Tuesday, July 2, 2013

Dimension 3: Effective Design & Development

This is the third post defining each of the Ten Dimensions of Cyber Security Performance.

Design & Development determines the general characteristics of an organization and its systems relative to cyber security.  Design includes processes of thinking, planning, and formal definition, while Development includes the realization of designs, including refinements and adjustments.

In the block diagram, I've positioned it underneath the "Systems" block because, in a certain sense, it provides the conceptual foundation and architecture of the Systems and how they behave, i.e. how they generate output events in response to inputs and interactions.  Of course this is a simplification, since its influence and scope touch nearly every other performance dimension.

While this obviously includes any software and hardware development performed internally, it's very important to note that this dimension covers all relevant design and development activities, including:
  • business process design and development
  • organization design and development
  • enterprise architecture
  • information and data architecture
  • partner relations, including supply chain, distribution chain, and outsource partner relations
  • contracts
  • governance, both inside and outside the organization
  • incentive systems
Note that this definition excludes design and development performed outside the organization.  For example, if an electric utility firm does no internal software or hardware development (not even through contractors), it depends on software and hardware from independent vendors.  Notice that this firm has still made a design decision, namely to "buy" rather than "make".  But beyond that, it has no influence over the design and development decisions of its vendors.  Therefore, it would need to manage the performance of its vendors through a different performance dimension: 7. External Engagement.

Design & Development is extremely important to cyber security performance because it has the potential to yield systemic improvements and benefits.  Conversely, neglect could lead to persistent and systemic dysfunctions, with the negative consequences showing up in many areas and functions.  This is one of the important lessons from the Total Quality Management movement -- that quality (or lack of it) is often pre-determined at design time rather than at manufacturing time or later.

This idea isn't new to the field of information security and privacy.  In fact it is promoted with the slogans "Privacy by Design" and "Security by Design".  In software development, it is known as the "Security Development Life Cycle".  Unfortunately, too many organizations neglect this approach when it comes to the other design and development activities listed above.  For example, IT outsourcing decisions are often made without adequate attention to security and privacy considerations, partly because managers assume that some combination of audits and reporting can assure that the outsource vendor will operate securely.  Neglect of Design & Development leads to a situation where cyber security is a "bolt-on", which is generally least effective, most expensive, and hardest to manage in the long run.  Sadly, this often only becomes clear in the aftermath of a severe security breach, assuming that a comprehensive investigation is performed.

Performance in this dimension is about effectiveness -- getting the right design and having that design effectively influence the rest of the performance dimensions.  This focuses attention on making the most important design decisions, and on making design decisions that are systemically better than alternatives.  In turn, this requires understanding the interactions between design of technologies, business processes, organization structures, policies and procedures, and the rest.

The description I've just given might lead some readers to believe that this applies only to large organizations.  That is not the case.  Even very small businesses perform design and development, at least of their organization structure, their business processes, and probably their data architecture (though it probably isn't known by that name).  It may often be true that managers in small businesses do not have the experience or expertise to make these (cyber security) design decisions effectively.  But this deficiency only reinforces the value of including this as a distinct performance dimension.  It might lead managers in small businesses to get help from service providers or to partner with other businesses.

(Next dimension: 4. Quality of Protection & Controls)


  1. Russ, I like these first three dimension descriptions. Rather than expound on what I like, though, here is some constructive feedback on additional considerations: a) Spend some time making stronger links between how these dimensions depend on or relate to each other formally. b) There is a difference between actual threats and potential threats. The latter looks more like "possible attack trees". I've found distinguishing between the two to be helpful. c) What I don't see is a leverage point to determine good or appropriate. If your intent is to provide measurement buckets, that's fine, but the ability to measure will need some work...

    1. Thanks for the excellent suggestions. a) Agreed. The descriptions here are just a start, mostly stream-of-consciousness descriptions. Elaborating the links and interactions between performance dimensions will be a very important next step. b) Yes, distinguishing between different threats and threat agents by degree of possibility or actuality is useful. (That's just one reason why I chose the name for this blog.) c) Agreed. I haven't yet specified how performance would be measured on each dimension. I have a specific method to recommend, but that deserves its own blog post (or several).