In the block diagram, I've positioned it underneath the "Systems" block because, in a certain sense, it provides the conceptual foundation and architecture of the Systems and how they behave, i.e. how it generates output events in response to inputs and interactions. Of course this is a simplification since the influence and scope touches nearly every other performance dimension.
While this obviously includes any software and hardware development performed internally, it's very important to note that this dimension includes all relevant design and development activities, including:
- business process design and development
- organization design and development
- enterprise architecture
- information and data architecture
- partner relations, including supply chain, distribution chain, and outsource partner relations
- governance, both inside and outside the organization
- incentive systems
Design & Development is extremely important to cyber security performance because it has the potential to yield systemic improvements and benefits. Conversely, neglect could lead to persistent and systemic dysfunctions, with the negative consequences showing up in many areas and functions. This is one of the important lessons from the Total Quality Management movement -- that quality (or lack of it) is often pre-determined at design time rather than at manufacturing time or later.
This idea isn't new to the field of information security and privacy. In fact it is promoted with the slogans "Privacy by Design" and "Security by Design". In software development, it is known as the "Security Development Life Cycle". Unfortunately, too many organizations neglect this approach when it comes to the other design and development activities listed above. For example, IT outsourcing decisions are often made without adequate attention to security and privacy considerations, partly because managers assume that some combination of audits and reporting can assure that the outsource vendor will operate securely. Neglect of Design & Development leads to a situation where cyber security is a "bolt-on", which is generally the least effective, most expensive, and hardest to manage in the long run. Sadly, this often only becomes clear in the aftermath of a severe security breach, assuming that comprehensive investigations are performed.
Performance in this dimension is about effectiveness -- getting the right design and having that design effectively influence the rest of the performance dimensions. This focuses attention on making the most important design decisions, and on making design decisions that are systemically better than alternatives. In turn, this requires understanding the interactions between design of technologies, business processes, organization structures, policies and procedures, and the rest.
The description I've just given might lead some readers to believe that this applies only to large organizations. That is not the case. Even very small businesses perform design and development, at least of their organization structure, their business processes, and probably their data architecture (though it probably isn't known by that name). It may often be true that managers in small businesses do not have the experience or expertise to make these (cyber security) design decisions effectively. But this deficiency only reinforces the value of including this as a distinct performance dimension. It might lead managers in small businesses to get help from service providers or to partner with other businesses.
(Next dimension: 4. Quality of Protection & Controls)