A Bit of Security for June 12, 2024
Ontology, Explained
In Kurt Vonnegut’s novel Welcome to the Monkey House the President of the World has a sign on her office wall that reads, “Someday we’re going to have to get organized around here.” When we talk about organizing the information security space, things get really complicated.
There are a few ways of organizing topics like information security: by business function (help desk, DR, patching, etc.), by target (supply chain, phishing, configuration verification, firewall, IdM, etc.), or by attack type (the MITRE ATT&CK framework). The problem with these lists (technically “folkonomies”) is that they are entirely derivative, that is, based on observed sets of facts and habits of thought.
Taxonomies are useful things – they give us a common reference vocabulary to talk about observed phenomena. But they are also models, and models, by definition, obscure essential details. Consider the traditional Aristotelian taxonomy:
Disease taxonomy helps certain kinds of research but excludes others: when a person is unwell, is the cause an injury, a poison, or an infection? If it’s an infection, is it a virus or a bacterium? This helps categorize research, but it excludes diseases with no identifiable cause, like prion diseases, stomach ulcers, or Lyme disease. It stops consideration of problems with the gut microbiome. And it prohibits consideration of unconventional approaches (there’s that limiting categorization thing, again) like the use of electricity to resolve diseases (see Tech Review on electricity). The breakthrough in each case came about by changing the ontology to admit categories that had been omitted. That’s what Thomas Kuhn wrote about in his 1962 book “The Structure of Scientific Revolutions.”
Ontologies split the space into seemingly mutually exclusive categories. Revolutionary insights come about by examining the boundaries between these categories. Consider, in the case of cybersecurity, how difficult it is for practitioners to cope with industrial control systems. Actuators and sensors are out of scope for Information Technology. The simple triad of Confidentiality, Integrity, and Availability considers only the data as the subject, not the underlying service the data models (or represents). That’s why I consider the current approach to categorizing InfoSec a “folkonomy” – an informal and vague list of common traits shared by some observers of information security problems, rather than a formal, programmable set of comprehensive categories that covers the space of all possible problems (or objects of study).
Is there a possible ontology for information security? Possibly the solution is to widen the scope of the space to cover program errors – to take in issues like degraded response time, overly long problem resolution, misleading user interfaces, confusing user experiences, and irrecoverable interruptions to critical systems continuity. That way, information security becomes a proper subset of a more comprehensive set of possible problems. This broader range gives us a greater likelihood of establishing a comprehensive ontology (not just a taxonomy or a folkonomy), which we can then refine. It also avoids futile arguments over whether slow response time is a form of security problem (like a DDoS attack), or whether a diversion such as a false alarm should be considered a threat. Of course it is.
The step I suggest is that we realize information security problems are a subset of IT problems, and that IT problems come about for one of two reasons: either someone makes a mistake or someone exploits a code defect. The way to reduce errors is to improve the user interface. If your program leads people to making bad decisions, that’s not on them, it’s on you. And improving code quality comes down to better development practices. We know how to do this: it’s called cleanroom software, and it embodies the higher levels of the capability maturity model.
But we will never be able to develop programs that can resolve security generally until we have a comprehensive set of categories that covers the space of all possible information security problems. And AI (specifically LLMs) can’t help, because all they do is develop the statistical average of the training set. If the problem were in there, we would have it. In this case, the problem is outside the training set. We need to go beyond our current categories.
Information Security cannot be programmed until we develop a comprehensive ontology. A what? That means a consistent and complete description of all its parts.
Let me know what you think in the comments below or at wjmalik@noc.social
#cybersecuritytips #securitytopics #ontology #platform #BitofSec