What does define adequate security, and how to measure it?

The story starts in a village of blind men and the elephant where each one tries to describe what he touched to each other. The story illustrates how important to connect each part to explain the whole thing correctly. It isn’t one way or the other. It is essential (in general) to look at things from different angles and through different lenses (bare eye, microscope or telescope). In this article, I want to explain the use of the systems thinking model to address security strategy, especially with who is responsible for making changes to secure their corporate’s systems.

I chose the Zoo to illustrate the systems. It has different species (systems) living together in isolated houses/cages/ponds and looked after by human-being (Zookeepers) to check the animals’ health & safety. And the kingdom to present the rules and processes that govern the Zoo.

The Zoo has segregation, strict nutrition with continuous health-check monitoring and controlled breeding to keep sustainable biodiversity in the kingdom zoo. Nevertheless, accidents happen, and some animals sadly can’t stay alive or expose threats to others (i.e. animals/visitors).

So, what can we learn from the Zoo systems to apply to our corporate enterprise?

Systems thinking is a way of analysis that helps understand the root causes of problems in complex systems by breaking them into elements, interconnections between these elements and functions of each and whole. Then, once you build that system model, you start to understand where the problems come from and where to intervene to fix them.

NASA Safety Framework identified ASARP (As Safe As Reasonable Practical), which once passed there will be significant cost required but safety unlikely to improve further. Rony Ross (fellow at NIST) argued that could be the same in cybersecurity. As organisations reach ASARP (As Secure As Reasonable Practical) line, there will be diminutive security strength that does not justify the extra spending wasting scared resources for that minute gain. It’s a big dilemma and challenging to determine if your corporate level of cybersecurity capabilities reached that line or crossed it. It’s crucial to expect that line (ASARP) would be different between enterprises and likely to keep moving (+/-) as the behaviour of the systems over time will keep changing.

Let’s define adequate security first and then identify how to measure it to draw a line. In the Zoo example, each animal has its own emulated environment based on a well-defined set of requirements for the animal to live safely and for the visitor to watch (i.e. interact/connect) without disturbing (as much) the animal habitat (i.e. system function). The corporate enterprise is similar; to define the requirements to drive the roadmap for the next steps, but this set of the requirements are mostly fixed (or rigid) and based on specific characteristics. Using the system dynamics modelling, we would be able to simulate (i.e. evaluate) the system behaviour in different scenarios and break each element into sub-elements to identify feedback loops and leverage points to adjust the system behaviour to the expected pattern.

But, what does define adequate security, and how to measure it to draw a line?

Unfortunately, I don’t have a straight answer for that, but I have studied some mechanisms & frameworks that could help and guide based on my own analysis as follows:

• The recently revised NIST 800–160 is a good starting point. It defines what security capabilities are needed to increase the resiliency, but measuring it would vary according to the threats and cyber simulated catastrophic level.

• Lockheed Martin incidents report covers the most severe incidents it faced during a particular month and evaluates the effectiveness of the cyber kill-chain controls accordingly. By examining the data over several months, Lockheed Martin would determine what works, what does not, and where to invest in new capabilities.
• Goldman Sachs best practices for defensive system performance. It builds a matrix of all existing security controls across the kill-chain stages. Then, it splits these stages with further measures to identify the gaps and needed investment in improving the security controls.
• The Australian Cyber Security Centre (ACSC) has collected data on tens of thousands of attacks each year. It examines the performance of a large number of security controls in defending against those attacks, then ranks the security controls in terms of their overall effectiveness against potential user resistance, upfront cost and ongoing maintenance cost.

There are others, but I don’t think it is that important to identify which mechanism to consider rather than make sure that your corporate enterprise systems have adequate cybersecurity capabilities and keep tracking your attack vectors patterns. Create feedback loops to identify the leverage points.