Hi All,
This paper defines security as freedom from those conditions that can cause the loss of assets (i.e., items valued by a stakeholder) with unacceptable consequences. Unless otherwise noted, this paper will use the term security to refer to cybersecurity, cyber resiliency, cyber survivability as well as system security, system resilience, and system survivability.
• Cybersecurity is viewed as pertaining to consequences of the loss of information's confidentiality, integrity, or availability.
• Cyber resilience is viewed as pertaining to the loss or degradation of capability associated with cyber resources.
• Cyber survivability is viewed as pertaining to loss or degradation of mission-related functions due to cyber-events .
As discussed, three essential characteristics of a secure system are:
- It delivers the required system capability despite intentional and unintentional forms of adversity within foreseeable operating conditions.
- It enforces constraints to ensure that only the desired behaviors and outcomes associated with the required system capability are realized while satisfying the first characteristic.
- It enforces constraints based on a set of rules to ensure that only authorized human-to machine and machine-to-machine interactions and operations are allowed to occur while satisfying the second characteristic.
To achieve these characteristics, each of, and the relationships between, the system capability, desired behaviors, desired outcomes, and the set of rules must be defined unambiguously. The characteristics are to be achieved and maintained with the requisite assurance.
------------------------------
Michael Roza CPA, CISA, CIA, CC, CCSKv5, CCZTv1, MBA, EMBA, CSA
------------------------------