
Friday, October 22, 2004

 

The BCNGroup Beadgames

 

Generative Methodology Thread

 

Center of Excellence Proposal

Challenge Problem

National Project

 

Discussion between Peter Stephenson and Paul Prueitt

 

White Paper on Incident Information Orb Architecture (IIOA)

PowerPoint on Application to Cyber Event Space

PowerPoint on the Application to English Social Discourse

 

 

 

Paul

 

I have cleared my rather cluttered decks so that I can make time for this discussion this morning. There are a few issues I want to discuss on the taxonomy and suggest a couple of things that we really should address as part of the process.  One of those is the relationship between attacks, threats, vulnerabilities and risks.

 

We can use the language of Rossler, where he talks about an endophysics and an exophysics.  The language is consistent with other “complex systems” language such as Maturana’s term “autopoiesis”.  Kugler and others talk about an epistemic gap between the “internal processes of the living system” and the external world.  Both the internal endophysics and the external exophysics are complex in a formal sense.  In the case of a system of models for cyber events, we can realize the same complex model.  However, the difference is that the endophysics is simple, as in “non-complex”, because at the lowest level of organization the cyber events are non-ambiguous bits.  The exophysics to the human computer interactions is complex.

 

The Semantic Web concepts are then seen as a complex system having a simple part, the data in computer systems, and a complex part, the human and natural world that is interacting with and through the endophysics of the Semantic Web.

 

Anticipatory Web is a Semantic Web that has a real time harvest of the data constructions and data flows in the Semantic Web.  This real time harvest allows the encoding of structure into optimal pattern co-occurrence frameworks.  See previous notes at [140], [141], and [142].

 

Also, I am struggling with what I see as an important issue:  You speak about the natural world and, from a computer science perspective that makes a lot of sense (as you've pointed out, it's all just bits and bytes).  However, threats, vulnerabilities and attacks are human-contrived.  That poses, to me anyway, a bit of a dichotomy.

 

As a starting point for a discussion, I define (very loosely) an attack to be the application of a threat against a vulnerability from a threat agent.

 

A formal definition (my definition) of a security incident is given below:

 

Definition 1 – Computer Security Incident

 

A computer security incident is a change of state in a bounded computer system from the desired state to an undesired state, where the state change is caused by the application of a stimulus external to the system.

 

                                              

 

such that:

 

                  

 

Please note that an attack and an incident are not exactly the same, but this may help show where my thinking is headed. 

 

I have been working on formalizing this whole vulnerability/threat/attack space for a couple of years now and the insertion of your theories into this work has been a major milestone for me.  It has forced me to rethink some of my theories.  So far, your work supports, does not contradict, at least, my theories...