Cyber Risk Leaders Magazine - Issue 2, 2020


Cyber Security

Getting serious about security assurance

By Codee Ludbey CPP, Digital Lead at Norman Disney and Young, responsible for a team of security professionals in New South Wales.


My favourite explanation of the difference between safety and security is succinctly (and humorously) presented by Somerson (2009), who states that security is an approach to protect against the malicious actions of others, whereas safety is an approach to protect against the duncery of negligence. Because we can all relate more easily to the latter, we tend to have more conversations about making designs safe as opposed to secure. In the public consciousness, there is a higher duty to provide safety than security, and this shows in a variety of ways in the engineering industry.

For example, Safety in Design is thoroughly embedded in the typical design processes of any built environment practitioner. Many hours are spent in Safety in Design Workshops, filling in Safety in Design Registers, and developing comprehensive Safety in Design strategies. On the other hand, Security in Design is still a new and emerging topic that few have actually applied properly outside of Government projects. Even where security in design is applied, the level of thoroughness and completeness from a security assurance perspective is often less developed than the safety in design process. This is probably due to the relative immaturity of security as a science, particularly as applied in the built environment.

Nevertheless, due to some recent observations and experiences with more rigorous security and safety assurance processes, I wanted to present an overview of how the two can be co-managed in the security risk management process. But, before we delve into security assurance, let's start with a definition of safety assurance from Kelly & Weaver (2004): "[Safety Assurance is] a qualitative statement expressing the degree of confidence that a safety claim is true."

In the context of design, this definition is basically explaining that safety assurance is a statement or argument, reinforced by evidence, that expresses the level of confidence that a system is safe to operate or rely upon. This is important, as safety, much like security, is not certain, and rests on assessments of likelihood and consequence. Subsequently, under the various occupational health and safety laws amongst others, we need to satisfy ourselves, our clients, and the State that we have reduced risks so far as reasonably practicable (SFAIRP). Safety assurance is the process through which we do this.

Security assurance, then, is similar: we need to demonstrate security risk reduction SFAIRP and that a tailored approach to the security of critical assets has been undertaken. Security practitioners have a responsibility for ensuring security is embedded in a project, and that the security objectives are met through a well-reasoned argument and risk reduction strategy. This argument should be built upon supporting evidence (or security cases) that can demonstrate to a third party how the identified security risks have been reduced to acceptable levels. To effectively construct this argument, there needs to be a clear definition of the security requirement or objective, a series of security cases (or arguments) that support these objectives, and the subsidiary evidence in design that informs the arguments.

