Marcus A. Thompson, Michael J. Ryan, and Alan C. McLucas
University of New South Wales
School of Engineering and Information Technology
Australian Defence Force Academy
Northcott Drive
Canberra ACT 2600 Australia
+61 2 6268 8111
m.thompson@student.adfa.edu.au
m.ryan@adfa.edu.au
a.mclucas@adfa.edu.au

Copyright 2012 by Marcus Thompson. Published and used by INCOSE with permission.
Abstract. The specification and design of modern security systems are hampered by terminology that is overlapping and recursive. The definitions offered by prominent standards bodies lack commonality in meaning and interpretation and tend to be specific to electronic or cyber security. Consequently, the current set of security terms and definitions is of little use to stakeholders. This paper begins by examining the definitions and terms applied to security and security systems. A systems engineering approach is then used to analyse the set of terms and to propose a new definition of security, from which a suitable set of security terms is decomposed. Definitions of security services and security mechanisms that have a broad application across the electronic, physical, and personnel security domains are then developed, and examples are provided that illustrate the utility of the set of definitions in security management, requirements engineering, systems engineering, and system design methodologies.
Introduction
In the globalised digital economy, individuals, governments and corporations throughout the world are able to cooperate and exchange information in an instantaneous and inexpensive manner. The ease with which information can be exchanged is due principally to the pervasive nature of the Internet, which was originally designed to facilitate such transfers between known entities whose actions were assumed to be honourable.

The openness of the Internet has facilitated a massive transformation in the global security environment due to increased opportunities for malicious cyber activities that cross national boundaries. An increased dependence on cyber capabilities, and the consequent exposure to emerging cyber threats, presents a significant challenge to contemporary society. Since cyberspace is now the primary domain for global communications and commerce, and is increasingly viewed as a potential domain for interstate conflict, this challenge is likely to grow quickly and continually.

Because the Internet was not originally designed with security as a priority, most considerations of cyber security have tended to be afterthoughts. While traditional security processes and procedures related to physical and personnel security have existed for thousands of years, the contemporary challenge of cyber security is generally seen to be a novel endeavour. Consequently, there is no single taxonomy that adequately addresses cyber security or the broader aspects of electronic, physical or personnel security; definitions and terms, where they do exist, tend to be domain-specific. Additionally, different standards organisations and various commentators have produced security definitions and terminology that, collectively, are overlapping, recursive and contradictory, presenting a confusing mix of actions, states and governance functions that lack commonality in meaning and interpretation.

This lack of a useful generic set of security definitions considerably hampers the adequate specification and design of modern systems. Consequently, despite the critical nature of security in the design of almost all systems (and the increasing criticality of security systems themselves), the current set of security terms and definitions is of little use to stakeholders when articulating their requirements, or to systems designers when developing system requirements.

The aim of this paper is to enhance the practice of security systems engineering by developing a cohesive set of security definitions that are applicable across the electronic, physical and personnel security domains. The paper initially describes the overlapping, recursive and contradictory nature of current security definitions and terminology. A new definition for security is then proposed, and the utility of this definition is explored in various security applications and scenarios. Further security terms are defined, based on the root definition of security. Finally, the paper uses a functional decomposition approach to develop new definitions of security services and security mechanisms.
Background
Several standards organisations and commentators have proposed definitions and descriptions of security in the context of electronic, physical and personnel security. Notably, the International Organisation for Standardisation (ISO) defines security as the measures used to provide physical protection of resources against deliberate and accidental threats (ISO 1989). Similarly, the International Telecommunications Union (ITU) defines security as minimising the vulnerabilities of assets and resources (ITU 1991). In the specific context of electronic security, a recent Commonwealth Scientific and Industrial Research Organisation (CSIRO) computer security fact sheet states that information is secure if it cannot be intercepted, understood if intercepted, altered or faked, either during or beyond an interaction (CSIRO 2009). The Organisation for Economic Co-operation and Development (OECD) described information system security as the protection of the interests of those relying on information systems from harm (OECD 1992). Similarly, the Internet Engineering Task Force (IETF) defines security as measures taken to protect a system, the condition of a system that results from the establishment and maintenance of measures to protect the system, and the condition of system resources being free from unauthorised access and from unauthorised or accidental change, destruction, or loss (Shirey 2000). From a further Australian perspective, Standards Australia defines information security as the security and preservation of confidentiality, integrity and availability of information (Standards Australia 2004).

In presenting definitions of security, standards organisations such as the ISO, the ITU, the OECD, the Control Objectives for Information and related Technology (COBIT), the IETF, the US National Institute of Standards and Technology (NIST), and Standards Australia have each described the various constituent elements that comprise security, describing these elements as security services, control criteria, or security objectives, as summarised in Table 1.
Several of the terms described above are similar and common to multiple standards organisations. However, others lack commonality and are unique to a single standards organisation. The listed terms also present an eclectic mix of actions, states, and management functions. For example, authentication, non-repudiation, access control, authorisation and accountability are actions, whereas terms such as confidentiality, integrity and availability relate to the state of a resource. Similarly, assurance, auditing and backups are management actions that could be described as governance functions. This confusing mix of actions, states and governance functions is summarised in Table 2.

Table 2: Security Terminology: Actions, States and Governance Functions

Term               Action   State   Governance Function
authorisation        x
non-repudiation      x
access control       x
authentication       x
confidentiality               x
integrity                     x
availability                  x
auditing                                x
assurance                               x
accountability                          x
backups                                 x
effectiveness                           x
efficiency                              x
compliance                              x
reliability                             x
The definitions associated with these terms are also collectively overlapping, and at times contradictory. Additionally, each standards organisation has a unique definition for each of the terms listed, and some standards organisations even have contradictory definitions for the same term. For example, Standards Australia has two different definitions of a security event, both of which are different from the Australian Government definition of a security event (Standards Australia 2004, 2010; Australian Government 2009).

Beyond the security services, other commonly used terms have recursive and contradictory definitions. For example, NIST defines a threat as being the potential for an actor to exploit or trigger a specific vulnerability (Stoneburner 2001). Yet the Australian Government's Information Security Manual defines a vulnerability as being a weakness of an asset or group of assets that can be exploited by one or more threats (Australian Government 2009). Defining a threat in terms of a vulnerability, and a vulnerability in terms of a threat, is clearly recursive, and further contributes to the collective lack of utility of current security terminology.

It follows, therefore, that generic terminology could be developed to describe a broader application of security, including electronic, physical and personnel security.
Security is being maintained when an action has an authorised effect on the nominated state of a designated resource.

It follows that security is not maintained when an action has an unauthorised effect on the nominated state of a designated resource.

It should be noted in this definition that the state of security of a particular resource is not pre-ordained: the owner of the resource must make an assessment of what effects are authorised, on which particular nominated state, of whichever resources are designated to be important. It is immediately obvious, therefore, that governance has a significant role to play before any design of a security system can be undertaken. Security is a state that is desired by stakeholders, not one that is natural and predefined for any system. We return to these issues at the end of this paper when considering the conditions and means of security mechanisms.

The benefit of the above definition of security is that the following subordinate definitions flow naturally:

Threat: A threat is a possible action that may have an unauthorised effect on the nominated state of a designated resource.
Vulnerability: A vulnerability is a possible undesirable effect on the nominated state of a designated resource.
Security Event: A security event occurs when a threat is realised.
Security Attack: A security attack is a combination of security events coordinated to achieve a particular objective.
Security Breach: A security breach occurs when a vulnerability is realised (that is, a threat successfully exploits a vulnerability).
Countermeasure: A countermeasure is a feature or function of a security system that removes vulnerabilities or counters threats.

The base definition of security can be decomposed further by examining the detail of an authorised effect. An action is undertaken by an entity (such as a person, animal, program, or bot), so the definition of security could be elaborated to refer to that entity. However, the elaboration:

Security is being maintained when an authorised entity performs an action on the nominated state of a designated resource.

is not sufficient, because an effect is authorised only when the entity-action combination that caused the effect is authorised; that is, an authorised effect is the result of the authorised combination of a certain entity undertaking a particular action. For example, a company employee may be authorised to access a building during normal working hours, but not be authorised to access the building outside those hours. In this instance, the authorised effect is that the company employee can only achieve access to the building during normal working hours.
So, when the term authorised effect is decomposed to include the detail of the entity and of the action, both subordinate terms must inherit a property, the combination of which results in an authorised effect. The necessary property of the entity is that the identity of that entity must be known to a sufficient degree (commonly called authentication). The necessary property of the action is that it is accessible (at all, to a single authenticated entity, or to a number of entities). So, we could then elaborate:

Security is being maintained when an authenticated entity performs an accessible action on the nominated state of a designated resource.

This definition is still not sufficient, however. While authorisation might decompose directly into an authenticated entity performing an accessible action, security is not necessarily maintained unless the authorised effect is able to be attributed to a particular entity-action combination. This property is known as attribution (that is, it is known, to a desired state of certainty, that an entity performed an action) or, in the negative, as non-repudiation (that is, the entity cannot deny that the action was performed by them).

So, the authorisation of an effect decomposes into the authentication of an entity; the ability for an action to be attributed to a particular authenticated entity; and the accessibility of an action to that authenticated entity. That is, the effect is the result of an entity performing an action, and the authorisation of that effect is the combination of authentication, attribution and access. The definition of security can then be completely elaborated to be:

Security is being maintained when an authenticated entity is known to perform an accessible action on the nominated state of a designated resource.

Setting or establishing levels of authentication, attribution, and accessibility are specific functions of governance. Similarly, designating resources of value or importance to be secured, and nominating the state at which those resources are desired to be maintained, are also governance functions which will be outputs of threat assessment and risk management processes within an organisation. We return to these issues at the end of this paper when considering the conditions and means of security mechanisms. Security is also necessarily qualified by the temporal, spatial and situational context, as acknowledged by the Standards Australia definition of a security event as being an incident or situation which occurs in a particular place during a particular interval of time (Standards Australia 2004). These qualifications, therefore, form key contextual considerations as part of any general security governance measures and functions.
It is more useful to provide a definition of a security service that reflects more closely the generic nature of the proposed definition of security:

A security service is a process that, alone or in combination with others, maintains the nominated state of a designated resource.

In this context, therefore, since the proposed definition states that maintenance of security is achieved when an authorised action is performed on the nominated state of a designated resource, it follows that authorisation and resource assessment (designating resources and nominating their desired states) are appropriate security services.

ISO 7498-2 describes security mechanisms as being used to provide some of the security services (ISO 1989). In this context, a definition for a security mechanism is proposed as follows:

A security mechanism is an activity that, alone or in combination with others, contributes to the provision of a security service.

As previously mentioned, authorisation includes the authentication of an entity, attribution of the conduct of an action, and the accessibility of an action. It is therefore appropriate in a revised taxonomy of security to consider authentication, attribution, and access control as security mechanisms relative to the provision of authorisation as a security service. Similarly, the security service of resource assessment involves the security mechanisms of state nomination and resource designation.

Table 3 summarises the preceding discussion as a hierarchical taxonomy of definitions supported by a hierarchy of services and mechanisms.

Table 3: Summary of Revised Taxonomy of Security

Definition: Security is the maintenance of the nominated state of a designated resource.

Maintenance (security is being maintained when ...)      Security Service       Security Mechanism
an authorised action is performed                         Authorisation
    an authenticated entity                                                      Authentication
    is known to                                                                  Attribution
    perform an accessible action                                                 Access Control
on the nominated state of a designated resource           Resource Assessment
    on the nominated state                                                       State Nomination
    of a designated resource                                                     Resource Designation
Table 4 provides an illustration of the correlation between the current security terms presented in Tables 1 and 2, and the summary of the revised security taxonomy illustrated in Table 3. Table 4 demonstrates how each of the non-governance terms listed in Tables 1 and 2 can be mapped across to the revised taxonomy, either directly in the case of authorisation, authentication and access control, or, in all other cases, as a constituent element of a security service or security mechanism. The direct and indirect mapping of existing terminology validates the utility of the revised security taxonomy as a clear and more ordered method of presenting common security terminology.
Table 4: Correlation of Current Security Terms with the Revised Taxonomy (the revised-taxonomy columns repeat those of Table 3; the columns mapping the terms of Tables 1 and 2 did not survive extraction)
normal working hours only, pass cards and biometric information could be used to identify the employee, and audited data logging could be used to register any attempt to enter the building. In this case the authorised effect remains unchanged: the employee can only achieve access to the building during normal working hours, and any attempt to access the building outside normal working hours is detected.

The conditions and means for security mechanisms can be further illustrated by a brief consideration of additional sub-genres of security. Using the new proposed definition of security, border security can be defined as:

Border security is being maintained when an identified (authenticated) individual (entity) is recorded as (known to) receiving permission to cross (perform an accessible action) a controlled (nominated state) border (designated resource).

Alternatively, a negative expression of border security can be expressed as:

Border security is not being maintained if an individual is not identified; is not recorded as, or has not received, permission to cross a controlled border.

In this instance, the conditions for authentication would be correct identification of the individual person who is attempting to cross the sovereign border, and the possible means would be an identity card, passport, biometric analysis, or a combination of these means. The conditions for attribution would be that the entry of the individual is correctly recorded, including personal details and the time and place at which the sovereign border was crossed; and the means of attribution would be a customs agent making a record in a paper register or a computer register (manually or by a swipe of a passport), and a customs agent entering biometric details (photograph, fingerprints, DNA) in a computer register. Access control would have the conditions of a valid passport and travel visa, and the means of confirmation (either manual or computer-based) of the validity of the individual's travel documents.
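The building-access case above can be stated as a small reference monitor that follows the paper's decomposition: authentication of the entity (the pass card), access control over the action with its temporal qualification (normal working hours), and attribution of every attempt (an audit log). The code below is an added example written for this page; it is not from the paper and the paper prescribes no implementation. The pass-card register, the HMAC-based card check, the working-hours rule and the hash-chained log are all assumptions made for the illustration, and the card ids and secrets are constructed sample data.

```python
import hashlib
import hmac
import json
from datetime import datetime, time

# Constructed example data, not from the paper. The register binds each pass
# card to an entity and a role and stores an HMAC tag of the card's secret, so
# the monitor never holds the secret itself (assumption: the card presents its
# secret when tapped). REGISTER_KEY is assumed to be held by the monitor only.
REGISTER_KEY = b"example-register-key"


def card_tag(secret: bytes) -> str:
    return hmac.new(REGISTER_KEY, secret, hashlib.sha256).hexdigest()


CARD_REGISTER = {
    "card-1001": {"entity": "alice", "role": "employee", "tag": card_tag(b"alice-secret")},
    "card-1002": {"entity": "bob", "role": "contractor", "tag": card_tag(b"bob-secret")},
}

# Governance inputs: the building is the designated resource and controlled
# entry its nominated state. Rules are keyed by (role, action, resource); any
# combination with no rule is denied.
WORKING_HOURS = (time(9, 0), time(17, 0))


def during_working_hours(when: datetime) -> bool:
    return when.weekday() < 5 and WORKING_HOURS[0] <= when.time() < WORKING_HOURS[1]


POLICY = {
    ("employee", "enter", "building"): during_working_hours,
}


def authenticate(card_id: str, presented_secret: bytes):
    """Authentication mechanism: the register entry for a card whose presented
    secret matches, or None. compare_digest avoids a timing side channel."""
    card = CARD_REGISTER.get(card_id)
    if card is None:
        return None
    if not hmac.compare_digest(card["tag"], card_tag(presented_secret)):
        return None
    return card


def is_accessible(role: str, action: str, resource: str, when: datetime) -> bool:
    """Access-control mechanism: deny by default; the rule carries the temporal
    context that qualifies the authorised effect."""
    rule = POLICY.get((role, action, resource))
    return rule is not None and rule(when)


def attribute(log: list, entity: str, action: str, resource: str,
              when: datetime, decision: str) -> None:
    """Attribution mechanism: append a hash-chained record of the attempt so
    that later alteration, removal or reordering of records is detectable."""
    prev = log[-1]["digest"] if log else "0" * 64
    body = {"entity": entity, "action": action, "resource": resource,
            "when": when.isoformat(), "decision": decision, "prev": prev}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    log.append({**body, "digest": digest})


def verify_log(log: list) -> bool:
    """Recompute the chain; False if any record was altered, removed or reordered."""
    prev = "0" * 64
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "digest"}
        expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body["prev"] != prev or expected != rec["digest"]:
            return False
        prev = rec["digest"]
    return True


def request(log: list, card_id: str, presented_secret: bytes,
            action: str, resource: str, when_iso: str) -> str:
    """Authorisation as a security service: authentication, then access
    control, with every attempt attributed, including denied ones and
    attempts by cards that fail authentication."""
    when = datetime.fromisoformat(when_iso)
    card = authenticate(card_id, presented_secret)
    if card is None:
        attribute(log, "unauthenticated:" + card_id, action, resource, when, "deny")
        return "deny"
    decision = "allow" if is_accessible(card["role"], action, resource, when) else "deny"
    attribute(log, card["entity"], action, resource, when, decision)
    return decision


if __name__ == "__main__":
    log = []
    print(request(log, "card-1001", b"alice-secret", "enter", "building", "2012-07-10T10:00"))
    print(request(log, "card-1001", b"alice-secret", "enter", "building", "2012-07-10T22:00"))
    print(verify_log(log))
```

Two design points follow from the paper's argument rather than from the code: the out-of-hours attempt is denied and still logged, which is what makes it "detected", and the log records failed authentication separately from a failed access-control check, so a later reviewer can attribute each attempt to the mechanism that stopped it.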
Similarly, using the proposed definition of security, physical security of a home can be defined as:

Physical security is being maintained when a welcomed (authenticated) individual (entity) is seen to (known to) enter a home and respect (perform an accessible action) the possession (nominated state) of belongings of value (designated resource).

Alternatively, a negative expression of physical security can be expressed as:

Physical security is not being maintained if an individual is unwelcome, is not seen entering the home, or does not respect the possession of belongings of value.

In this instance, the conditions for authentication would be the welcoming of an individual into the home, and the possible means would be recognition of a known individual, or an invitation from a known third party. The condition of attribution would be a physical witness of the individual entering the home, and the means of attribution would be to monitor all entries to the home. The condition of access control would be the individual not stealing or damaging any personal belongings inside the home, and the means would be to monitor each individual's behaviour.

Using the same application of the proposed definition of security, electronic security can be defined as:

Electronic security is being maintained when a recognised (authenticated) person / computer / bot (entity) is recorded as (known to) accessing/manipulating/transmitting (accessible action) controlled (nominated state) data (designated resource).

In a negative context:

Electronic security is not being maintained if a person / computer / bot is not recognised; is not recorded as accessing/manipulating/transmitting controlled data; or accesses/manipulates/transmits controlled data without permission.

Further, environmental security can be defined as:

Environmental security is maintained when a living (authenticated) bio-organism or ecosystem (entity) is recognised as (known to) reproducing (accessible action) to support the sustainment (desired state) of our environment (designated resource).

In the negative context:

Environmental security is not maintained if a bio-organism or ecosystem is not living; is not recognised as reproducing; or does not reproduce.

The applicability of the proposed set of definitions and terms across these diverse sub-genres of security illustrates their utility as a generic taxonomy that is acceptable for a broad suite of security domains.
Conclusion
Current security terminology is overlapping, recursive and at times contradictory in nature. The terms and associated definitions used by several prominent standards organisations present a confusing mix of actions, states and governance functions that lack commonality in meaning and interpretation, and are mostly specific to a single problem domain (most commonly to electronic or cyber security). A new taxonomy of security terminology and definitions, as summarised in Table 3, is proposed. The definitions are presented in a hierarchy developed by functional decomposition from the base definition of security.

A new definition for security is proposed that is applicable across the electronic, physical, and personnel security domains:

Security is the maintenance of the nominated state of a designated resource.

where the maintenance of security is defined as:

Security is being maintained when an authenticated entity is known to perform an accessible action on the nominated state of a designated resource.

Using functional decomposition, a new definition for security services can be developed:

A security service is a process that, alone or in combination with others, maintains the nominated state of a designated resource.

and a definition of security mechanisms as:

A security mechanism is an activity that, alone or in combination with others, contributes to the provision of a security service.

These definitions encapsulate the intent and meanings of current security terminology, and are therefore not in conflict with current usage. The terms developed here are not only applicable to cyber security, but have a broader application across the electronic, physical, and personnel security domains.
References
Australian Department of Defence. 2009. Australian Government Information Security Manual. Barton, ACT.
CSIRO. 2009. Fact Sheet: What trust and security really mean. Accessed 23 June 2011, http://www.csiro.au/resources/SecurityAndTrust.html.
ISO (International Organisation for Standardisation). 1989. ISO 7498-2. Information Processing Systems: Open Systems Interconnection Basic Reference Model, Part 2: Security Architecture.
ITU (International Telecommunications Union). 1991. Recommendation X.800. Security Architecture for Open Systems Interconnection for CCITT Applications.
OECD (Organisation for Economic Co-operation and Development). 1992. Guidelines for the Security of Information Systems. Accessed 19 August 2010, http://www.oecd.org/document/19/0,2340,en_2649_34255_1815059_119820_1_1_1,00.html.
Oxford. 1993. In The New Shorter English Dictionary. New York: Oxford University Press.
Rich, Philip. 1992. The Organizational Taxonomy: Definition and Design. Academy of Management Review 17(4): 758-781.
Shirey, Robert W. 2000. IETF (Internet Engineering Task Force) RFC 2828. Internet Security Glossary. The Internet Society. Accessed 2 October 2010, http://www.ietf.org/rfc/rfc2828.txt.
Standards Australia. 2004. Information Security Risk Management Guidelines.
Standards Australia. 2010. Business Continuity: Managing Disruption-Related Risk.
Stoneburner, Gary. 2001. Underlying Technical Models for Information Technology Security. National Institute of Standards and Technology.
Biographies
Marcus Thompson is a Brigadier in the Australian Army with over 24 years of experience in communications and information systems. He is currently undertaking doctoral research with the University of New South Wales at the Australian Defence Force Academy.

Dr Mike Ryan is a senior lecturer at the University of New South Wales at the Australian Defence Force Academy. He holds bachelor, masters and doctor of philosophy degrees in engineering, and his research interests include project management, systems engineering, requirements engineering and military communications and information systems. He is the author or co-author of nine books, three book chapters, and over a hundred technical papers.

Dr Alan McLucas is a senior lecturer at the University of New South Wales at the Australian Defence Force Academy. He holds bachelor, masters and doctor of philosophy degrees in engineering, management and operations research, and has had extensive experience in management, complex problem solving, and strategy development. Alan is widely published in the systems thinking and system dynamics modelling literature and is the author of two books on these subjects.