Toward a target function of an Information Security Management System

Wolfgang Boehmer, Technische Universität Darmstadt, Germany, Hochschulstr. 10, 64289 Darmstadt. Email: [email protected]

Abstract—The limits of traditional (static) policies are well known in many areas of computer science and information security, and are extensively discussed in the literature. Although some flexibility has been achieved with the introduction of dynamic policies, these efforts have addressed only a fraction of the requirements necessary to secure today's enterprises. Currently, no feedback mechanisms are in place to evaluate the effectiveness or economic impact of static or dynamic policy implementation. Here, we address the requirement for feedback and present a policy for the next generation: a policy that includes a dynamic feedback response to the effectiveness of changes. The structure of this new type of policy, called a "management system", is borrowed from discrete event system (DES) theory and functions as a control loop. A management system consists of four elements (control system, sensor, controller, and actuator) that are involved in a control law. Two types of management system can be defined. A simple management system (1st order management system) responds to and regulates only perturbations. An advanced management system (2nd order management system) has an overarching target function that influences the controller; this target function is usually economically oriented. Finally, we compare our new type of policy with two management systems that follow the Plan-Do-Check-Act (PDCA cycle) model. We investigate the two PDCA cycle standards ISO/IEC 27001 (Information Security Management System, ISMS) and BS 25999 (Business Continuity Management System, BCMS). We also show that the new type of policy can be applied to management systems based on a PDCA cycle.

Index Terms—Static/dynamic policies, control loop, 1st order management system, balance system, 2nd order management system

I. Introduction

In computer science, policies have far-reaching implications and are relevant to several areas of research, including firewall configuration, authentication, and network management. Initially, policies were designed to be static, with a fixed set of rules that dictated the allowed and disallowed states of a system and of processed or controlled objects. As systems (for example, enterprise security or electronic communication networks) have become more complex, it has become apparent that static policies are unable to meet operational requirements. Dynamic policies, therefore, have been developed to enhance system flexibility with respect to temporal and/or substantive components. Detailed flexibility strategies can be found, for example, in [1]. The foundations for dynamic policies were first formulated by Meyden in 1996 [2]. The gain in flexibility meets the needs of businesses, and dynamic policies have been widely applied in a range of systems.

Neither static nor dynamic policies have, thus far, been designed with feedback components to monitor policy effectiveness. Policies with feedback have, in general, been under-appreciated in computer science research. In contrast, engineering fields regularly implement control loops with built-in feedback capabilities in technical systems that can be modeled in the framework of discrete event systems theory (DES). These control loops are composed of four elements connected sequentially to form a loop: the control system, the sensor, the controller, and the actuator. In general, control system engineering is a discipline that mathematically models diverse systems in nature by analyzing their dynamic behavior. Control theory is applied to create a controller mechanism that shifts the system behavior in a desired manner. Control loops have gained far-reaching significance because they are not purely technical models; the control loops define general organizing principles that incorporate concepts of self-regulation observed in biology, sociology/psychology, and general systems theory. An extensive body of literature discusses control loops, and the reader is referred, e.g., to [3]. In the realm of control system engineering, the task of control loops can be defined as follows:

Def.: Control circuits maintain a process' time-dependent parameters within a predetermined range of values, particularly in response to disturbances.

The Information Security Management System (ISMS), ISO 27001 [4], and the Business Continuity Management System (BCMS), BS 25999 [5], are two standard management systems that can be described by a Deming cycle, which consists of a closed loop. The Deming cycle appears to be similar to the technical control loops of DES theory, although significant differences between the two systems are also present. This paper examines the extent to which the theory of control loops can be transferred to technical management systems, including socio-technical systems, that can be described by a Deming cycle. In particular, this paper examines general guidelines by which management systems may be classified, according to their properties. As we will show, control behavior is largely influenced by the balance struck between the opposing objectives of effectiveness and efficiency. This paper evaluates the interpretation of management systems (ISMS, BCMS) as a type of balance system similar to systems described by DES theory. We conclude that the analogy is useful, and that findings from DES theory can be applied to management systems.

This paper is divided into five sections. Section 2 provides an overview of the relevant literature. Section 3 discusses control loops for technical systems, with consideration for both static and dynamic policies. A formal method for describing management systems, based on dynamic policies, is developed. Section 4 discusses the similarities and differences between technical and socio-technical feedback loops. A selection of management standards is discussed in terms of control loops. We conclude in section 5 with a brief summary of the significant results, remaining research questions, and a perspective on future work.

II. Control circuits for technical systems

This section discusses control circuits for technical systems. In this context, the temporal behavior of the control loop for technical systems, which can be described by first-order differential equations, is not of interest. Instead, we shall treat the discrete behavior of control circuits for technical systems, which can be expressed using an algebraic formulation. Under these circumstances, the classical control theory, which is limited to single-input and single-output (SISO) system designs, is sufficient. Systems that evolve continuously in time can be related to discrete systems via a Laplace transform. The equations for the standard control loop are Laplace transforms, and, therefore, are algebraic equations. The suffix (s) indicates the transformation. The reader is referred to the literature for further details, e.g., [6]. The next subsection discusses the transition from dynamic policies to control loops, with an introduction of the properties of control loops.

A. From static/dynamic policies toward control circuits

Static policies determine the state of a process, system, or object. The state space of a process can be moulded by certain policy conditions that define the acceptable conditions for a system. Static policies either allow or disallow system states. If a process is modeled as a deterministic I/O automaton (A) with no restrictions on states or state transitions, such a process can be represented as a 6-tuple, which includes three sets, two functions, and the initial state:

$$A = \{\hat{Z}, V, W, f, g, \hat{z}_0\}, \quad (1)$$

where

$\hat{Z}$ = state set with state values $\{\hat{z}_0, \ldots, \hat{z}_n\} \in \hat{Z}$;
$V$ = set of input values (input alphabet) $\{v_0, \ldots, v_n\} \in V$;
$W$ = set of output values (output alphabet) $\{w_0, \ldots, w_n\} \in W$;
$f$ = state transition function, where $f : \hat{Z} \times V \to \hat{Z}$;
$g$ = output function, where $g : \hat{Z} \times V \to W$;
$\hat{z}_0$ = initial state.

Fundamental to the concept of state space for a DES is that a time sequence $k$ of the output values $w(k)$ is causally related to the input values $v(k)$. Causality allows a state space or state space model to be defined as follows:

$$\hat{z}(k+1) = f(\hat{z}(k), v(k)), \quad \text{for } k = 0, 1, 2, 3, \ldots \text{ and } \hat{z}(0) = \hat{z}_0;$$
$$w(k) = g(\hat{z}(k), v(k)). \quad (2)$$

The causal relationship between input values and output values of this state space allows this system to be classified as a deterministic I/O automaton. If a static policy for an I/O automaton is defined, the set of all possible input values is reduced to only the acceptable (acc) input values. A static policy takes the general form of $v(k) \in V_{acc}$ and $V_{acc} \in V$,

$$V_{acc} = \{v_0, \ldots, v_n\}_{acc} \text{ and } V_{acc} \in V. \quad (3)$$

The state space, therefore, is restricted, and the number of output symbols is also reduced, (4)

For technical systems and technical processes, static policies are often sufficient. For authentication and network management, however, static policies are often insufficient [7], [8]. In these environments, dynamic policies have been developed. Dynamic policies are more flexible in terms of the restrictions imposed on input and output values, and, therefore, introduce more flexibility into the state space. Flexibility can be achieved in two ways. First, for a given time sequence $k_0$, a subset of the disallowed values may be excepted from rejection. A dynamic policy may be defined by extending Eq. 3,

$$v(k_0) \in V_{acc}. \quad (5)$$

Secondly, flexibility with respect to content is achieved if a state is accepted (acc) under certain conditions and for certain input values. A dynamic policy may be defined by extending Eq. 3,

$$v'(k) \in V_{acc}. \quad (6)$$
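The following is an added example (not code from the paper) that puts Eq. 1 to Eq. 6 into runnable form: a deterministic I/O automaton with the sets and functions of Eq. 1, stepped according to Eq. 2, and driven under a static policy (Eq. 3), a dynamic policy with a temporal exception at a tick $k_0$ (Eq. 5), and a dynamic policy with a content condition (Eq. 6). The service automaton, its alphabets, the policies and the input scenario are all constructed for this illustration.

```python
"""Deterministic I/O automaton (Eq. 1 and Eq. 2) driven under a static policy
(Eq. 3) and the two kinds of dynamic policy (Eq. 5, Eq. 6).

Added illustration; the automaton, its alphabets and the policies below are
constructed for this example and are not taken from the paper.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

State = str
Input = str
Output = str


@dataclass
class IOAutomaton:
    """A = {Z, V, W, f, g, z0}: three sets, two functions and an initial state (Eq. 1)."""
    Z: Set[State]
    V: Set[Input]
    W: Set[Output]
    f: Dict[Tuple[State, Input], State]    # state transition function f: Z x V -> Z
    g: Dict[Tuple[State, Input], Output]   # output function g: Z x V -> W
    z0: State

    def step(self, z: State, v: Input) -> Tuple[State, Output]:
        """One clock tick of Eq. 2: z(k+1) = f(z(k), v(k)) and w(k) = g(z(k), v(k))."""
        return self.f[(z, v)], self.g[(z, v)]


# A policy decides whether the input v(k) arriving at tick k in state z(k) is admitted.
Policy = Callable[[int, State, Input], bool]


def static_policy(v_acc: Set[Input]) -> Policy:
    """Eq. 3: v(k) must lie in V_acc, independent of time and state."""
    return lambda k, z, v: v in v_acc


def temporal_policy(v_acc: Set[Input], k0: int, excepted: Set[Input]) -> Policy:
    """Eq. 5: at tick k0 a subset of the otherwise disallowed inputs is excepted from rejection."""
    return lambda k, z, v: v in v_acc or (k == k0 and v in excepted)


def content_policy(v_acc: Set[Input], condition: Callable[[State, Input], bool]) -> Policy:
    """Eq. 6: an input v'(k) outside V_acc is accepted when a condition on the state holds."""
    return lambda k, z, v: v in v_acc or condition(z, v)


def run(aut: IOAutomaton, inputs: List[Input], policy: Policy) -> List[Tuple[int, State, Input, Output]]:
    """Drive the automaton; an input the policy rejects leaves the state unchanged and yields 'rejected'."""
    trace, z = [], aut.z0
    for k, v in enumerate(inputs):
        if v not in aut.V:
            raise ValueError(f"{v!r} is not in the input alphabet V")
        if policy(k, z, v):
            z_next, w = aut.step(z, v)       # admitted: the automaton decides the outcome
        else:
            z_next, w = z, "rejected"        # filtered by the policy before reaching the automaton
        trace.append((k, z, v, w))
        z = z_next
    return trace


# Constructed example: a small service whose 'elevate' input raises privilege.
STATES: Set[State] = {"idle", "authenticated", "elevated"}
INPUTS: Set[Input] = {"login", "read", "elevate", "logout"}
OUTPUTS: Set[Output] = {"ok", "denied", "rejected"}


def _tables() -> Tuple[Dict[Tuple[State, Input], State], Dict[Tuple[State, Input], Output]]:
    f, g = {}, {}
    for z in STATES:
        for v in INPUTS:
            f[(z, v)], g[(z, v)] = z, "denied"          # default: stay in the state, deny
    f[("idle", "login")], g[("idle", "login")] = "authenticated", "ok"
    for z in ("authenticated", "elevated"):
        g[(z, "read")] = "ok"
        f[(z, "logout")], g[(z, "logout")] = "idle", "ok"
    f[("authenticated", "elevate")], g[("authenticated", "elevate")] = "elevated", "ok"
    return f, g


F_TABLE, G_TABLE = _tables()
SERVICE = IOAutomaton(STATES, INPUTS, OUTPUTS, F_TABLE, G_TABLE, "idle")
V_ACC: Set[Input] = {"login", "read", "logout"}        # static policy: elevation is never admitted
SCENARIO: List[Input] = ["login", "elevate", "read", "logout", "elevate"]


def outputs(policy: Policy) -> List[Output]:
    """Output sequence w(0..4) of the constructed scenario under a given policy."""
    return [w for (_, _, _, w) in run(SERVICE, SCENARIO, policy)]


if __name__ == "__main__":
    print("static  :", outputs(static_policy(V_ACC)))
    print("temporal:", outputs(temporal_policy(V_ACC, k0=4, excepted={"elevate"})))
    print("content :", outputs(content_policy(V_ACC, lambda z, v: v == "elevate" and z == "authenticated")))
```

The trace makes the difference between a policy rejection and an automaton output visible: under the temporal exception the fifth input reaches the automaton but is answered with "denied" by $g$, because the state at that tick is `idle`, whereas the content policy admits elevation exactly when the state condition holds and rejects it otherwise.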

Eq. 5 and Eq. 6 may also be combined to allow for both temporal and content flexibility. This type of policy is relevant to a wide range of applications, e.g., [7], [8]. The disadvantage of these three types of policies (Eqs. 3, 5, 6) is that the systems include no feedback for effectiveness. Feedback is especially desirable in the field of security, which encompasses the specific system design goals of protecting confidentiality, availability, and integrity. Feedback acts on the input values $v(k)$ and introduces corrections. If this type of policy is described by an I/O automaton, one obtains the graph shown in Fig. 1, in which a policy containing feedback defines the behavior of a simple linear standard control loop (s) for a single-input single-output system (SISO). The transfer function $G(s)$ of the correction device $K(s)$ governs the deviation $d(k) \in D$, and the perturbation $e(k) \in E(s)$ falls in the range $u(k) \in U(s)$. Linear transfer elements were processed for a unilateral standard control loop, as shown in Fig. 1. This feedback always guarantees that a state $Z$ acting on a deviation (fault) is corrected, enabling the standard control loop for a SISO system to be described as follows:

$$W(s) = G(s)U(s); \quad U(s) = K(s)E(s); \quad E(s) = V(s) - W(s). \quad (7)$$

Fig. 1: Regular control loop as an I/O automaton. (Figure labels: reference signal $v(k)$; control deviation $e(k)$; controller (c) with $K(s)$; control value $u(k)_c = v(k) - e(k)$; actuator (a) with output $u(k)_a$; plant (p) with $G(s)$, perturbation $d(k)$ and process value $w_p(k)$; process value $w(k)$; sensor (s) with measured value $w(k)_s$; leadership transfer function $G_v(s)$.)

The properties of the correction device $K(s)$ and the general set point function $G_v(s)$ can be derived from Eq. 7; for this derivation only, we presume the deviation $d(k) = 0$:

$$G_v(s) = \frac{W(s)}{V(s)} = \frac{G(s)U(s)}{E(s) + W(s)} = \frac{G(s)K(s)E(s)}{E(s) + G(s)K(s)E(s)}. \quad (8)$$

Solving Eq. 8 yields an expression for the leadership transfer function $G_v(s)$,

$$G_v(s) = \frac{G(s)K(s)}{1 + G(s)K(s)}. \quad (9)$$

Similarly, Eq. 9 allows the correction device $K(s)$, also known as an actuator, to be expressed as

$$K(s) = \frac{U(s)}{E(s)} = \frac{W(s)}{G(s)\,(V(s) - W(s))}. \quad (10)$$

The elements illustrated in Fig. 1 can now be expressed in a general form, allowing definition of a standard control loop with four elements: plant (p), sensor (s) (measuring unit), controller (c), and actuator (a), as shown in Fig. 2. Feedback in this control loop is implemented by means of a deviation sensor, which passes the relevant values to the regulator (controller). The controller prepares a correction, which is passed to the actuator. The actuator acts on the control system (plant). In this sequence, the plant is checked and, if necessary, an intervention is made in the event of perturbation (d). For purely technical systems, rule movements are often prescribed to operate within a given context. The elements of Fig. 2 are defined according to Eq. 9 and Eq. 10, yielding a transfer function $G(s)$ and a correction function $K(s)$:

$$K(s) = \{\text{controller}, \text{actuator}\}; \quad G(s) = \{\text{plant}, \text{sensor}\}. \quad (11)$$

Fig. 2: Regular control loop enhanced with a plant and a sensor.
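As an added illustration of Eq. 7 to Eq. 9 (not code from the paper), the loop can be simulated tick by tick. The assumption made here is that the plant $G$ and the corrector $K$ are reduced to constant gains with one tick of delay between control value and process value, so the Laplace-domain relations of Eq. 7 become the recurrence $e(k) = v(k) - w(k)$, $u(k) = K e(k)$, $w(k+1) = G u(k) + d(k)$. With an additive perturbation $d(k)$ the simulation shows how the loop returns to the set point predicted by $G_v$ of Eq. 9, and how many ticks it needs to do so.

```python
"""Discrete-time simulation of the SISO standard control loop of Eq. 7 and its
leadership transfer function G_v of Eq. 9.

Added illustration, not code from the paper. Assumption: plant G and corrector K
are constant gains (a proportional loop with one tick of delay), so the
Laplace-domain relations of Eq. 7 become a per-tick recurrence.
"""
from dataclasses import dataclass
from typing import List, Sequence


@dataclass
class LoopState:
    k: int
    v: float   # reference signal v(k)
    e: float   # control deviation e(k) = v(k) - w(k)
    u: float   # control value u(k) = K e(k)
    w: float   # process value w(k) as seen by the sensor at tick k


def leadership_gain(G: float, K: float) -> float:
    """Eq. 9 with constant gains: G_v = G K / (1 + G K)."""
    return G * K / (1.0 + G * K)


def simulate(G: float, K: float, v: Sequence[float], d: Sequence[float], w0: float = 0.0) -> List[LoopState]:
    """Run the loop: the sensor reads w(k), the controller forms e(k) and u(k), the plant answers a tick later.

    w(k+1) = G u(k) + d(k)   (plant plus additive perturbation; constructed model)
    """
    if len(v) != len(d):
        raise ValueError("reference and perturbation sequences must have equal length")
    states: List[LoopState] = []
    w = w0
    for k in range(len(v)):
        e = v[k] - w               # E = V - W   (Eq. 7)
        u = K * e                  # U = K E     (Eq. 7)
        states.append(LoopState(k, v[k], e, u, w))
        w = G * u + d[k]           # W = G U, plus the perturbation acting on the plant
    return states


def steady_state_ratio(G: float, K: float, ticks: int = 60) -> float:
    """w/v after `ticks` undisturbed steps with unit reference; approaches G_v when |G K| < 1."""
    return simulate(G, K, [1.0] * ticks, [0.0] * ticks)[-1].w


def recovery_ticks(G: float, K: float, hit_at: int, size: float, tol: float = 1e-3, ticks: int = 60) -> int:
    """Ticks needed, after one perturbation of `size` at tick `hit_at`, for w to be back within tol of G_v.

    Returns -1 if the loop has not recovered within the simulated horizon.
    """
    d = [0.0] * ticks
    d[hit_at] = size
    target = leadership_gain(G, K)
    for st in simulate(G, K, [1.0] * ticks, d):
        if st.k > hit_at and abs(st.w - target) < tol:
            return st.k - hit_at
    return -1


if __name__ == "__main__":
    G, K = 0.5, 1.0
    print("G_v =", leadership_gain(G, K))
    print("w/v after 60 ticks =", steady_state_ratio(G, K))
    print("ticks to recover from a perturbation of 0.4 =", recovery_ticks(G, K, hit_at=10, size=0.4))
```

With $G = 0.5$ and $K = 1$ the loop settles at $w/v = G_v = 1/3$, and a perturbation of $0.4$ is halved every tick, so the process value is back within $10^{-3}$ of the set point after ten ticks; a larger loop gain $GK$ closer to $1$ slows the recovery, and $|GK| \ge 1$ makes this constant-gain model oscillate or diverge.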

We next define a management system consisting of a control loop with four elements and a feedback loop, based on the PDCA cycle (see Fig. 3). Eq. 11 defines the management equation, i.e., the correction function $K(s)$ and the internal transfer function $G(s)$ of the management system. The (internal) transfer function $G(s)$ acts on the plant. The correction device $K(s)$ acts as a control variable. As is shown in the next section, a bisimulation can be defined between a management system that follows the PDCA cycle and a management system that can be described by a control circuit.

B. Bisimulation between a standard automaton and the Deming cycle

The standard management systems (ISMS, BCMS, ITSM) are based on the Deming cycle with the four phases, Plan–Do–Check–Act. The PDCA cycle was designed to monitor and correct imperfections in socio-technical systems through feedback [9]. If the four phases are interpreted as states, the PDCA cycle can be shown to generate a standard automaton. Fig. 3 sketches the Deming cycle as a state transition diagram. The four phases are presented as states $z_{(1,\ldots,4)} \in Z$, and the state transitions are presented as events $\sigma_{(1,\ldots,4)}$. $\sigma_0$ indicates the initial event in Fig. 3. The final state $Z_F$ is provided for the standard state automaton, but may not exist as a single state because the system undergoes a continuous improvement process, represented as a cycle (loop). Transitions $\delta$ allow the system to change state, as indicated by $z_1 \xrightarrow{\sigma_1} z_2$, and the successor state is determined by the transition function $z' = \delta(z, \sigma)$.

Fig. 3: PDCA cycle presented as a discrete event system. (States: $z_1$ = Plan, $z_2$ = Do, $z_3$ = Check, $z_4$ = Act; the initial event $\sigma_0$ leads into $z_1$; the events $\sigma_1, \sigma_2, \sigma_3, \sigma_4$ drive the cycle Plan → Do → Check → Act → Plan.)

The Deming cycle can be described by a standard automaton ($D$) as

$$D = \{Z, \Sigma, \delta, z_0, Z_F\}, \quad \text{where } Z = \{z_1, z_2, z_3, z_4\},\ \Sigma = \{\sigma_1, \sigma_2, \sigma_3, \sigma_4\},\ z_0 = z_1,\ Z_F = z'_1. \quad (12)$$

The state transition function $\delta$ can be expressed as

$$\delta : Z \times \Sigma \longrightarrow Z. \quad (13)$$

Improvement is achieved if $Z_F = 1' \neq 1$, such that $z_1 \neq z'_1$ in the Deming cycle. This improvement criterion, applied over $n$ cycles, yields a final stable state. As discussed in [10], this condition produces a balance in the system that can be interpreted as an equilibrium state, i.e., the state of the system no longer changes. The Deming cycle is, then, balanced. For this case, $Z_F = 1$. The Check (check for improvements) and Act (perform improvements) functions are responsible for attaining the equilibrium state. In an ideal case, the system reaches equilibrium after a certain period of time.

In general, one I/O automaton, as shown in Eq. 1, may be converted into a standard automaton. To this end, we define $\hat{\Sigma} = \{V, W\}$ and $v/w = \hat{\sigma}$, where $\hat{\sigma}$ is a discrete event in the event set $\hat{\Sigma}$, and the final state is denoted by $\hat{z}_F \in \hat{Z}$. The relation is then successively applied. A discrete event that shows a state change from $\hat{z}$ to $\hat{z}'$ is given by $\hat{\sigma}$ and is described by $\hat{z} \xrightarrow{\hat{\sigma}} \hat{z}'$. The transition function is given by $\hat{\delta}$. This process allows conversion of the I/O automaton described in Eq. 1 into a standard quintuple automaton, analogous to Eq. 12,

$$\hat{A} = \{\hat{Z}, \hat{\Sigma}, \hat{\delta}, \hat{z}_0, \hat{z}_F\}. \quad (14)$$

If we define a standard automaton $\hat{A}$ with four states, it follows that $\hat{Z} = \{\hat{z}_1, \hat{z}_2, \hat{z}_3, \hat{z}_4\}$, $\hat{\Sigma} = \{\hat{\sigma}_1, \hat{\sigma}_2, \hat{\sigma}_3, \hat{\sigma}_4\}$, $\hat{\delta} : \hat{Z} \times \hat{\Sigma} \longrightarrow \hat{Z}$, $\hat{z}_0 = \hat{z}_1$, $\hat{Z}_F = \hat{z}'_1$. The two machines can be compared based on the similarity and equivalence of the response behavior. Here, the similarity is determined only by the input and output values of the automaton. This type of similarity is called interface equivalence. The interface equivalence will not be discussed further here in favor of discussion of the bisimulation. According to the axiom of Milner, two states are considered equal if they cannot be distinguished by (a combination of) observations [11]. A bisimulation between two objects is, thus, a transition system that reproduces an observed behavior that is identical for two objects. If a relation exists between the states of the Deming quintuple $D$ and a standard automaton $\hat{A}$, then the bisimulation $S_{\hat{A},D}$ applies, such that

$$S_{\hat{A},D} \subset \hat{A} \times D. \quad (15)$$

Here, $Z_D$ and $\hat{Z}_{\hat{A}}$ indicate the state sets of the two automata $D$ and $\hat{A}$. Eq. 15 shows the relation between the automata $\hat{A}$ and $D$. The simulation relation $S_{\hat{A},D}$ maps the states of the automaton $D|z_1$ and $\hat{A}|\hat{z}_1$ in the sense that the second of the pair, e.g., $(z_1, \hat{z}_1) \in S$, is simulated by the first, and, therefore, $z_1 \sim \hat{z}_1$ applies. The number of states may be different in the two machines, but this does not present a contradiction within the relation $S$. If $D|z_i$ and $\hat{A}|\hat{z}_j$ are equivalent for all input sequences $k$, they are called $k$-equivalent. In the Deming cycle, $k = 4$ (see Fig. 3). The $k$-equivalent states are also $l$-equivalent for all $l \le k$. Nonequivalent states are called distinguishable. All states that are distinguishable by input sequences of length $k$ are $k$-distinct.

In this section, we have shown that a Deming cycle may be expressed as a quintuple (see Eq. 12), and this behavior may be compared with any other automaton, such as $\hat{A}$ (see Eq. 14), by the bisimulation function $S$ (see Eq. 15). In the following sections, we will convert the control circuits of each of the management systems (ISMS, BCMS, and ITSM) into the standard automata $\hat{A}_{ISMS}$, $\hat{A}_{BCMS}$, and $\hat{A}_{ITSMS}$; subsequently, we will study their equivalence to the Deming standard automaton $D$.

III. Control circuits for management systems

In this section, we discuss control loop elements and management systems and show their equivalence to state machines with feedback. This equivalence is achieved through application of the PDCA cycle of a management system to a state machine with feedback (loop-induced). We show the equivalence between the PDCA cycle and the elements of a standard control loop for the ISO 27001 and BS 25999 standard systems. In the first and second subsections, we show the equivalence of ISO 27001 and BS 25999 for the management system. To do so, we discuss selected control and management elements of ISO 27001 and BS 25999. Finally, in the last subsection, we define a target function for the control value such that management systems can be classified as first- or second-order according to this property. Management systems defined in ISO 27001 and BS 25999 can be regarded as socio-technical systems. Socio-technical systems are different from technical systems in that socio-technical systems include a subject's contribution to the process.
We hypothesize that control loops that are closely linked to the value chain of a company (such as companies operating under ISO 27001 or BS 25999) must be well-organized with respect to the controller, sensor, and actuator, similar to the organization implemented in engineering control loops. If this were not the case, the value chain would not have the requisite stability. For now, tight organization of the value chain (where "tight" is characterized by the risks and dependencies of the supply chain) is a basic requirement for existence in the market. Consequently, management requires the installed systems, which secure the supply chain, to be as tightly organized and well-behaved as a technical control loop. Socio-technical systems must consist of a controller, sensor, and actuator developed specifically for each individual company, because value chains differ from company to company. The behavior of the controller, sensor, and actuator in a socio-technical system can be studied given the equivalency of the management systems and the control loop (state machine with feedback).

In the next section, we discuss selected standards for management systems from the viewpoint of DES theory. We will also examine the two standards, ISO 27001 and BS 25999. The standards are connected through risk analysis, as was shown in [12]. If a preventative treatment must be designed based on the risks, management systems under ISO 27001 (ISMS) are favored. However, if the cost-benefit risks must be managed in a response-based manner, management systems under BS 25999 must be installed in the company. If the risks are low but have potentially significant effects on the value chain, a management system under the BS 25999 standard is preferred.

A. Control circuit for ISO 27001 (ISMS)

In essence, an ISMS follows a PDCA cycle, as shown in Fig. 3. However, if the control loop elements of an ISMS are transferred to elements of a control loop, we obtain the control loop shown in Fig. 4. This representation illustrates the four elements of a Deming cycle management system and the four elements of a control circuit. Fig. 4 illustrates a reference signal (setpoint) $v(k)$ within a loop that maintains the requirements for confidentiality, integrity, and availability (CIA) at a predefined level. The current security level $w(k)$ is generated by the disturbance ($d$) acting on the plant (controlled system). The sensor(s) measure the current security level, denoted by $w(k)_s$. The controller is adjusted by means of the reference signal $v(k)$ to restore the previously defined level of security. As a corrective measure, the signal $u(k) = v(k) - e(k)$ is created. This signal reflects the updating of the current security policy. The actuator specifies measures and implements procedures and working instructions. The signal $u(k)_A$ indicates the corrected signal, which acts on the plant to eliminate the perturbation ($d$).

Fig. 4: Control circuit for ISMS. (Figure labels: reference signal $v(k)$ = predefined level of CIA; control deviation $e(k)$; controller = development of the SoA (ISO 27005); control value $u(k) = v(k) - e(k)$ = update of the security policy; actuator = controls of ISO 27002, Act phase (update procedures, working lists, etc.), output $u(k)_A$; plant = critical value chain, acted on by the perturbation $d$; process value $w(k)$ = actual level of CIA; sensor = Check phase, auditing, KPI, measured value $w(k)_s$; leadership transfer function $G_v(s)$.)

We will now investigate the equivalency between the standard Deming cycle automaton $D$ and the standard closed loop automaton $\hat{A}_{ISMS}$, in accordance with Eq. 15. During conversion of the control loop into a standard automaton $\hat{A}_{ISMS}$, we defined the four states $\hat{z}_1$ = controller, $\hat{z}_2$ = actuator, $\hat{z}_3$ = plant, and $\hat{z}_4$ = sensor (see Fig. 4). The four states of $\hat{A}_{ISMS}$ are compared with the standard Deming cycle automaton using Eq. 15,

$$(z_1, \hat{z}_1) \in S = z_1 \sim \hat{z}_1, \quad (z_2, \hat{z}_2) \in S = z_2 \sim \hat{z}_2, \quad (z_3, \hat{z}_4) \in S = z_3 \sim \hat{z}_4, \quad (z_4, \hat{z}_2) \in S = z_4 \sim \hat{z}_2. \quad (16)$$

Clearly, Eq. 16 can be interpreted from the perspective of the standard automaton $D$ as follows:

State 1: Plan → Statement of applicability (SoA) (risk analysis according to ISO 27005) → controller;
State 2: Do → implement measurements (ISO 27002) → actuator;
State 3: Check → check phase → sensor;
State 4: Act → act phase, corrective action → actuator.

It is evident from Eq. 16 and the framed states listed above that a bisimulation does not exist for all $k$-states of the Deming cycle ($k = 4$). For instance, no bisimulation exists for the state $\hat{z}_3$. This indicates that the plant cannot be directly represented by the Deming cycle. The plant is defined only implicitly by the scope of each standard. The scope of an ISMS (ISO 27001) describes the value chain of a company, which is the plant. In contrast with control system engineering, the controlled system (plant) is part of the standard automaton. Consequently, only an $l$-equivalence exists, because the state $\hat{z}_{k=3}$ is distinguishable. From the viewpoint of DES theory, these four phases compose a control loop, as shown in Fig. 4. We assume that a linear control loop exists that can express the management system in terms of the executive function $G(s)$ and the correction device $K(s)$,

$$G(s) = \{\text{critical value chain, KPI, sensor}\}; \quad K(s) = \{\text{SoA, controls}\}. \quad (17)$$

B. Control circuit for BS 25999 (BCMS)

A business continuity management (BCM) process is a holistic management process that identifies potential threats to an organization, provides a framework for building resilience, and confers the capacity for an effective response to safeguard the interests of the company's shareholders, as well as its reputation, brand, and value [5], [13]. A BCMS relies on BCM principles that manage rare business risks that may have a huge impact on a company. The BCMS is capable of building a response under extreme circumstances (catastrophic events) using pre-defined plans: the business continuity plan (BCP) and the disaster recovery plan (DRP). The standards for BS 25999 define the control system, which constitutes the critical business processes that are vital for keeping a company alive. An interruption (as in an emergency or catastrophe) of these processes can be tolerated only for a short period of time, defined as the maximum tolerable period of disruption (MTPD). This period of time constitutes an ultimate boundary for a company and decides the company's survival. If this ultimate limit is exceeded, the company is irretrievably lost. The relation between critical activities and the value chain is determined by the Business Impact Analysis (BIA). Within the BIA, the dependent critical resources (key stakeholders, key products, key services) and their importance to the critical activities (core processes of the value chain) are analyzed.

Fig. 5 illustrates BS 25999 as a control circuit. This control circuit follows the PDCA cycle shown in Fig. 3. The four phases of the PDCA cycle and the elements of the control loop are shown in Fig. 5. The reference signal (setpoint) $v(k)$ in the first line of Fig. 5 represents the availability requirements of the controlled system (emergency procedures). During a training event, if one of the Key Performance Indicator (KPI) signals $w(k)$ suggests that the processes of BCP/DRP do not meet the short period of the MTPD (reference signal $v(k)$), a correction signal must be made via the controller, $u(k) = v(k) - e(k)$, which signals the actuator $u(k)_a$.

Fig. 5: Control circuit for BCMS. (Figure labels: reference signal $v(k)$ = predefined MTPD of each business process; deviation signal $e(k)$; controller = BIA/ISO 27005, BC plan/DR plan, control signal $u(k) = v(k) - e(k)$ = update BCP/DRP; actuator = controls, processes, procedures (improvement of BCP/DRP), output $u(k)_a$; plant = emergency processes, acted on by the perturbation $d$, with $w_p(k)$; process value $w(k)$ = actual behavior of the emergency processes; sensor = KPI, measured value $w(k)_s$.)

We now investigate the equivalency between the standard Deming cycle automaton $D$ and the standard closed loop automaton $\hat{A}_{BCMS}$ according to Eq. 15. During conversion of the control loop into the standard automaton $\hat{A}_{BCMS}$, we again defined the four states as $\hat{z}_1$ = controller, $\hat{z}_2$ = actuator, $\hat{z}_3$ = plant, and $\hat{z}_4$ = sensor for a control circuit for BCMS (see Fig. 5). If the four states of $\hat{A}_{BCMS}$ are compared with the standard Deming cycle automaton using Eq. 15,

$$(z_1, \hat{z}_1) \in S = z_1 \sim \hat{z}_1, \quad (z_2, \hat{z}_2) \in S = z_2 \sim \hat{z}_2, \quad (z_3, \hat{z}_4) \in S = z_3 \sim \hat{z}_4, \quad (z_4, \hat{z}_2) \in S = z_4 \sim \hat{z}_2. \quad (18)$$

Clearly, Eq. 18 can be interpreted from the perspective of the standard automaton $D$ as follows:

State 1: Plan → BIA and risk analysis according to ISO 27005 → controller;
State 2: Do → exercises of BCP and DRP → actuator;
State 3: Check → performance of the exercises against the MTPD → sensor;
State 4: Act → act phase, corrective action → actuator.

It is evident from Eq. 18 and the framed states listed above that a bisimulation does not exist for all $k$-states of the Deming cycle ($k = 4$). For instance, no bisimulation exists for the state $\hat{z}_3$. This indicates that the plant is not directly represented by the Deming cycle. The plant is defined only implicitly by the scope of each standard. The scope of a BCMS in accordance with BS 25999 depends strongly on the value chain of the company. In contrast with control system engineering, the controlled system (plant) is part of the standard automaton. Consequently, only an $l$-equivalence may exist, because the state $\hat{z}_{k=3}$ is distinguishable. From the viewpoint of DES theory, these four phases form a control loop, as shown in Fig. 5, which shows this loop as an automaton graph. We assume that a linear control loop exists that can guide management through the function $G(s)$ and express a correction device $K(s)$,

$$G(s) = \{\text{emergency processes, KPI}\}; \quad K(s) = \{\text{ISO 27005, BIA, BCP, DRP, controls, etc.}\}. \quad (19)$$

Similarly, it can be shown that a BCM ultimately approaches an equilibrium state. The BCM then balances the risk and potential harm (insolvency), analyzed by a BIA, with the costs of the BCP and DRP, as discussed in [14].
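The following is an added example (not the paper's own code) that checks the relation $S$ of Eq. 16 and Eq. 18 mechanically against the two four-state cycles, the Deming automaton $D$ of Eq. 12 and the closed-loop automaton $\hat{A}$ of Eq. 14 with states controller, actuator, plant and sensor. The check applied is a one-step simulation test, i.e., for each pair in $S$ every successor of the Deming state must be matched by a successor of the loop state that is again related by $S$; that reading of a simulation relation, the lock-step prefix measure, and the identity pairing used for comparison are this example's assumptions, not definitions from the paper. The output reproduces the paper's observation that the plant state $\hat{z}_3$ has no Deming counterpart, so only a short lock-step prefix of the two cycles stays inside $S$.

```python
"""The relation S of Eq. 15 between the Deming automaton D (Eq. 12) and a
closed-loop automaton A_hat (Eq. 14), checked mechanically.

Added illustration, not the paper's own code. Both automata are modelled as the
four-state cycles the paper describes. The test applied to S is a one-step
simulation check (every successor of the Deming state in a pair must be matched
by a successor of the loop state that is again related by S); this is this
example's reading of a simulation relation, not a definition taken from the paper.
"""
from typing import Dict, List, Set, Tuple

Pair = Tuple[str, str]
Successors = Dict[str, Set[str]]


def cycle(states: List[str]) -> Successors:
    """Successor map of a cyclic automaton z_1 -> z_2 -> ... -> z_n -> z_1."""
    return {s: {states[(i + 1) % len(states)]} for i, s in enumerate(states)}


# D: Deming cycle, z1..z4 = Plan, Do, Check, Act (Fig. 3, Eq. 12)
DEMING: Successors = cycle(["z1", "z2", "z3", "z4"])
# A_hat: control loop, zh1..zh4 = controller, actuator, plant, sensor (Fig. 4 and Fig. 5)
LOOP: Successors = cycle(["zh1", "zh2", "zh3", "zh4"])
ROLE: Dict[str, str] = {"zh1": "controller", "zh2": "actuator", "zh3": "plant", "zh4": "sensor"}

# S as stated for ISMS (Eq. 16) and BCMS (Eq. 18): (z1,zh1), (z2,zh2), (z3,zh4), (z4,zh2)
S_PAPER: Set[Pair] = {("z1", "zh1"), ("z2", "zh2"), ("z3", "zh4"), ("z4", "zh2")}
# Constructed comparison: a state-by-state pairing of the two cycles
S_IDENTITY: Set[Pair] = {("z1", "zh1"), ("z2", "zh2"), ("z3", "zh3"), ("z4", "zh4")}


def uncovered_loop_states(S: Set[Pair], loop: Successors) -> Set[str]:
    """Loop states to which no Deming state is related by S."""
    return set(loop) - {zh for (_, zh) in S}


def simulation_violations(S: Set[Pair], d: Successors, loop: Successors) -> List[Pair]:
    """Pairs (z, zh) in S where some successor of z has no S-related successor of zh."""
    bad: List[Pair] = []
    for (z, zh) in sorted(S):
        for z_next in d[z]:
            if not any((z_next, zh_next) in S for zh_next in loop[zh]):
                bad.append((z, zh))
                break
    return bad


def equivalent_prefix_length(S: Set[Pair], d: Successors, loop: Successors,
                             z0: str = "z1", zh0: str = "zh1", k: int = 4) -> int:
    """Lock-step transitions from the initial states after which the pair is still in S (at most k).

    A relation that survives all k transitions matches the paper's k-equivalence; a smaller
    value corresponds to an l-equivalence for some l below k. Returns -1 if the initial
    pair itself is not in S.
    """
    z, zh = z0, zh0
    if (z, zh) not in S:
        return -1
    length = 0
    while length < k:
        z, zh = next(iter(d[z])), next(iter(loop[zh]))   # both cycles are deterministic
        if (z, zh) not in S:
            break
        length += 1
    return length


if __name__ == "__main__":
    print("loop states without a Deming partner:",
          {ROLE[s] for s in uncovered_loop_states(S_PAPER, LOOP)})
    print("one-step simulation violations:", simulation_violations(S_PAPER, DEMING, LOOP))
    print("lock-step prefix that stays in S:", equivalent_prefix_length(S_PAPER, DEMING, LOOP))
```

For the paper's pairing the plant is the only uncovered loop state, the pairs $(z_2, \hat{z}_2)$, $(z_3, \hat{z}_4)$ and $(z_4, \hat{z}_2)$ fail the one-step check because their successors run into the plant or skip it, and the lock-step walk from the initial states stays inside $S$ for one transition only; the constructed identity pairing, by contrast, passes for the full cycle of $k = 4$.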

C. Differences between a first and second order management system This section discusses the classification of management systems using the target function. The equations describing the linear control loop of an ISMS (Eq. 17) or a BCM (Eq. 19) produce different compensation behaviors after an incident, depending on the design of the controller and actuator. Management systems can be divided into two classifications based on the way in which interference from the controller and actuator are compensated: Def. 1:

Def. 2:

A first-order management system describes the compensation behavior after a disturbance in a socio-technical system. A second-order management system meets the conditions of a first-order management system and also satisfies other requirements. Compensation after the disruption is described by economic criteria. The controller operates under an overarching target function that affects the effectiveness and efficiency of compensation.

In this section, we investigate the compensation behavior of ISO 27001 and BS 25999 management systems in terms of first- or second-order system responses. Previous studies [12], [15], [16] have addressed the role of effectiveness and efficiency feedback in management systems. These studies presented a new discussion of security investment estimation based on the KPIs of effectiveness and economic efficiency. The two KPIs present a trade-off situation. Alignment in favor of one KPI is necessarily performed at the expense of the other. However, these studies did not derive a target function. Here, we derive a target function to define the requirements for a second-order management system based on the properties of effectiveness and efficiency.

The opposing system characteristics of effectiveness and efficiency can be formulated as an optimization task. Both levels are normalized to 1 and vary on the interval [0, 1], so that effectiveness and efficiency form the two legs (catheti) of a right triangle whose hypotenuse describes the trade-off between them. Fig. 6 illustrates this situation. The values of the effectiveness, $E_{fk} \in \{a, a', a''\}$ with $E_{fk} \in \mathbb{R}$, and of the efficiency, $E_{fz} \in \{b, b', b''\}$ with $E_{fz} \in \mathbb{R}$, in the interval [0, 1] turn this optimization problem into a graphic one. To illustrate the principle, Fig. 6 shows three rectangles. The first rectangle is delimited by the values $a, b$ and is marked by vertical hatching. The second rectangle is delimited by the values $a', b'$ and is transparent. The last rectangle is delimited by the values $a'', b''$. The optimization problem is solved by maximizing the area spanned by the rectangle inscribed in the triangle (see Fig. 6). The legs of the triangle are denoted by $a_0$ and $b_0$ (the maximum attainable effectiveness and efficiency); the sides of the rectangle under consideration are $a''$ and $b''$. With $E_{fz} = b''$ and $E_{fk} = a''$, $f$ is the area of the rectangle, and the target function is defined as the product of the lengths of its sides:

$$ f(a'', b'') = a'' \, b''. \qquad (20) $$

Maximizing the area of the rectangle delimited by $a'', b''$ (see Fig. 6) yields, from the similar triangles formed by the hypotenuse, the following relationship:

$$ \frac{a_0}{b_0} = \frac{a''}{b_0 - b''} \;\Longrightarrow\; a'' = \frac{a_0}{b_0}\,(b_0 - b''). \qquad (21) $$

Substituting the right side of Eq. 21 into Eq. 20 yields

$$ f(b'') = \frac{a_0}{b_0}\, b''\,(b_0 - b''). \qquad (22) $$

Because $f$ is a polynomial and therefore differentiable, it follows that

$$ f'(b'') = \frac{a_0}{b_0}\,(b_0 - 2b''). \qquad (23) $$

Any solution of $f'(b'') = 0$ is an extremum of $f$; here it is $b'' = b_0/2$, and since $f''(b'') = -2a_0/b_0 < 0$ this extremum is the maximum. The roots of $f$ itself, $b'' = 0$ and $b'' = b_0$, correspond to degenerate rectangles of zero area and are of no use. Substituting $b'' = b_0/2$ into Eq. 21 gives $a'' = a_0/2$, so the maximum of the target function is $f_{\max} = a_0 b_0 / 4$; with both KPIs normalized to 1, the optimum operating point of the management system is $E_{fk} = E_{fz} = 1/2$.

[Fig. 6: Defining the superordinated target function for a management system. Axes: $E_{fk}$ (effectiveness, 0 to 1, intercept $a_0$, marked values $a'$, $a''$) and $E_{fz}$ (efficiency, 0 to 1, intercept $b_0$, marked values $b'$, $b''$); three rectangles with sides $(a, b)$, $(a', b')$ and $(a'', b'')$ inscribed in the right triangle with legs $a_0$ and $b_0$.]

Finally, we summarize the importance of the target function for the operation of the control loop (compare Fig. 5 and Fig. 4) in the management systems discussed above, which were designed in accordance with the ISO 27001 and BS 25999 standards. The management system designed in accordance with ISO 27001 meets the requirements for a control loop, but the measurement of the effectiveness of the controls (see [4], ISO 27001, Section 4.2.2 d) does not explicitly specify economic efficiency. This system therefore only partially meets the requirements for a second-order management system. To fully meet them, the Check phase, the Act phase, the Statement of Applicability (SoA), and the target function must be defined in terms of both effectiveness and economic efficiency. Management systems that act on the value chain through their controller are meaningless if their controlled variable is not economically oriented. In contrast, management systems designed in accordance with BS 25999-2 and BS 25999-1 meet the requirements of a control loop and are designed under normative requirements for effectiveness and economic efficiency (see [13], Section 2.1.4). This requirement can be projected onto the controller or the actuator, i.e. the BCP and the DRP. Thus, a BCMS designed in accordance with BS 25999 meets the requirements listed under Def. 2 and can therefore be classified as a second-order management system.
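The optimization above can be turned into a control law for the second-order management system. The following Python block is an added worked example, not code from the paper: it encodes Eqs. 21 to 23 with the page's own symbols ($a_0$, $b_0$, $a''$, $b''$, $f$), confirms the closed-form optimum $b'' = b_0/2$, $a'' = a_0/2$ by grid search, and then iterates a Check/Act loop in which the controller reads the measured efficiency and moves the set-point uphill on $f$. The gradient-ascent control law, its gain, the clamping to $[0, b_0]$ and the starting point are assumptions of this example; the paper states only that the target function influences the controller, not how.

```python
"""Second-order management system driven by the target function of Eqs. 20-23.

Added example (not code from the paper). Assumptions, labelled as such:
  * a0 and b0 are the legs of the triangle in Fig. 6 (maximum attainable
    effectiveness E_fk and efficiency E_fz); the paper normalises both to 1.
  * The measured operating point lies on the hypotenuse, i.e. on the
    trade-off a'' = (a0/b0) * (b0 - b'') of Eq. 21.
  * The paper does not fix the controller's control law; here the Act
    phase moves the efficiency set-point by gradient ascent on f (Eq. 23).
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class TradeOff:
    """Right triangle of Fig. 6 with legs a0 (E_fk axis) and b0 (E_fz axis)."""
    a0: float = 1.0
    b0: float = 1.0

    def effectiveness(self, b: float) -> float:
        """Eq. 21: effectiveness a'' of the rectangle whose efficiency side is b''."""
        return self.a0 / self.b0 * (self.b0 - b)

    def target(self, b: float) -> float:
        """Eq. 22: area f(b'') = (a0/b0) * b'' * (b0 - b'') of the inscribed rectangle."""
        return b * self.effectiveness(b)

    def target_derivative(self, b: float) -> float:
        """Eq. 23: f'(b'') = (a0/b0) * (b0 - 2 b'')."""
        return self.a0 / self.b0 * (self.b0 - 2.0 * b)

    def optimum(self) -> tuple:
        """Closed form: f'(b'') = 0 gives b'' = b0/2 and hence a'' = a0/2."""
        b = self.b0 / 2.0
        return self.effectiveness(b), b


def grid_search_optimum(t: TradeOff, steps: int = 1000) -> tuple:
    """Brute-force check of the closed form: evaluate f on a grid over [0, b0]."""
    candidates = [i * t.b0 / steps for i in range(steps + 1)]
    best_b = max(candidates, key=t.target)
    return t.effectiveness(best_b), best_b


def act_step(t: TradeOff, b_measured: float, gain: float = 0.25) -> float:
    """One Check -> Act iteration of the loop (assumed gradient-ascent control law).

    The sensor reports the efficiency b'' reached in the Check phase; the
    controller evaluates f'(b'') and the actuator shifts the set-point uphill.
    The result is clamped to the admissible interval [0, b0].
    """
    b_new = b_measured + gain * t.target_derivative(b_measured)
    return min(max(b_new, 0.0), t.b0)


def run_pdca(t: TradeOff, b_start: float, iterations: int = 20, gain: float = 0.25) -> list:
    """Iterate the loop and return the trajectory of efficiency set-points."""
    history = [b_start]
    b = b_start
    for _ in range(iterations):
        b = act_step(t, b, gain)
        history.append(b)
    return history


if __name__ == "__main__":
    t = TradeOff()  # normalised case a0 = b0 = 1 as in the paper
    print("closed-form optimum (a'', b''):", t.optimum())
    print("grid-search optimum (a'', b''):", grid_search_optimum(t))
    # Constructed starting point (assumption): an ISMS tuned almost entirely
    # for effectiveness, i.e. most of the budget is spent on controls.
    for i, b in enumerate(run_pdca(t, b_start=0.1)):
        print(f"cycle {i:2d}: E_fz = {b:.4f}  E_fk = {t.effectiveness(b):.4f}  f = {t.target(b):.4f}")
```

Running the script prints the trajectory from the constructed starting point converging to the midpoint of the hypotenuse. The example goes slightly beyond the normalized case in the text: for arbitrary legs $a_0, b_0$ the optimum is still the midpoint $(a_0/2, b_0/2)$ with area $a_0 b_0/4$, so the balance between effectiveness and efficiency does not depend on how the two KPIs are scaled.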

IV. Related Work

Static and dynamic policies are widely used in computer science. The terminology of IETF RFC 3198 [17] applies, for example, to IP traffic management, QoS, and firewalls. Policy-based management systems allow the administrator to control resources using rules in the form of conditions, which may depend, e.g., on user, group, time of day, or network address. Conditional statements take the form "if <condition>, then <action>". Examples are presented in [7], [8], [18], [19]. Policies described by such statements are verified and validated as discussed in [20]. Static policies are an application of first-order predicate logic (PL1); however, such policies are insufficient for compliance proofs (e.g. SOX), as discussed in [21].

Historically (1939), management systems, or Plan-Do-Check-Act (PDCA) cycles, were first derived from statistical considerations, as discussed in [22], [23]. Made popular by [9], the cycles have since taken their name from Deming. The application of security policies to security management systems has, to our knowledge, not yet been presented in the literature. The relationships between management systems, PDCA cycles, and evaluation measurements have also not been extensively addressed. Measurement using key performance indicators (KPIs) was proposed in [21], [24]. Measurements of the effectiveness and efficiency of management systems are discussed in [12], [15], [16], with a focus on the behavior of systems designed under the ISMS and BCMS standards. These studies concluded that effectiveness and economic efficiency operate in opposition to one another and must be balanced in a stable system. For example, [16] showed that introducing a budget line turns the selection of controls into a knapsack problem, for which an iterative solution was derived using branch-and-bound procedures. The approach presented here was inspired by [15], [25], although a new type of policy is discussed here. This type of policy differs from the classical policies described previously in that it includes feedback. Policies with feedback are defined as management systems.

V. Conclusion and Future Work

The properties of static and dynamic policies are often explored in computer science. There are a number of situations in which policies play a significant role, and a theoretical treatment of these policies is useful. Here we have shown that the implementation of current policies is not necessarily adequate for meeting the requirements of today's enterprises. In particular, the field of information security often requires feedback on the effectiveness of a set of policies. The lack of such feedback is a disadvantage of both the classical static policies and the newer dynamic policies. In this paper, we have shown that dynamic policies can be expressed in DES theory as feedback control loops. It was shown that the control loops of DES theory for technical systems can be used to describe the behavior of socio-technical systems. These are known as management systems, and their behavior is equivalent to that of technical control loops. Two standards and two management systems (ISO 27001, BS 25999) were analyzed, along with the behavior of a PDCA cycle as a control loop. We demonstrated that these standards can be expressed using the control loops of DES theory. In addition, we developed an objective classification scheme for management systems. Management systems that respond to a perturbation using only a controller are defined as first-order management systems. Second-order management systems additionally use a superordinate target function that influences the controller. This target function is strictly economically oriented.
Future work will address the classification and control behavior modeling of other management systems subject to a PDCA cycle. Coupling between the control loops of ISO 27001 (ISMS) and ISO 27005 (risk management system) was not addressed. The mechanism by which these feedback loops operate as coupled systems remains unknown. The extent to which the properties of technical control systems, such as the PID controller, can be generalized to socio-technical systems is also unknown. These questions form the basis for further investigations.

References

[1] R. Pucella and V. Weissman, "Reasoning about Dynamic Policies," in Foundations of Software Science and Computation Structures, vol. 2987 of Lecture Notes in Computer Science, pp. 453–467. Springer Berlin / Heidelberg, 2004.
[2] R. van der Meyden, "The Dynamic Logic of Permission," J. Log. Comput., vol. 6, no. 3, pp. 465–479, 1996.
[3] R. M. Miller, "Market automation: self-regulation in a distributed environment," SIGOIS Bull., vol. 9, no. 2-3, pp. 299–308, 1988.
[4] SC27, "ISO/IEC 27001:2005, Information technology - Security techniques - Information security management systems - Requirements." Beuth-Verlag, Berlin, Oct. 2005.
[5] BS 25999-2, "Business Continuity Management System – Part 2: Specification," BSI (UK), ISBN 9780580599132, Nov. 2007.
[6] L. Litz, Grundlagen der Automatisierungstechnik: Regelungssysteme - Steuerungssysteme - Hybride Systeme (Fundamentals of automation engineering: control systems - sequential control systems - hybrid systems). Oldenbourg Verlag, 2005, ISBN 3-486-27383-3.
[7] X. jie Liu, Y. heng Liu, D. Wei, and H. ying Liu, "Dynamic policy based network management scheme in mobile environment," in Proc. International Symposium on Computer Science and Computational Technology, vol. 1, pp. 434–437, 2008.
[8] N. Dunlop, J. Indulska, and K. Raymond, "Dynamic policy model for large evolving enterprises," in Proc. IEEE International Enterprise Distributed Object Computing Conference, p. 193, 2001.
[9] W. E. Deming, Out of the Crisis. MIT Press (MA), 1986, ISBN 978-0911379013.
[10] W. Boehmer, "Survivability and Business Continuity Management System According to BS 25999," in Proc. Third International Conference on Emerging Security Information, Systems and Technologies (SECURWARE 2009), IEEE Computer Society, pp. 142–147, June 18–23, 2009.
[11] R. Milner, "Pure bigraphs: structure and dynamics," Inf. Comput., vol. 204, no. 1, pp. 60–122, 2006.
[12] W. Boehmer, "Performance, survivability and cost aspects of Business Continuity Processes according to BS 25999," International Journal on Advances in Security, vol. 2, IARIA, 2010.
[13] BS 25999-1, "Business Continuity Management System – Part 1: Code of practice," BSI (UK), ISBN 0580496015, Nov. 2006.
[14] W. Boehmer, C. Brandt, and J. Groote, "Evaluation of a business continuity plan using process algebra and modal logic," Computer Science Report CSR-09-12, Eindhoven University of Technology, 2009.
[15] W. Boehmer, "Appraisal of the Effectiveness and Efficiency of an Information Security Management System Based on ISO 27001," in Proc. International Conference on Emerging Security Information, Systems, and Technologies (SECURWARE 2008), IEEE Computer Society, pp. 224–231, 2008.
[16] W. Boehmer, "Cost-benefit trade-off analysis of an ISMS based on ISO 27001," in Proc. ARES Conference, The International Dependability Conference, IEEE Computer Society, pp. 392–399, March 16–19, 2009.
[17] A. Westerinen et al., "RFC 3198: Terminology for Policy-Based Management," IETF, 2001. http://www.faqs.org/rfcs/rfc3198.html
[18] P. Naldurg, R. H. Campbell, and M. D. Mickunas, "Developing dynamic security policies," in Proc. DARPA Active Networks Conference and Exposition, p. 204, 2002.
[19] K. Quinn, D. Lewis, D. O'Sullivan, and V. P. Wade, "Trust meta-policies for flexible and dynamic policy based trust management," in Proc. IEEE International Workshop on Policies for Distributed Systems and Networks, pp. 145–148, 2006.
[20] W. T. Tsai, Y. Chen, R. Paul, X. Zhou, and C. Fan, "Simulation verification and validation by dynamic policy specification and enforcement," Simulation, vol. 82, no. 5, pp. 295–310, 2006.
[21] W. Boehmer, "Managementsysteme sind Balance-Systeme – Diskussion relevanter Kennzahlen eines ISMS gemäß ISO/IEC 27001:2005" (Management systems are balance systems: a discussion of relevant KPIs of an ISMS according to ISO/IEC 27001:2005), in Multikonferenz Wirtschaftsinformatik (MKWI 2010), Göttingen, 2010.
[22] W. A. Shewhart, Statistical Method from the Viewpoint of Quality Control. 1939; reprint Dover Publications, Nov. 1986, ISBN 978-0486652320.
[23] W. A. Shewhart, Economic Control of Quality of Manufactured Product. American Society for Quality Control, Wisconsin, 1980, ISBN 978-0873890762.
[24] L. Tsinas, B. Trösken, and S. Sowa, "KPI-Framework für Informationssicherheit" (KPI framework for information security), KES, SecuMedia Verlag, Ingelheim, vol. 4, pp. 6–12, 2009.
[25] W. Boehmer, "Analysis of Strongly and Weakly Coupled Management Systems in Information Security," in Proc. Fourth International Conference on Emerging Security Information, Systems and Technologies (SECURWARE 2010), 2010 (accepted for publication).
