The Three Laws of Cyber and Information Security

 

July 2014 – Daniel Dresner, PhD, MInstISP and Neira Jones, MSc, FBCS

 

Protect. Operate. Self-Preserve

 

It is more than 70 years since Asimov’s three laws of robotics were codified(1), becoming the basis for much classic science fiction. They have crossed the boundary from fiction to fact, and are still relevant today(2).

 

The three laws recognize the importance of tracing the maturity of the environment in which a system is created, used, and ultimately decommissioned. We will show how the first law defines the capabilities for ‘asset protection’, the second law the capabilities for ‘operation’, and the third law the capabilities for ‘self-preservation’.

 

These correspond to the three attributes of security: confidentiality, integrity, and availability.

 

The Standards Coordination Group of the Trusted Software Initiative(3) has recognized that ‘cyber security’ is without a generally accepted definition; different standards makers use different definitions.

 

It is our observation that cyber security and information security are two different things, which is perhaps why those who appreciate the history (Williams, 2013) are unhappy with the term ‘cyber’ being appended to all things touching on information technology in general and the Internet in particular.

 

Medical records, credit card numbers, credentials, and such, need to be protected(4).

 

Where we are interested in the behaviour of the system, and in the monitoring and the protective or corrective feedback that behaviour requires, then it is cyber, and it is permissible to borrow the term (from Wiener, 1948).

So when the SCADA(5) engineers talk about cyber security, they really mean it!

Harm to assets, by our definition, equates to proportional harm to a human being or to a collective of human beings (which may be, for example, a nation state, a community, or a business). That harm may be:

  • actual harm (for example, physical injury resulting from a security breach of a medical device or an airplane control system), or
  • implied harm (for example, financial loss through a credit card data breach, identity theft through the fabrication of credentials, or IP theft that would harm a corporation(6)).

 

A system comprises information assets and the processes, people and technologies necessary to exploit those assets within an environment which is likely to affect the context of the system’s use or misuse. A system is itself an asset.

 

  • The first law demands the primary cybernetic capabilities (see full paper) for ‘asset protection’.
  • The second law expects the system that must be secured to have the capabilities for ‘operation’ (secondary cybernetics).
  • The third law expects a system’s tertiary cybernetics to have the capabilities for ‘self-preservation’.

 

These correspond to the three attributes of security: confidentiality, integrity, and availability (BS ISO/IEC 27002:2005).

As a practical example, if we view the information technology components of the system, we may apply the three laws to three diverse manifestations:

 

  • an on-line ‘shop’,
  • a customer database,
  • and malicious software (malware)

 

The three laws govern how feedback from a dynamic approach to risk management is applied to regulate the confidentiality, integrity, and availability of the information assets.

 

The full paper, The Three Laws of Cyber and Information Security, by Daniel Dresner and Neira Jones, including further information about the authors, is available for download.

 

 

1. The first of Asimov’s Robot stories were published in Astounding, edited by John Wood Campbell Jr, who codified the three laws from Asimov’s work (Nicholls, 1981 and Gunn, 1975).

2. New Scientist, One Minute with Mark Bishop, 18 May 2013

3. http://www.uk-tsi.org.uk/

4. That is, in a state of information security.

5. Supervisory Control And Data Acquisition [systems].

6. Notwithstanding the psychological or social harm that may result.
