Security Engineering (SE) Workbench


Return to the SE-Workbench Project Page

An Analytial Model for Security Engineering

Security Engineers use critical thinking and deductive reasoning to analyze, identify, prevent and remediate anomalies and weaknesses in complex information systems. Common Criteria provides a General Model along with sets of Functional and Assurance Requirements for Security that form the basis for measurable trustworthy computing.

Security Model from Common Criteria (ISO/IEC 15408:2009)

Common Criteria for Information Security Evaluation, provides an Information Security Concept and Relationship Model that concisely represents the conflicting factors that Security Engineers need to consider when performing Security Analysis.

Table #1 contains a reproduction of the graphic from Common Criteria Part 1: Introduction and General Model. It illustrates a set of core security concepts and relationships. The graphic on the left side of the table is a visual representation of the relationships. The list on the left side of the table enumerates the assertions represented in the graphic.

Table #1 - General Model for Security

Security Concepts and Relationships
in the Common Criteria General Model
Security assertions in the
Common Criteria General Model
CC Relationship model.
  1. Owners value Assets
  2. Owners wish to minimize Risk to Assets
  3. Owners Impose Countermeasures to reduce Risk to Assets
  4. Threat Agents wish to Abuse or Damage Assets
  5. Threat Agents give rise to Threats that increase Risk to Assets



This figure illustrates the connection between Owners, Assets and Risks. It also calls out the interplay between Risk and Countermeasures. Common Criteria Introduction and General Model defines countermeasures as: "countermeasures are imposed to reduce the risks to assets. These countermeasures may consist of IT countermeasures (such as firewalls and smart cards) and non-IT countermeasures (such as policies and procedures). See also ISO/IEC 27001 and ISO/IEC 27002 for a more general discussion on security countermeasures (controls)."

Security Model for Imperfect Systems

Table #2 expands the scope of connections between Owners, Assets and Risks by identifying the interplay between Security Controls, Threats and Vulnerabilities. This representation of the model differentiates between security controls that typically include policies and procedures as described by documents such as NIST SP800-53 or ISO/IEC 27001, and countermeasures that typically include security guards and technical mechanisms that are prescribed as a defense against a specific type of attack. This change provides the Security Engineer with the ability to investigate and plan for both types of risk response:

  • Security controls, in the form of Management Controls, Operational Controls and Technical Controls to mitigate risk to Assets.
  • Countermeasures, in the form of IT security mechanisms and services that mitigate the likelihood of Attacks against assets.

The diagram in the upper portion of the table provides a visual representation of the relationships. This list in the lower portion of the table enumerates the paths represented in the diagram.

Table #2 - Security Model for Imperfect Systems

Security Concepts and Relationships for Imperfect Systems

Amended CC Relationship model for Imperfect Systems

Security assertions for Imperfect Systems

  1. Owners value Assets
  2. Owners wish to minimize Risk to Assets
  3. Threat Agents wish to Abuse or Damage Assets
  4. Owners Impose Controls to reduce Risk to Assets
  5. Vulnerabilities and Weaknesses Increase Risk to Assets
  6. Owners Impose Controls and Countermeasures to Mitigate Vulnerabilities and Weaknesses
  1. Owners Impose Controls and Countermeasures to Mitigate Discovery and Exploit of Vulnerabilities and Weaknesses
  2. Threat Agents Discover Vulnerabilities and Weaknesses that Increase Risk to Assets
  3. Threat Agents give rise to Threats that increase Risk to Assets
  4. Threat Agents give rise to Threats that Exploit Vulnerabilities

This figure acknowledges that all systems may have flaws and weaknesses, and that these flaws and weaknesses provide opportunities for bad actors abuse and/or damage assets.

Security Model for Imperfect Information Technology Systems

Table #3 further extends the Base CC Model by illustrating the elements and relationships related to the building, operating and usage of Information Technology Systems that operate on Assets. This model recognizes the need for authorization of users in roles, and that Information Systems exist in operational environments that may contain threats and threat agents. The diagram in the upper portion of the table provides a visual representation of the relationships. This list in the lower portion of the table enumerates the paths represented in the diagram.

The Model in Table #3 exposes the true complexity of the Security Engineering problem space.

