Threat-Based Security Engineering - Introduction

For at least the past 20 years, the security industry has struggled unsuccessfully to develop a way to model the dynamics that give rise to security risk and to quantify and forecast expected security outcomes in an objective analytical manner.

As a result of our lack of success, the way we have had to go about building security systems in the past has been based largely on applying established practices and common sense, and on a significant amount of guesswork and uncertainty.  Information Security has remained an art, while other Information Management disciplines (for example, IT Asset Management, Performance Management, Capacity Management) have been transformed into engineering subjects based on sound principles.

If we could learn to model security risk analytically and scientifically, we could make enormous leaps forward.  We would be able to calculate reliably the probability of each of the security outcomes we wanted to prevent, the benefits of each countermeasure we might want to apply, and the RoI of any proposed security programme.  We would be able to design security solutions which were accurate and reliable, and optimise our security arrangements to minimise the cost of the security measures needed to achieve stated security goals.  We would be able to demonstrate objectively and auditably that we were satisfying governance and regulatory demands, and assure stakeholders that Information Security needs were being addressed effectively and efficiently.

TBSE solves that risk modelling problem.  Where previous efforts have failed, TBSE has succeeded by adopting the type of approach used to model complex dynamical systems.  TBSE uses non-deterministic techniques to model the dynamics of the interactions between security threats and countermeasures, the dynamics that give rise to security risk.  It turns out that this type of modelling can be applied much more simply than people appear to have anticipated, and initial results suggest that TBSE can be applied successfully to any threat (malicious or non-malicious, accidental or wilful, internal or external) and any countermeasure (technical or non-technical).

TBSE shows how to model risk analytically and derive objective quantified forecasts of the level of risk as a function of both the measured threat profile and the countermeasures being deployed.  It allows us to calculate the reduction in risk we could achieve by varying those countermeasures, enabling us to calculate the benefits of new or improved security measures and the RoI of a security programme.  This is extremely exciting and opens the prospect of major advances to come in the Information Security field.

TBSE is of direct benefit to public or private sector organisations wishing to improve the effectiveness and cost-efficiency of their internal security risk management programmes.  It gives users the ability to optimise their security arrangements, justify security expenditures to the board, and assure stakeholders that the company has an appropriate understanding and control of its security risks.

TBSE also creates a wide variety of exciting opportunities for organisations wishing to support the global, pan-sector, security user community.  For security service providers, it brings opportunities to provide customers with up-to-date threat profiles, threat indices and the algorithms to turn monthly threat indices into forecast risk indices in support of management decision-making.  Management consultancies can build new services to help their clients tailor risk models and decision-support tools to suit the client's particular business and technical environment.  Security assurance companies can develop new services to calibrate security countermeasures and to certify the effectiveness of security deployments.  These services will address the need for a new range of e-business support services, providing compliance audits so that:

♦  Companies can assure audit committees they have a security programme in place that protects shareholder interests;
♦  Companies can demonstrate objectively and measurably to external regulators that the company is operating in compliance with regulations and legislation;
♦  Business partners can be benchmarked against an objective baseline to ensure they do not introduce inappropriate risks to the integrated supply chain.

TBSE will create opportunities for product companies to develop new risk management software tools.  TBSE can also kick-start an active Digital Risk insurance marketplace by enabling the development of simple Digital Risk insurance products for which premiums can be priced reliably.

