 1 and 2, and the summary of the revised security taxonomy illustrated in Table 3. Table 4 demonstrateshoweachofthenongovernancetermslistedin Tables1and2 canbe mappedacross to the revised taxonomy, either directly in the case of authorisation, authentication and access control; or in all other cases, as a constituent element of a security service or security mechanism. The direct and indirect mapping of existing terminology validates the utility of the revised security taxonomyasaclearandmoreorderedmethodofpresentingcommonsecurityterminology.

Table 4: Correlation of Current Security Terminology and Proposed Taxonomy

authorisation confidentiality integrity availability accesscontrol nonrepudiation authentication

Definition Maintenance Security Services

Securityisthemaintenanceofthenominatedstateofadesignatedresource. anauthorisedactionisperformed Authorisation an authenticated entity Authentication performan accessible action Access Control onthenominatedstateofa designatedresource ResourceAssessment onthe nominated state State Nomination ofa designated resource Resource Designation

isknownto

Security Mechanisms

Attribution

Security Mechanisms: Conditions and Means


As noted earlier, setting the required level of each security mechanism is a specific governance function that will be derived from the threat assessment and risk management processes within an organisation. Each mechanism should be described in both functional and physical terms: first in terms of the conditions required by the organisation for that mechanism, and then in terms of the possible physical means by which the mechanism can be implemented. The organisation has the freedom to choose the condition, based on a security risk assessment. For any chosen condition therewillbearangeofoptionsforthemeansofimplementation. Bywayofexample,considerthesecuritymechanismofauthenticationofaholderofabankaccount whenaccessingthataccountonline.Thebankmustfirstdecidewhatconditionsitwishestoplaceon thedegreeofauthenticationtobeenforcedbythesystemhowcertainmustitbeoftheidentityof the person accessing the account? Clearly, the bank does not want any person to have access, so they wish to limit access to the authenticated account holder (or holders, in the case of a joint account). The possible means of providing the mechanism must then be considered. Almost 100% certaintycan beachievediftheperson issubjected toaDNAanalysis,butthat isclearly impractical. The bank must then conduct a risk analysis of any other lesser authentication mechanism. If, for example, it chooses to implement a customer identity number in combination with a password, it must accept that it cannot guarantee that the combination is not being used by a party other than the intended customer (in which case, for example, it could mitigate the risk by adding a qualification whereby the bank accepts responsibility if the account is hacked, and denies responsibilityifthelogondetailswereknowinglyorunwittinglyexposedbythecustomertoanother person). Therearethereforetwogovernanceaspectsforeachsecuritymechanismtheconditionsplacedon the mechanism, and the selection of an appropriate means. Additionally, the consideration of one mechanismisnotnecessarilyindependentoftheothers.Forexample,theattributionofanactionto a particular entity is contingent upon that entity being able to be identified by an authentication mechanism. Similarly, the authorisation of a particular effect (entityaction combination) is a combination of the authentication of the entity and the accessibility of that action to that entity. Using the previous example of a company employee who is authorised to access a building during

normal working hours only, pass cards and biometric information could be used to identify the employee, and audited data logging could be used register any attempt to enter the building. In which case, theauthorisedeffectremainsunchangedtheemployee canonlyachieveaccesstothe building during normal working hours, and any attempt to access the building outside normal workinghoursisdetected. Theconditionsandmeansforsecuritymechanismscanbefurtherillustratedbyabriefconsideration of additional subgenres of security. Using the new proposed definition of security, border security canbedefinedas: Border security is being maintained when an identified (authenticated) individual (entity) is recorded as (known to) receiving permission to cross (perform an accessible action) a controlled(nominatedstate)border(designatedresource). Alternatively,anegativeexpressionofbordersecuritycanbeexpressedas: Border security is not being maintained if an individual is not identified; not recorded as, or hasnotreceivedpermissiontocrossacontrolledborder. In this instance, the conditions for authentication would be correct identification of the individual person who is attempting to cross the sovereign border, and the possible means would be an identitycard,passport,biometricanalysis,oracombinationofeachofthesemeans.Theconditions for attribution would be that the entry of individual is correctly recorded, including personal details, and the time and place at which the sovereign border was crossed; and the means of attribution wouldbeacustomsagentmakingarecordinapaperregisteroracomputerregister(manuallyorby a swipe of a passport), and a customs agent entering biometric details (photograph, fingerprints, DNA) in computer register. Access control would have the conditions of a valid passport and travel visa, and the means of confirmation (either manual or computerbased) of the validity of the individualstraveldocuments. Similarly,usingtheproposeddefinitionofsecurity,physicalsecurityofahomecanbedefinedas: Physical security is being maintained when a welcomed (authenticated) individual (entity) is seen to (known to) enter a home and respect (perform an accessible action) the possession (nominatedstate)ofbelongingsofvalue(designatedresource). Alternatively,anegativeexpressionofphysicalsecuritycanbeexpressedas: Physicalsecurityisnotbeingmaintainedifanindividualisunwelcome,notseenenteringthe home,ordoesnotrespectthepossessionofbelongingsofvalue. In this instance, the conditions for authentication would be the welcoming of an individual into the home, and the possible means would be recognition of a known individual, or an invitation from a known third party. The condition of attribution would be a physical witness of the individual entering the home, and the means of attribution would be to monitor all entries to the home. The conditionofaccesscontrolwouldbetheindividualnotstealingordamaginganypersonalbelongings insidethehome,andthemeanswouldbetomonitoreachindividualsbehaviour.

