One of the fundamental papers in the Information Security industry is “The Protection of Information in Computer Systems” written by Jerome Saltzer and Michael Schoeder in the mid-1970s. This paper defines eight design principles to ensure the safety, security, and functionality of computer systems and applications. It’s timeless as those principles still apply today. If you haven’t seen it yet, Adam Shostack of Emergent Chaos does a great job in his blog of explaining the Saltzer and Schroeder Design Principles and equating them to something almost everyone can understand: Security in Star Wars.
One of the ideas that come out of it is the concept of “work factor” and the fire/safety ratings on safes. Safes are classified by Underwriters Laboratory for their ability to protect their contents from both fire and burglars. It’s the degree of protection that safe will protect its contents. There are both construction and performance requirements. The former defines the minimum specifications for the container. The latter defines how long the safe must withstand a burglary attempt. You can read more about it here: http://www.maximumsecurity.com/safes/pc/Burglary-Fire-Rating-Guide-d92.htm.
This idea isn’t new. A DARPA research report from 2001 presents it from a scientific standpoint: “Adversary Work Factor as a Metric for Information Assurance.” In this paper, Schudel and Wood present the hypothesis, “that adversary work factor is a quantifiable metric that yields valuable insights into the relative strengths and weaknesses of modern complex information systems.” The authors go on to develop an approach for observing and reporting adversary work factors for information systems.
It’s time we used the same approach in Cybersecurity. The UL rating system is a standard that’s long been in use in the physical world. Why not begin to follow it in the cyber world? The IT industry should consider creating construction and performance standards for all computer systems and applications. An unbiased, standardized security work factor rating would allow consumers to understand the safety of an application or system to determine if it fits into their risk appetite.
Why reinvent the wheel?