Table #3 - Security Model for Imperfect Information Technology Systems

Security Concepts and Relationships for Imperfect IT Systems

Amended CC Relationship model for IT Systems

Security assertions for Imperfect IT Systems

  1. Owners value Assets
  2. Assets are located in an Environment
  3. Information Systems are located in an Environment
  4. Information Systems operate on Assets
  5. Environments may include Threats and Threat Agents
  6. Owners wish to minimize Risk to Assets
  7. Threats increase Risk to Assets
  8. Information Systems may contain Vulnerabilities and Weaknesses
  9. Vulnerabilities and Weaknesses Increase Risk to Assets
  10. Threat Agents wish to Abuse or Damage Assets
  11. Threat Agents Discover Vulnerabilities and Weaknesses
  1. Threat Agents give rise to Threats
  2. Threats Exploit Vulnerabilities and Weaknesses
  3. Owners may Authorize Users in Roles to Build Information Systems
  4. Owners may Authorize Users in Roles to Operate Information Systems
  5. Owners may Authorize Users in Roles to Use Information Systems
  6. Owners impose Controls and Countermeasures to reduce Risk to Assets
  7. Owners impose Controls and Countermeasures to Mitigate Vulnerabilities and Weaknesses
  8. Owners impose Controls and Countermeasures to Mitigate Discovery and Exploit of Vulnerabilities and Weaknesses

Security Engineers can use this set of Security Assertions to build the logic needed to perform Security Analysis.

Security Analysis Logic

Table #4 provides a view of Relationships and Dependencies that are relevant to Security Analysis. The formula expresses Security of a System as a function of Trustworthiness, Protections and Risks. These elements are dependent upon sets of controls, countermeasures, weaknesses and vulnerabilities. The elements are influenced by the characteristics and behaviors of the people, process, technology and information associated with the system.

Table #4. Security as a Function

Security as a function of Trustworthiness, Protections and Risk

Risk Default

Much of security analysis deals with the trying to understand and anticipate the behaviors of attackers who seek to bypass or circumvent security controls and countermeasures; or exploit vulnerabilities and weaknesses in the systems. This gives rise to the concept of "adversarial thinking" that juxtapositions the intent of system owners with the interest of threat actors and threat agents.

Adversarial Thinking

Security Analysis needs to position the motivation of the owner of assets against the motivation of attackers. This is referred to as Adversarial Thinking. Adversarial Thinking is routinely incorporated into Security Engineering tasks and activities, where some Security Engineers may act as members of Red Teams, i.e., attackers or ethical hackers, and some Security Engineers may act as members of Blue Teams, i.e., designers and defenders.

Table #5 below, shows how the content from the bottom portion of Table #3 can be organized in a way that demonstrates the foundations of adversarial thinking for imperfect Information Technology Systems.

Table #5 - Adversarial Points of View

Defender view (Blue Team)
Attacker view (Red Team)
    Given:
  • Owners value Assets
  • Assets are located in an Environment
  • Information Systems operate on Assets
  • Information Systems are located in an Environment
  • Environments may include Threats and Threat Agents
  • Owners wish to minimize Risk to Assets

  • Action:
  • Owners impose Controls and Countermeasures to reduce Risk to Assets
  • Owners may Authorize Users in Roles to Build Information Systems
  • Owners may Authorize Users in Roles to Operate Information Systems
  • Owners may Authorize Users in Roles to Use Information Systems
  • Owners impose Controls and Countermeasures to Mitigate Vulnerabilities and Weaknesses
  • Owners impose Controls and Countermeasures to Mitigate Discovery and Exploit of Vulnerabilities and Weaknesses
    Given:
  • Attackers value Assets
  • Assets are located in an Environment
  • Information Systems operate on Assets
  • Information Systems are located in an Environment
  • Environments may include Threats and Threat Agents
  • Attackers wish to maximize Risk to Assets

  • Action:
  • Threat Agents wish to Abuse or Damage Assets
  • Threat Agents Discover Vulnerabilities and Weaknesses
  • Threat Agents give rise to Threats
  • Threats increase Risk to Assets
  • Threats Exploit Vulnerabilities and Weaknesses


Table #5 illustrates the conflicting motivations and points of-view that contribute to the complexity of Security Engineering. On one hand, defenders work on behalf of owners and stakeholders of enterprises that include Information Technology Systems. On the other hand attackers see value in abusing or damaging assets belonging to the owner and stakeholders.

Defenders and attackers act as adversaries in support of, or opposition to, the interests of owners. Attackers can be external threat actors or internal threat actors. Defenders can be any person or entity who is subject to the security policies of the owner(s). The role and task of being a defender is much more complicated than the role and task of being an attacker. Defenders need to get everything right all the time, and Attackers only need to be right once.

Information Technology (IT) Professionals, to include Software Developers, Software Engineers, Systems Engineers and Security Engineers have a special role in ensuring that Information Technology systems are designed, implemented, operated and maintained with security and privacy in mind. IT professionals in the role of Security Engineers need to pratice Adversarial Thinking as the perform Security Analysis and apply their knowledge and expertise.


top of the page

Copyright © 2021, 2022 Jim Whitmore.

LAST UPDATE: 13 March 2022