Using the same application of the proposed definition of security, electronic security can be defined as: Electronic security is being maintained when a recognised (authenticated) person / computer/bot (entity) is recorded as (known to) accessing/manipulating/transmitting (accessibleaction)controlled(nominatedstate)data(designatedresource). Inanegativecontext: Electronicsecurityisnotbeingmaintainedifaperson/computer/botisnotrecognised;isnot recordedas,oraccesses/manipulates/transmitscontrolleddata. Further,environmentalsecuritycanbedefinedas: Environmental security is maintained when a living (authenticated) bioorganism or ecosystem(entity)isrecognisedas(knownto)reproducing(accessibleaction)tosupportthe sustainment(desiredstate)ofourenvironment(designatedresource). Inthenegativecontext: Environmental security is not maintained if a bioorganism or ecosystem is not living; is not recognisedas,ordoesnotreproduce. The applicability of the proposed set of definitions and terms across these diverse subgenres of security illustrates their utility as a generic taxonomy that is acceptable for a broad suite of security domains.

Conclusion
Current security terminology is overlapping, recursive and at times contradictory in nature. The terms and associated definitions used by several prominent standards organisations present a confusing mix of actions, states and governance functions that lack commonality in meaning and interpretation, and are mostly specific to a single problem domain (most commonly to electronic or cyber security). A new taxonomy of security terminology and definitions, as summarised in Table 2, is proposed. The definitions are presented in a hierarchy developed by functional decomposition fromthebasedefinitionofsecurity. Anew definitionforsecurityisproposedthatisapplicableacrosselectronic, physical,and personnel securitydomains: Securityisthemaintenanceofthenominatedstateofadesignatedresource. wherethemaintenanceofsecurityisdefinedas: Securityisbeingmaintainedwhenanauthenticatedentityisknowntoperformanaccessible actiononthenominatedstateofadesignatedresource. Usingfunctionaldecomposition,anewdefinitionforsecurityservicescanbedeveloped: A security service is a process that, alone or in combination with others, maintains the nominatedstateofadesignatedresource.

andadefinitionofsecuritymechanismsas: A security mechanism is an activity that, alone or in combination with others, contributes to theprovisionofasecurityservice. These definitions encapsulate the intent and meanings of current security terminology, and are therefore not in conflict with current usage. The terms developed here are not only applicable to cybersecurity,buthaveabroaderapplicationacrosstheelectronic,physical,andpersonnelsecurity domains.

References
Australian Department of Defence. 2009. Australian Government Information Security Manual. Barton,ACT. CSIRO. 2009. Fact Sheet: What trust and security really mean, Accessed 23 June 2011, http://www.csiro.au/resources/SecurityAndTrust.html. ISO (International Organisation for Standardisation). 1989. ISO 74982. Information processing Systems Open Systems Interconnection Basic Reference Model Part 2: Security Architecture. ITU (International Telecommunications Union). 1991. Recommendation X.800. Security Architecture forOpenSystemsInterconnectionforCCITTApplications. OECD (Organisation for Economic Cooperation and Development). 1992. Guidelines for the Security of Information Systems. Accessed 19 August 2010, http://www.oecd.org/document/19/0,2340,en_2649_34255_1815059_119820_1_1_1,00.ht ml. Oxford.1993.InTheNewShorterEnglishDictionary.NewYork:OxfordUniversityPress. Rich, Philip. 1992. The Organizational Taxonomy: Definition and Design. Academy of Management Review17(4):758781. Shirey, Robert W. 2000. IETF (Internet Engineering Task Force) RFC 2828. Internet Security Glossary. TheInternetSociety.Accessed2October2010,http://www.ietf.org/rfc/rfc2828.txt. StandardsAustralia.2004.InformationSecurityRiskManagementGuidelines. .2010.BusinesscontinuityManagingdisruptionrelatedrisk. Stoneburner,Gary.2001.UnderlyingTechnicalModelsforInformation,TechnologySecurity.National InstituteofStandardsandTechnology.

Biographies
Marcus Thompson is a Brigadier in the Australian Army with over 24 years of experience in communications and information systems. He is currently undertaking doctoral research with the UniversityofNewSouthWalesattheAustralianDefenceForceAcademy. Dr Mike Ryan is a senior lecturer at the University of New South Wales at the Australian Defence Force Academy. He holds bachelor, masters and doctor of philosophy degrees in engineering, and his research interests include project management, systems engineering, requirements engineering and military communications and information systems. He is the author or coauthor of nine books, threebookchapters,andoverahundredtechnicalpapers. Dr Alan McLucas is a senior lecturer at the University of New South Wales at the Australian Defence Force Academy. He holds bachelor, masters and doctor of philosophy degrees in engineering, management and operations research, and has had extensive experience in management, complex problem solving, and strategy development. Alan is widely published in the systems thinking and systemdynamicsmodellingliteratureandistheauthoroftwobooksonthesesubjects.

Вам также может понравиться