The Residual World::Tag = 'Ontology'
Entries that have been tagged with 'Ontology'.
Risk and Threats - The Common Ground Between Security and Safety?
by Nic Plum on Tuesday 10 April, 2012 - 21:25 GMT
Posted in Architecture Framework • TRAK
Tags: def stan • defence • forum • iso42010 • mil std • ontology • risk • safety • security • solution • sourceforge • standard • threat • trak • view • viewpoint • vulnerability

This is something that has been bumbling around for some considerable time - safety and security. By that I mean whether there is something useful that an enterprise architecture view can be used for in the system safety and security disciplines.
On the face of it there is quite a bit of overlap. Both are ultimately concerned with risk inherent in a solution design which arises from threats (security) or hazards (safety). Both involve management with the aim to reduce the risk, threat or accident (safety) to an acceptable or tolerable target. I also suspect that security management uses categories to classify acceptable severity or probability in much the same way that the various system safety management standards in defence do (MIL STD 882D, DEF STAN 00-56). Both also involve mitigation of risk by design - through structure, behaviour, or adherence to a normative process of some sort.
There are bound to be some differences, not the least of which is terminology. In the security area we seem to have constructs like:
- Threat poses Risk
- Threat exploits Vulnerability
- design aka TRAK:Resource (System, Software, Organisation, Job or Role) exposed to Risk (and subsequently that Risk is mitigated by the (improved) Resource or Function (of that Resource))
In the safety area we seem to have constructs like:
- Failure may present Hazard
- Hazard can cause Accident
- Accident poses Risk
- Resource exhibits Failure
and attributes such as probability, impact, severity.
Anyway it seems sensible to open up the debate so I’ve posted some thoughts in the forums within the TRAK Viewpoints project site on Sourceforge. Something is definitely needed and my hunch is that there is so much overlap that it would be possible to create a Viewpoint that addresses the risk within a solution design. This may of course end up being two viewpoints depending on the concerns and therefore concepts (metamodel stereotypes) and relationships involved. What is needed is more debate and input from those involved with system safety and system security - hence the post. As ever with TRAK the objective is economy so that we have something that is just or barely adequate to describe the concerns and concepts involved and no more.
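The constructs listed above can be written down as typed triples and checked mechanically. The following is an added example, not part of the original post or of TRAK: it validates a constructed model against those triples and lists the unmitigated Risks a Resource reaches through either the safety chain or the security relationships. All element names are hypothetical, and mitigation by Function is left out for brevity.

```python
from collections import deque

# Constructs listed in the post, as (source type, relation, target type).
METAMODEL = {
    ("Threat", "poses", "Risk"), ("Threat", "exploits", "Vulnerability"),
    ("Resource", "exposed to", "Risk"), ("Risk", "mitigated by", "Resource"),
    ("Resource", "exhibits", "Failure"), ("Failure", "may present", "Hazard"),
    ("Hazard", "can cause", "Accident"), ("Accident", "poses", "Risk"),
}
# Constructed sample model (hypothetical element names): name -> type.
ELEMENTS = {
    "Signalling System": "Resource", "Axle Counter": "Resource",
    "Track Circuit Fault": "Failure", "Undetected Train": "Hazard",
    "Collision": "Accident", "Collision Risk": "Risk",
    "Command Spoofing": "Threat", "Open Maintenance Port": "Vulnerability",
    "Unsafe Command Risk": "Risk",
}
RELATIONS = [
    ("Signalling System", "exhibits", "Track Circuit Fault"),
    ("Track Circuit Fault", "may present", "Undetected Train"),
    ("Undetected Train", "can cause", "Collision"),
    ("Collision", "poses", "Collision Risk"),
    ("Collision Risk", "mitigated by", "Axle Counter"),
    ("Command Spoofing", "exploits", "Open Maintenance Port"),
    ("Command Spoofing", "poses", "Unsafe Command Risk"),
    ("Signalling System", "exposed to", "Unsafe Command Risk"),
    ("Open Maintenance Port", "poses", "Unsafe Command Risk"),  # not allowed
]

def validate(elements, relations):
    """Return relations whose (type, relation, type) form is not in METAMODEL."""
    return [(s, r, d) for s, r, d in relations
            if (elements.get(s), r, elements.get(d)) not in METAMODEL]

def open_risks(resource, elements, relations):
    """Unmitigated Risks reachable from a Resource via either chain."""
    bad = set(validate(elements, relations))
    edges = [t for t in relations if t not in bad]
    mitigated = {s for s, r, _ in edges if r == "mitigated by"}
    found, seen, queue = set(), {resource}, deque([resource])
    while queue:
        node = queue.popleft()
        if elements[node] == "Risk":   # stop at Risk; ignore 'mitigated by'
            found.add(node)
            continue
        for s, _, d in edges:
            if s == node and d not in seen:
                seen.add(d)
                queue.append(d)
    return found - mitigated
```

The safety chain reaches Risk in four hops while the security side asserts the exposure directly, yet one query covers both, which is the overlap a single risk Viewpoint would rely on.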
External Links
- DEF STAN 00-56/4 Part 1 / Part 2 Safety Management Requirements For Defence Systems. [registration needed to access]
- MIL STD 882D. Department Of Defense Standard Practice For System Safety. February 2000
- Cabinet Office. Security Policy Framework. V7 October 2011.
- Security Ontology. Stefan Fenz.
- Secure Business Austria. Security Ontology.
- HIPAA Security Series. 6 Basics of Risk Analysis and Risk Management.
- Safety & Functional Safety. ABB Brochure 1SFC001008B0201.
‘Logical’, ‘Abstract’ or ‘Concept’ Instead of ‘Operational’?
by Nic Plum on Monday 19 April, 2010 - 15:46 GMT
Posted in Architecture Framework • MODAF • TRAK
Tags: concept • definition • language • ontology • operational • perspective • trak
The language used in a framework definition is important to its “user interface”. Get it wrong and you build in problems for the long term. It is, however, difficult to get the ‘right’ name - one that is readily understood and where everyone has the same understanding.
In TRAK we have an ‘Operational Perspective’ that provides the elements and viewpoints with which to describe the problem in terms of need, exchanges and behaviour in a way which is free from implementation or any particular solution or technology. The trouble is that the word ‘operational’ is all too readily associated with the day to day running or operation of the system. This has caused confusion in the rail domain. Of course any confusion can lead to the use of the wrong architectural views or to an unnecessary restriction in scope - all of which can lead to inconsistency and make it harder to exchange or collaborate on architecture models.
Back to the problem in hand. If we don’t use ‘Operational’ what could we use instead? ‘Logical’ is a possibility. It is used in other frameworks, such as Zachman, where it is a perspective that represents the logical information systems model which is free from the technology (another perspective). It looks as though MODAF would like to use ‘logical’ since the pre-amble to the MoD’s ‘The MODAF Operational (OV) Viewpoint’ states ‘the OV Views illustrate the Logical Architecture of the enterprise; ie whilst they show what is required to conduct an (operational or business) activity, they do not consider how a solution may manifest itself when implemented.’ The trouble is, would the average user equate ‘logical’ with implementation-free or would they associate mathematics, rules or some alternative “Spockian” image with the term?
‘Abstract’ is another candidate. Looking in the New Oxford American Dictionary, produced by the Oxford University Press (OUP), that comes with the Apple Dictionary application we have:
ab•stract
adjective |ˈabstrakt|
existing in thought or as an idea but not having a physical or concrete existence : abstract concepts such as love or beauty.
- dealing with ideas rather than events : the novel was too abstract and esoteric to sustain much attention.
- not based on a particular instance; theoretical : we have been discussing the problem in a very abstract manner.
- (of a word, esp. a noun) denoting an idea, quality, or state rather than a concrete object : abstract words like truth or equality.
- of or relating to abstract art : abstract pictures that look like commercial color charts.
This looks to be promising. It is quite clearly nothing to do with a particular solution or realisation. Is ‘Abstract Perspective’ only a term that an air-head would use? It certainly seems to be better than keeping the current ‘operational’.
Or would it be better just to use ‘Concept’....?
Not easy. The request to change the name has been made on SourceForge and it will be interesting to see what comments or reaction develops.
Whatever the outcome there will have to be some changes on the site wiki…. :-(
External Links
- MODAF. The MODAF Operational (OV) Viewpoint. 12th February 2009.
- Sourceforge. TRAK Enterprise Architecture Viewpoints. Feature Request #2989344
A System is a System, Right? Not if You’re Head-Modelling
by Nic Plum on Saturday 27 February, 2010 - 16:24 GMT
Posted in Architecture Framework • MODAF • TRAK
Tags: artefact • capability configuration • definition • handbook • head-model • incose • meaning • modaf • ontology • platform • stereotype • system • system of systems • trak
Introduction
Choosing stereotypes for an enterprise architecture framework isn’t easy. In defining something you embed the prevailing view at the time the framework was created. This may later haunt you. With every extra stereotype you add choice and then when you add the poor old architect or modeller into the mix you increase the possibility of inconsistency - the very thing the metamodel is designed to constrain and eliminate. This is illustrated very nicely in trying to place ‘System’ at the centre of TRAK.
Since we started with MODAF 1.2 this is where the story begins.
MODAF 1.2
In the MODAF System is defined as
The usage of an artefact as a System in a Capability Configuration
and part of the physical architecture.

MODAF::System - A Physical Artefact
Technically it is defined as an Artefact alongside Platform. This arose because when the MODAF was originally launched the consensus on what a system is wasn’t the currently accepted one with emergence et al and the MODAF quite reasonably took the then accepted view - hence it is a purely man-made thing. No notion of complexity whatsoever.
From The MODAF System Viewpoint (SV) (17th February 2009):
‘Artefacts - Physical objects made for a purpose (e.g. system, sub-system, platform, component or any physical item that occupies space and has attributes)’
‘Physical Architectures - Configurations of resources for a purpose (e.g. capability configurations)’
‘The physical resources contributing to a capability must either be an organisational resource or a physical asset. That is, a system cannot contribute alone; it must be hosted on a physical asset used by an organisational resource of both. Organisational aspects (e.g. who uses a system) can now be shown on SV-1.’
In short as it is defined in MODAF 1.2:
- system is something physical
- it is man-made
- it can’t contain anything else like Organisation, Post or Role, or Software
- it is not the same thing as a Capability Configuration
- systems cannot provide capability
TRAK
When creating TRAK we found we couldn’t use MODAF::System as it didn’t fit with either the London Underground view of a system or the INCOSE or ISO ones.
The current INCOSE Systems Engineering Handbook defines a system as:
‘an integrated set of elements, subsystems, or assemblies that accomplish a defined objective. These elements include products (hardware, software, firmware), processes, people, information, techniques, facilities, services, and other support elements.’
It was therefore impossible to use MODAF::System to represent what is currently accepted to be a system. So what could we use? As a system is a mixture of hard and soft resources it made sense to position it at the centre of TRAK:

TRAK::System - Central to the Metamodel
Immediately therefore this allows us to describe systems
- composed of a mixture of equipment, software and people - not just physical
- composed of just software or of just human stuff - soft systems
and we don’t need ‘Sub-system’ either or ‘System of Systems’ since the terms just reflect a point of view in the hierarchy of systems and we already have the construct ‘System is configured with System’ to allow us to represent systems at any level. In fact if we introduced sub-system we would be forcing architects to make a choice and with choice comes difference of opinion and the potential for inconsistency - my Sub-system might be your System and so on.
Now Add People
The choice of metamodel elements is important, particularly when you add people (users of the metamodel) into the mix.
Some of you will be looking at the TRAK metamodel fragment above and thinking ... Capability Configuration. Indeed in MODAF this is where Capability Configuration sits. So is Capability Configuration correct? As defined it cannot be - Capability Configuration is still part of the Physical Architecture.
The bigger problem, however, is that you end up using one element but with the meaning of another. It’s easy to see how this might arise - being not allowed to add parts to MODAF::System the architect takes the stereotype that does allow him or her to add the stereotypes that they want - the Capability Configuration. It is possible that they don’t even see the problem in doing so. The trouble is that they describe something as a system but use Capability Configuration. Their ‘head-model’ doesn’t fit the meaning of the model elements used.
It is actually worse because in providing MODAF::Platform and MODAF::System there is a choice to be made - when is something a platform and when is it a system? You can almost guarantee that different choices will be made and therefore it makes it more likely that architecture descriptions (models) can’t be ported between organisations. In fact the poor modeller has 3 stereotypes that can be used to mean ‘system’ (in their head) - the MODAF::Capability Configuration, MODAF::System and MODAF::Platform. On the receiving end you can’t predict which will have been used.
This is why in TRAK there is only 1 TRAK::System. It’s flexible, can be used for hard or soft systems and, importantly, ‘there shall only be one’ - no sub, super or whatever-system.
You describe the context simply by the system boundary and hierarchy. Easy.
After all a system is a system.
Acknowledgements
The MODAF is Crown Copyright/MOD
The TRAK Metamodel is released under the GNU Free Documentation License.
External Links
- MODAF Metamodel 1.2.003
- The MODAF System Viewpoint (SV). 17th February 2009.
- INCOSE‐TP‐2003‐002‐03.2. INCOSE Systems Engineering Handbook v. 3.2. January 2010
- TRAK Metamodel. 26th February 2010.