Modeling Reality: A Business Operation
Modeling Reality is a series of blog posts describing how real-world scenarios are modeled by our software. This is the seventh installment.
I realized I’ve gotten a bit ahead of myself and neglected to explain a central piece of our software: the business operation. An astute observer may ask, don’t you already have a page on your website about “A Business Operation”? Well, that page discusses business operations from a marketing perspective, not from a technical perspective. From a technical perspective, a business operation consists of four main components: technologies, security controls, governing policies, and a user community.
The illustration below shows the basic idea of how technologies work in a business operation. A business operation consists of one or more host systems connected to one or more network devices. The host systems and network devices are made up of technology elements—the software and firmware running on them. One or more technology elements will be designated as a target for attack. Together with the user community, the technologies make up the attack surface of the business operation.
The illustration helps clarify the idea of trust boundaries. Everything on the same system or device is local. Everything connected to the same network is adjacent. And of course, everything inside the business operation is internal, and everything else is external.
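The trust boundaries described above can be computed from a topology. The following is an added sketch, not code from our software: the `Node` and `BusinessOperation` classes, their fields, and the sample hosts are all hypothetical, and the classifier returns the narrowest boundary that applies (local and adjacent elements are also internal).

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Node:
    """A host system or network device (hypothetical structure)."""
    name: str
    networks: frozenset   # network segments this node is attached to
    elements: frozenset   # technology elements (software/firmware) on it

@dataclass
class BusinessOperation:
    nodes: list = field(default_factory=list)

    def node_of(self, element):
        """Return the node an element runs on, or None if it is outside the operation."""
        for node in self.nodes:
            if element in node.elements:
                return node
        return None

    def boundary(self, a, b):
        """Classify the narrowest trust boundary between two technology elements."""
        na, nb = self.node_of(a), self.node_of(b)
        if na is None or nb is None:
            return "external"    # at least one side is outside the operation
        if na is nb:
            return "local"       # same system or device
        if na.networks & nb.networks:
            return "adjacent"    # attached to the same network
        return "internal"        # inside the operation, no shared network

    def boundaries_around(self, target):
        """Map every other element in the operation to its boundary with the target."""
        return {e: self.boundary(target, e)
                for n in self.nodes for e in n.elements if e != target}

# Constructed sample topology: two hosts and one network device.
OP = BusinessOperation([
    Node("web01", frozenset({"dmz"}), frozenset({"nginx", "linux-kernel"})),
    Node("fw01", frozenset({"dmz", "corp"}), frozenset({"fw-firmware"})),
    Node("db01", frozenset({"corp"}), frozenset({"postgres"})),
])

if __name__ == "__main__":
    # Boundaries as seen from the element designated as the target.
    for element, kind in sorted(OP.boundaries_around("postgres").items()):
        print(f"{element:14} {kind}")
```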
Security controls are the elements that protect a business operation from attack—defenses and detectors and the like. Technically speaking, security controls are also technologies, but we make a distinction between the technology part, which is part of the attack surface, and the security control part, which reduces the attack surface.
Governing policies are a quantification of how a business operation is run. Our security experts have enumerated a list of policies that influence a business operation’s risk exposure. For each policy, we use a rubric to translate qualitative assessments into a score between 1 and 5. These scores are fed into the simulation engine for use in a variety of simulation models.
As I’ve discussed previously, the user community consists of five roles—users with access, authenticated users, authorized users, application managers, and system administrators. A business operation defines the number of users in each role who have access to the operation.