Security, Enterprise Architecture, Software Engineering and Language Philosophy - Why this is a great marriage.
Wicca @ Xebia @ 2023-07-26 by Edzo Botjes
Multiple whitepapers
Thesis with 1500+ reads
40+ Blogs
Quoted in Books and Theses.
Consultancy for 7 Sectors, 41 Clients, 50+ Assignments
Infra to business strategy
@Edzob
(.com, LinkedIn, Twitter)
1992 - 2006 your IT guy
2006 - 2020 Sogeti
2021- now Xebia
Research
ASc Computer Science, 2003
MSc Enterprise Architecture, 2020
BSc Business Information Systems, 2006
PhD student Information Security, 2021-
Share
Apply
Teaching Enterprise Architecture (MSc) at Utrecht University of Applied Sciences, 2022 -
Edzo Botjes
Organisational Resilience Architect
Antifragility Architect
Trusted Advisor
https://www.edzob.com
Wicca 20230726
Language & Security
Consultant @ Xebia, 2021-
Consultant @ Sogeti, 2006 - 2020
Internships, 2005-2006
Two worlds meet
Groningen …
2010 - 2013
Python/ Data Science
Language Philosophy
PERSPECTIVE AND INFORMATION
Perspective and information
https://twitter.com/DrNeenaJha/status/1338105837684977664
Perspective and information
https://twitter.com/TanMohammedMD/status/1337865483446587392
Perspective and information
https://en.wikipedia.org/wiki/Rabbit%E2%80%93duck_illusion
https://scitechconnect.elsevier.com/lessons-from-the-dress-the-fundamental-ambiguity-of-visual-perception
PERCEPTION AND INFORMATION
Reflections and information
https://twitter.com/NicoleBeckwith/status/1277236284470280195/photo/1
Reflections and information
https://writing.exchange/@XanIndigo/109966588561594572
The colors in the rectangles are the same
https://writing.exchange/@XanIndigo/109966588561594572
Visualisation and information
https://www.ritsumei.ac.jp/~akitaoka/index-e.html
https://twitter.com/jimhejl/status/1452814882701824001
https://twitter.com/AkiyoshiKitaoka/status/1568102162064113669
https://www.ritsumei.ac.jp/~akitaoka/index-e.html
Rotating Snakes
https://www.linkedin.com/posts/rafaelgiraldotenorio_entarch-activity-6681201385402376192-4MNK
Language, Post Structuralism & CHAOS
The two faces of chaos
Botjes, Edzo. (2020). Defining Antifragility and the application on Organisation Design (1.0) [Zenodo]. https://doi.org/10.5281/zenodo.3719389
All is chaos
Subjective and Objective Chaos & The continuous challenge
MSc thesis: https://zenodo.org/record/3719389 // IEEE article: https://www.researchgate.net/publication/354321606 // Security: https://www.ted.com/talks/bruce_schneier_the_security_mirage
Icon: https://www.flaticon.com/free-icon/organization_3985164?related_id=3985166
Reality
Feeling
Secure
in-Secure
Security
Software Engineering
Organisations
Language philosophy to influence perception
MSc thesis: https://zenodo.org/record/3719389 // IEEE article: https://www.researchgate.net/publication/354321606 // Security: https://www.ted.com/talks/bruce_schneier_the_security_mirage
Context
Discourse
Post Structuralism
EXAMPLES
The map is not the terrain
Appendix 1 - Organisational Learning
Learning Organisation (Senge) + Mental Models (Hestenes)
Senge, P. M. (1990). The Fifth Discipline: The Art and Practice of the Learning organisation. A Currency book. Doubleday/Currency, New York, NY, USA.
Hestenes, D. (2010). Modeling theory for math and science education. In Modeling students’ mathematical modeling competencies, pages 13–41. Springer.
Appendix 2 - Cyber Security and Enterprise Architecture Models
SUMMARY
Content
three models to tackle change and governance
Definition of Security
https://www.ted.com/talks/bruce_schneier_the_security_mirage
DIE trumps CIA
https://www.slideshare.net/sounilyu/distributed-immutable-ephemeral-new-paradigms-for-the-next-era-of-security
https://www.nccoe.nist.gov/publication/1800-26/VolA/index.html
WHAT IS AN ENTERPRISE
What is an Enterprise/ Organization
Dietz, J. L., et al, (2013). The discipline of enterprise engineering. https://www.researchgate.net/publication/263068480
Hoogervorst, J. A. (2017). Foundations of Enterprise Governance and Enterprise Engineering https://www.springer.com/gp/book/9783319721064
Daft, R., Murphy, J., and Willmott, H. (2010). Organisation Theory and Design. http://www.worldcat.org/oclc/761007858
An Enterprise is exposed to constant change
Enterprise Governance
Governance is the set of mutual, explicit agreements on the processes (who does what), the structures (who decides) and the relational mechanisms (how people are appointed, etc.).
De Haes, S. and Van Grembergen, W. (2015). Enterprise Governance of Information Technology https://www.springer.com/gp/book/9783319145464
De Haes, S., Van Grembergen, W., Joshi, A., and Huygh, T. (2019). Enterprise Governance of Information Technology https://www.springer.com/gp/book/9783030259174
Botjes 2020, Defining Antifragility and the application on Organisation Design https://doi.org/10.5281/zenodo.3719389
Enterprise Alignment
Henderson, J. C., & Venkatraman, N. (1993). Strategic alignment: Leveraging information Technology for transforming organisations https://pdfs.semanticscholar.org/e840/2b65103442e2517982e5e3eb330f72886731.pdf https://ieeexplore.ieee.org/document/5387398
Jerry Luftman & Rajkumar Kempaiah An Update on Business-IT Alignment: “A Line” Has Been Drawn https://eds.p.ebscohost.com/eds/pdfviewer/pdfviewer?vid=1&sid=815940a6-41e8-4b9c-84c4-f57d97fbab4f%40redis
WHY IS AN ENTERPRISE
2023-06 Cyber Resilience
Enterprise Goal
Goldratt, E. M., Cox, J., & Whitford, D. (1992). The goal: A process of ongoing improvement. http://www.worldcat.org/oclc/855170263
Goldratt, E. M. (1994). It's not luck. Great Barrington, Ma: North River Press. http://www.worldcat.org/oclc/937082420
Sinek, S. (2013). Start with why: How great leaders inspire everyone to take action. http://www.worldcat.org/oclc/906697355
https://www.danielstillman.com/blog/abstraction-laddering-for-problem-framing
https://www.danielstillman.com/blog/reflections-over-resolutions
Nietzsche/ Frankel/ Sinek
Hayakawa
Enterprise Goal translated from Why to How
WHAT IS RESILIENCE
Enterprise Goal & Risk Management
Risk Management states we are in a VUCA world and we need resilience to deal with the unexpected
Volatility
Uncertainty
Ambiguity
Complexity
Risk Management ISO 31000
https://doi.org/10.1016/j.bushor.2014.01.001
https://hbr.org/2014/01/what-vuca-really-means-for-you
https://link.springer.com/book/10.1007/978-3-319-16889-0
https://en.wikipedia.org/wiki/Volatility,_uncertainty,_complexity_and_ambiguity
Resilience is responding to events
Martin-Breen and Anderies (2011) http://opendocs.ids.ac.uk/opendocs/handle/123456789/3692
Taleb, N. N. (2012). Antifragile: Things That Gain from Disorder. Random House, New York, NY, USA http://www.worldcat.org/oclc/851345873
Botjes, Edzo. (2020). Defining Antifragility and the application on Organisation Design (1.0) [Zenodo]. https://doi.org/10.5281/zenodo.3719389
Three types of resilience
Martin-Breen and Anderies (2011) http://opendocs.ids.ac.uk/opendocs/handle/123456789/3692
Taleb, N. N. (2012). Antifragile: Things That Gain from Disorder. Random House, New York, NY, USA http://www.worldcat.org/oclc/851345873
Botjes, Edzo. (2020). Defining Antifragility and the application on Organisation Design (1.0) [Zenodo]. https://doi.org/10.5281/zenodo.3719389
WHY IS RESILIENCE RELEVANT
WHY IS CYBER RESILIENCE RELEVANT
Events impact business continuity
https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636
https://www.bankinfosecurity.com/lawsuits-allege-colonial-pipeline-had-inadequate-cybersecurity-a-16928
Information and Information Systems (IT) are the value enablers of an organisation.
Timmers, P. (2022). Cybersecurity and Resilience from a Strategic Autonomy Perspective. Decoding EU Digital Strategic Autonomy, 137.
https://liberalforum.eu/wp-content/uploads/2022/06/Decoding-EU-Digital-Strategic-Autonomy_ELF-Study_Techno-Politics_vol.1-2.pdf#page=54
EU legislation is demanding (as is US legislation)
At a glance: A guide to the EU's new digital package, January 2023, Guillaume Couneson
https://www.linklaters.com/en/insights/blogs/digilinks/2022/november/eu---dga-data-act-nisd2-dsa---confused
Relevance
Caution
The practitioner field is scrambling to add the EU policies (NIS2, DSA), the market policies (such as 27001) and the national policies (such as BIO) into one "spreadsheet".
This is not viable.
There is no conclusive list of patterns/policies to apply to stay compliant with all this legislation.
WHY RESILIENCE STAYS RELEVANT
Things will happen.
WHY RESILIENCE STAYS RELEVANT
Connections lead to chaos
The two faces of chaos
1. Whether a situation is chaotic depends on the perspective of the observer; this is the subjective part of chaos.
2. If a situation contains more than a certain number of connections, then it is impossible to predict the future; this is the objective part of chaos (example: the double pendulum).
https://en.wikipedia.org/wiki/Double_pendulum
https://en.wikipedia.org/wiki/Rabbit%E2%80%93duck_illusion
https://www.linkedin.com/posts/rafaelgiraldotenorio_entarch-activity-6681201385402376192-4MNK
https://www.linkedin.com/posts/complexity-academy_complexitytheory-activity-6625721108249354241-MsJi
The two faces of chaos
Botjes, Edzo. (2020). Defining Antifragility and the application on Organisation Design (1.0) [Zenodo]. https://doi.org/10.5281/zenodo.3719389
FOCUS ON CYBER RESILIENCE
The continuous security challenge
Reality
Feeling
Secure
in-Secure
MSc thesis: https://zenodo.org/record/3719389 // IEEE article: https://www.researchgate.net/publication/354321606 // Security: https://www.ted.com/talks/bruce_schneier_the_security_mirage
The continuous security challenge
Reality
Feeling
Secure
in-Secure
Increasing subjective chaos
Increasing objective chaos
MSc thesis: https://zenodo.org/record/3719389 // IEEE article: https://www.researchgate.net/publication/354321606 // Security: https://www.ted.com/talks/bruce_schneier_the_security_mirage
The power of the many
http://ars.userfriendly.org/cartoons/?id=20021110
https://twitter.com/TheRealSpaf/status/1401555550480080901/photo/1
https://cloudsecurityalliance.org/artifacts/state-of-cloud-security-risk-compliance/
The fragility of the many
http://www.jklossner.com/humannature
https://web.archive.org/web/20051130114833/http://ars.userfriendly.org/cartoons/?id=20021110
https://cloudsecurityalliance.org/artifacts/state-of-cloud-security-risk-compliance/
We need to measure insecurity, not security
https://www.researchgate.net/publication/359821764_Researching_Sensemaking_and_Situational_Architecting_A_First_Step_Towards_a_Guide_for_Sensemaking_Situational_Architecturing_Designing_and_Changing_Enterprises
We design security via functional and non-functional requirements.
We obtain insecurity by affordance.
Affordance
a use or purpose that a thing can have, that people notice as part of the way they see or experience it: In design, perceived affordance is important — that is, our implicit understanding of how to interact with an object.
Innovation drives business value
MSc thesis: https://zenodo.org/record/3719389 // IEEE article: https://www.researchgate.net/publication/354321606
Security: https://www.ted.com/talks/bruce_schneier_the_security_mirage
Innovation: Huber, D., Kaufmann, H., and Steinmann, M. (2017). Innovation: An Abiding Enigma, pages 11–19. Springer International Publishing, Cham. https://books.google.nl/books?id=rzckDwAAQBAJ
SENSEMAKING
Cynefin framework to make sense
https://en.wikipedia.org/wiki/Cynefin_framework
Botjes, Edzo. (2020). Defining Antifragility and the application on Organisation Design (1.0) [Zenodo]. https://doi.org/10.5281/zenodo.3719389
Cynefin framework to make sense
Holistic approach
Reductionistic approach
Correlation: seen; Causality: known
Correlation: seen; Causality: unknown
Correlation: unseen; Causality: unknown
Correlation: seen; Causality: known
https://en.wikipedia.org/wiki/Cynefin_framework
Botjes, Edzo. (2020). Defining Antifragility and the application on Organisation Design (1.0) [Zenodo]. https://doi.org/10.5281/zenodo.3719389
Sensemaking OODA
https://xebia.com/blog/monitoring-levels-and-monitoring-maturity/
https://en.wikipedia.org/wiki/OODA_loop
MEASURE, INFLUENCE and BECOME RESILIENT
How to measure Resilience
Balázs Nagy
Monitoring
• Monitoring Tips
1. Tip - log not only for the expected, but also for the unexpected.
2. Tip - log system metrics into another database than the application log data.
3. Tip - have the log environment in another context than the application and infrastructure that generate the logs.
4. Tip - determine why you are logging so that you can decide what to log.
• Monitoring Levels
1. Metric data from the infrastructure level.
2. Metric data from the application component level.
3. Functional log data from the application component level.
4. Meta-data from the application component level.
5. Meta-data from the user defined business transaction level.
6. Meta-data from (synthetic) end-users.
• Monitoring Maturity
1. Gather data.
2. Transform data into information.
3. Transform information into events.
4. Automate the response to events.
https://xebia.com/blog/monitoring-levels-and-monitoring-maturity/
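The four monitoring maturity steps above (gather data, transform into information, transform into events, automate the response) and tip 1 (log the unexpected) in one small pipeline. This is an added example, not code from the deck or from the linked Xebia blog; the log line format, the sample lines, the error-ratio threshold and the response hooks are all constructed for illustration.

```python
"""Monitoring maturity ladder: data -> information -> events -> automated response.
Added example; log format, sample lines, thresholds and response hooks are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log lines (not taken from the original deck). The last line is
# deliberately malformed: tip 1 says to log the unexpected, so it must be surfaced
# rather than silently dropped.
SAMPLE_LOG = """\
2023-07-26T10:00:01Z app=checkout level=INFO msg="order placed" latency_ms=120
2023-07-26T10:00:02Z app=checkout level=ERROR msg="payment gateway timeout" latency_ms=3000
2023-07-26T10:00:03Z app=checkout level=ERROR msg="payment gateway timeout" latency_ms=3100
2023-07-26T10:00:04Z app=search level=INFO msg="query ok" latency_ms=40
2023-07-26T10:00:05Z app=checkout level=ERROR msg="payment gateway timeout" latency_ms=2900
this line does not match the expected format at all
"""

# Assumed key=value line layout; real log formats differ.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) app=(?P<app>\S+) level=(?P<level>\S+) '
    r'msg="(?P<msg>[^"]*)" latency_ms=(?P<latency>\d+)$'
)


@dataclass(frozen=True)
class Record:
    ts: str
    app: str
    level: str
    msg: str
    latency_ms: int


@dataclass(frozen=True)
class Event:
    severity: str  # "critical" or "warning"
    app: str
    reason: str


def gather(text: str) -> tuple[list[Record], list[str]]:
    """Maturity level 1: gather data. Returns the parsed records and the raw lines
    that did not match the expected format (the unexpected)."""
    parsed: list[Record] = []
    unexpected: list[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            unexpected.append(line)
            continue
        parsed.append(Record(m["ts"], m["app"], m["level"], m["msg"], int(m["latency"])))
    return parsed, unexpected


def summarise(records: list[Record]) -> dict[str, dict]:
    """Maturity level 2: turn data into information, aggregated per application."""
    info: dict[str, dict] = {}
    for r in records:
        s = info.setdefault(r.app, {"total": 0, "errors": 0, "max_latency_ms": 0})
        s["total"] += 1
        if r.level == "ERROR":
            s["errors"] += 1
        s["max_latency_ms"] = max(s["max_latency_ms"], r.latency_ms)
    for s in info.values():
        s["error_ratio"] = s["errors"] / s["total"]
    return info


def detect_events(info: dict[str, dict], unexpected: list[str],
                  error_ratio_threshold: float = 0.5, min_samples: int = 3) -> list[Event]:
    """Maturity level 3: turn information into events by applying rules.
    The threshold and minimum sample count are constructed for this example."""
    events: list[Event] = []
    for app, s in info.items():
        if s["total"] >= min_samples and s["error_ratio"] >= error_ratio_threshold:
            events.append(Event("critical", app,
                                f"error ratio {s['error_ratio']:.0%} over {s['total']} records"))
    if unexpected:
        # Unparseable lines are an event of their own: either the log format changed
        # or something is writing to the log that should not be.
        events.append(Event("warning", "log-pipeline", f"{len(unexpected)} unparseable line(s)"))
    return events


def respond(events: list[Event]) -> list[str]:
    """Maturity level 4: automate the response. The actions are hypothetical hooks;
    a real pipeline would call a pager or ticketing API here."""
    actions: list[str] = []
    for e in events:
        if e.severity == "critical":
            actions.append(f"page on-call for {e.app}: {e.reason}")
        else:
            actions.append(f"open ticket for {e.app}: {e.reason}")
    return actions


def run(text: str) -> tuple[dict[str, dict], list[Event], list[str]]:
    """Run the four maturity levels in sequence and return every intermediate result."""
    records, unexpected = gather(text)
    info = summarise(records)
    events = detect_events(info, unexpected)
    return info, events, respond(events)


if __name__ == "__main__":
    for item in run(SAMPLE_LOG):
        print(item)
```

On the constructed lines the checkout service crosses the error-ratio rule and the malformed line raises a separate warning, while the single search record is below the minimum sample count and raises nothing; that is the point of tip 4: decide up front which information should become an event.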
Measuring Automation of Continuous Delivery
Deployment Frequency
Lead Time for Changes
Change Failure Rate
Time to Restore Service
DORA Metrics - Software Delivery Performance
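How the four DORA metrics listed above are computed from deployment records, as an added example that is not part of the original deck. The record layout (first commit time, deploy time, a failure flag and a restore time) and the sample deployments are assumptions constructed for the illustration; the metric definitions follow the usual DORA reading of each name.

```python
"""The four DORA software delivery performance metrics, computed from deployment
records. Added example; the record layout and sample deployments are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Deployment:
    commit_at: datetime                      # first commit of the change
    deployed_at: datetime                    # when the change reached production
    failed: bool = False                     # caused a rollback, hotfix or incident
    restored_at: Optional[datetime] = None   # when service was restored, if it failed


def deployment_frequency(deps: list[Deployment], start: datetime, end: datetime) -> float:
    """Deployment Frequency: production deployments per day inside [start, end)."""
    days = (end - start).total_seconds() / 86400
    if days <= 0:
        return 0.0
    in_window = [d for d in deps if start <= d.deployed_at < end]
    return len(in_window) / days


def lead_time_for_changes(deps: list[Deployment]) -> Optional[timedelta]:
    """Lead Time for Changes: median time from first commit to running in production."""
    if not deps:
        return None
    return median([d.deployed_at - d.commit_at for d in deps])


def change_failure_rate(deps: list[Deployment]) -> float:
    """Change Failure Rate: share of deployments that caused a failure in production."""
    if not deps:
        return 0.0
    return sum(1 for d in deps if d.failed) / len(deps)


def time_to_restore_service(deps: list[Deployment]) -> Optional[timedelta]:
    """Time to Restore Service: median time from a failed deployment to restoration.
    Failed deployments without a restore time are still open and are left out."""
    durations = [d.restored_at - d.deployed_at
                 for d in deps if d.failed and d.restored_at is not None]
    return median(durations) if durations else None


def dora_metrics(deps: list[Deployment], start: datetime, end: datetime) -> dict:
    """All four metrics for one reporting window."""
    return {
        "deployment_frequency_per_day": deployment_frequency(deps, start, end),
        "lead_time_for_changes": lead_time_for_changes(deps),
        "change_failure_rate": change_failure_rate(deps),
        "time_to_restore_service": time_to_restore_service(deps),
    }


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample: five deployments in a ten-day window, two of which failed.
SAMPLE_DEPLOYMENTS = [
    Deployment(_t("2023-07-01 09:00"), _t("2023-07-01 15:00")),
    Deployment(_t("2023-07-02 10:00"), _t("2023-07-03 10:00"),
               failed=True, restored_at=_t("2023-07-03 12:00")),
    Deployment(_t("2023-07-04 08:00"), _t("2023-07-04 20:00")),
    Deployment(_t("2023-07-06 09:00"), _t("2023-07-07 09:00"),
               failed=True, restored_at=_t("2023-07-07 09:30")),
    Deployment(_t("2023-07-09 09:00"), _t("2023-07-09 11:00")),
]
WINDOW_START, WINDOW_END = _t("2023-07-01 00:00"), _t("2023-07-11 00:00")


if __name__ == "__main__":
    for name, value in dora_metrics(SAMPLE_DEPLOYMENTS, WINDOW_START, WINDOW_END).items():
        print(f"{name}: {value}")
```

Medians rather than means are used for the two duration metrics so that a single very slow change or very long outage does not dominate the number; an empty input returns None or 0.0 instead of raising, which matters when a team has had no failed deployment in the window.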
How to influence Resilience
Senge, P. M. (1990). The Fifth Discipline: The Art and Practice of the Learning organisation. A Currency book. Doubleday/Currency, New York, NY, USA.
Hestenes, D. (2010). Modeling theory for math and science education. In Modeling students’ mathematical modeling competencies, pages 13–41. Springer.
What to design to become resilient
Per resilience type, different attributes are relevant to achieve that type of resilience.
Botjes, Edzo. (2020). Defining Antifragility and the application on Organisation Design (1.0) [Zenodo]. https://doi.org/10.5281/zenodo.3719389
Botjes, E., van den Berg, M., van Gils, B., & Mulder, H. (2021, September). Attributes relevant to antifragile organizations. In 2021 IEEE 23rd Conference on Business Informatics (CBI) (Vol. 1, pp. 62-71). IEEE.
HOW TO LEARN
Mental Model and reality
Dietz, J., & Hoogervorst, J. (2017). Foundations of enterprise engineering. TEE-00 https://www.researchgate.net/publication/320353420_Foundations_of_Enterprise_Engineering
Hestenes, D. (2006). Notes for a modeling theory. In Proceedings of the 2006 GIREP conference: Modeling in physics and physics education, volume 31, page 27. University of Amsterdam, Amsterdam https://www.semanticscholar.org/paper/Notes-for-a-Modeling-Theory-of-Science%2C-Cognition-Hestenes/066bbeae4d25ade2d16055886e330159bf3a2312
Hestenes, D. (2010). Modeling theory for math and science education. In Modeling students’ mathematical modeling competencies, pages 13–41. Springer.
If you don't know it, then you cannot see it.
Hierarchy of Competence
https://en.wikipedia.org/wiki/Four_stages_of_competence
Before you can improve you need to see what can be improved.
Rational Action Model
Fishbein, M. and Ajzen, I. (2011). Predicting and changing behavior: The reasoned action approach. Psychology press.
https://en.wikipedia.org/wiki/Reasoned_action_approach (image uploaded by Gjalt-Jorn Peters, feedback loop is new)
Behavior is the result of many internal belief systems and internal capabilities.
Morphogenic Social Systems
Archer, M. S. (1995). Realist social theory: The morphogenetic approach. Cambridge university press.
Behavior is the result of external factors such as culture and other people's behavior.
Team Topologies
https://scaledagileframework.com/organizing-agile-teams-and-arts-team-topologies-at-scale/
HOW TO DESIGN FOR RESILIENCE
How to design for resilience
Design Process
…..
Design Process
https://www.designreview.byu.edu/collections/from-chaos-to-clarity-in-the-design-process
Plan-Do-Check-Act Deming Circle
https://en.wikipedia.org/wiki/PDCA
https://en.wikipedia.org/wiki/Product_lifecycle
http://www.hec.unil.ch/aosterwa/PhD/Osterwalder_PhD_BM_Ontology.pdf
Product Development Lifecycle (PDCA instance)
https://cio-wiki.org/wiki/Product_Lifecycle_Management
https://en.wikipedia.org/wiki/Product_lifecycle
DevOps Lifecycle (PDCA instance)
https://www.linkedin.com/pulse/governance-cloud-world-david-das-neves
https://www.linkedin.com/pulse/devsecops-paradoxon-david-das-neves
https://xebia.com/the-shift-left-fallacy
https://awkwardgen.com/devops-infinity-loop-for-beginners/
Product Development (PDCA instance)
Gartner, 2017 Enterprise Architecture and Technology Innovation Leadership Vision for 2017,
https://www.gartner.com/binaries/content/assets/events/keywords/enterprise-architecture/epaeu17/enterprise_architecture_and__tech-innovation.pdf
NIST Cybersecurity functions (PDCA instance)
HOW TO DESIGN FOR VALUE
Value delivery
Essential business transaction
Value is always delivered between two Actors and in 5 phases.
Ask the following key questions:
https://www.pronto-lectures.com/docs/glossary/
Business Model Canvas
https://en.wikipedia.org/wiki/Business_Model_Canvas
http://www.hec.unil.ch/aosterwa/PhD/Osterwalder_PhD_BM_Ontology.pdf
https://cardboardit.com/2018/10/understanding-your-business-through-the-business-model-canvas
Value proposition canvas
https://assets.strategyzer.com/assets/resources/the-value-proposition-canvas.pdf
Enterprise Success
Osterwalder, 2015 - 5 tools for new business success, https://www.strategyzer.com/blog/5-tools-for-new-business-success
Ries, 2011 - The Lean Startup, https://www.goodreads.com/book/show/10127019
HOW TO DESIGN AN ENTERPRISE FOR VALUE
Enterprise Organization
Causal loop of external forces (blue), organizational strengths (red) and architectural contributions (green)
https://e476rzxxeua.exactdn.com/wp-content/uploads/2022/04/DYA-whitepaper-Architecture-In-This-New-World-We-Live-In.pdf
Enterprise Goal
Vision: What a company wants to be and the values guiding the journey.
Mission: The purpose of a company.
Strategy: How a company will achieve its vision and mission (in the long run).
Goals & Objectives: The things a company needs to do to realize the strategy.
Greefhorst & Proper: A Practical Approach to the Formulation and Use of Architecture Principles
The 13 (normalized) Enterprise Goals
De Haes, S. and Van Grembergen, W. (2015). Enterprise Governance of Information Technology https://www.springer.com/gp/book/9783319145464
De Haes, S., Van Grembergen, W., Joshi, A., and Huygh, T. (2019). Enterprise Governance of Information Technology https://www.springer.com/gp/book/9783030259174
Balanced Business Scorecard & Goal Maps
Science direct papers on Balanced Business Scorecard: https://www.sciencedirect.com/topics/computer-science/balanced-scorecard
Bizzdesign on designing a BBSC https://support.bizzdesign.com/display/knowledge/Modeling+a+Balanced+Scorecard
Archimate Goal Map https://circle.visual-paradigm.com/goal/
Enterprise Governance
Enterprise Governance
Structures
Processes
Relational Mechanisms
COBIT 5 and COBIT 2019
Enterprise Architecture
This is a meta-model of how to divide an enterprise in layers that each have their own description of coherence and design language.
Security
Business
Strategy
Information
Information Systems
Infrastructure
Service Management
Created by Edzo Botjes https://edzob.medium.com/where-does-enterprise-and-solution-architecture-fit-e3a5ae26c750
Enterprise Architecture
Per layer certain topics are captured within.
Service Management and Security are domains relevant on all layers and depend on the coherence between the layers.
Security
Business
Strategy
Information
Information Systems
Infrastructure
Service Management
Organization
Products & Services
business processes
Information
Application
Network
Middleware
Platform
Data
Created by Edzo Botjes https://edzob.medium.com/where-does-enterprise-and-solution-architecture-fit-e3a5ae26c750
Enterprise change – a conscious choice
Security
Business
Strategy
Information
Information Systems
Infrastructure
Service Management
Created by Edzo Botjes https://edzob.medium.com/where-does-enterprise-and-solution-architecture-fit-e3a5ae26c750
Three roles of architects – and their focus
SAFe https://www.scaledagileframework.com/agile-architecture/ https://www.scaledagileframework.com/enterprise-architect/
Architects are responsible for creating insight in the coherence between the layers.
SAFe https://www.scaledagileframework.com/agile-architecture/ https://www.scaledagileframework.com/enterprise-architect/
The Antifragile Organization
“The agile organization is dawning as the new dominant organizational paradigm. (2017)”
https://en.wikipedia.org/wiki/Antifragile_(book)
https://www.mckinsey.com/business-functions/organization/our-insights/the-five-trademarks-of-agile-organizations
HOW TO DESIGN AN ENTERPRISE FOR DIGITAL
Digital transformation to a digital platform
Ross, J. W., Beath, C. M., & Mocker, M. (2019). Designed for digital: How to architect your business for sustained success. The MIT Press.
HOW TO MANAGE
RISK
RISK Management
Risk Management & Value creation
To identify the risk for the value creation of an organization, you need to know the risk and impact at each transition.
Actors
Data
Systems
Value
Requested by
Delivered by
Produce with
Requested with
Stored in
Provided by
ROSI = RETURN ON SECURITY INVESTMENT
https://essay.utwente.nl/79757/1/Casano_MA_EEMCS.pdf
https://www.enisa.europa.eu/publications/introduction-to-return-on-security-investment/at_download/fullRepor
https://d2k0ddhflgrk1i.cloudfront.net/TBM/Over%20faculteit/Afdelingen/Engineering%20Systems%20and%20Services/People/Professors%20emeriti/Jan%20van%20den%20Berg/MasterPhdThesis/PANCHIT-MASTER-THESIS.pdf
Risk Management ISO 31000
https://www.iso.org/obp/ui/#iso:std:iso:31000:ed-2:v1:en
https://en.m.wikipedia.org/wiki/ISO_31000
https://pecb.com/whitepaper/iso-31000-risk-management--principles-and-guidelines
https://theriskacademy.org/is0-31000-iso-27005/
Risk Management ISO 27005
https://www.iso.org/standard/75281.html
https://en.wikipedia.org/wiki/ISO/IEC_27005
https://www.researchgate.net/figure/ISO-27005-Risk-Management-Framework-7_fig1_263023688
Risk Management - 3 lines of defense
HOW TO DETERMINE
RISK
Threat models
Affordance, Construction, Functionality
https://www.researchgate.net/publication/359821764_Researching_Sensemaking_and_Situational_Architecting_A_First_Step_Towards_a_Guide_for_Sensemaking_Situational_Architecturing_Designing_and_Changing_Enterprises
Threat Model Process
https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling
Threat Model Model
https://xebia.com/blog/threat-modeling-without-a-diagram/
Data Flow Diagram
https://learn.microsoft.com/en-us/windows-hardware/drivers/driversecurity/threat-modeling-for-drivers
STRIDE
https://developer.ibm.com/articles/threat-modeling-microservices-openshift-4/
USE CASE vs ABUSE CASE
https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html
Sites relevant to Secure Solution Development
LAYERS IN
TECHNOLOGY
Technology
Make the dependencies explicit
Virtual Machine
Network & Power
Storage
Database
Middleware
Application
Operating System
HyperVisor
Virtual Network
Compute/CPU
Application 3-Tier Layer
Virtual Machine Layer
Virtualization Layer
Hardware Layer
Configuration
Created by Edzo Botjes 2012
Make the dependencies explicit
Integrity
Access
Virtual Machine
Network & Power
Storage
Database
Middleware
Application
Operating System
HyperVisor
Virtual Network
Compute/CPU
Application 3-Tier Layer
Virtual Machine Layer
Virtualization Layer
Hardware Layer
Configuration
Tools/ Services
Data / Interfaces
(DevOps) LifeCycle Management
Dev & Ops Environment
Created by Edzo Botjes 2012
… as a Service
Muratore, L., Lennox, B., & Tsagarakis, N. G. (2018, October). Xbotcloud: A scalable cloud computing infrastructure for xbot powered robots.
In 2018 IEEE/RSJ International Conference on Intelligent Robots and Systems (IROS) (pp. 1-9). IEEE.
https://www.researchgate.net/publication/327700356
HOW TO SECURE
TECHNOLOGY
Principles for secure design
ISO 25010 – SW Quality Attributes
How to determine the quality of a certain IT solution?
Functional Suitability
Functional completeness
Functional correctness
Functional appropriateness
Compatibility
Co-existence
Interoperability
Performance Efficiency
Time-behaviour
Resource utilisation
Capacity
Portability
Adaptability
Installability
Replaceability
Security
Confidentiality
Integrity
Non-repudiation
Accountability
Authenticity
Reliability
Maturity
Availability
Fault tolerance
Recoverability
Maintainability
Modularity
Reusability
Analyzability
Changeability
Modification
Testability
Usability
Appropriateness
Recognisability
Learnability
Operability
User error protection
User interface aesthetics
Accessibility
https://nl.wikipedia.org/wiki/ISO_25010
https://iso25000.com/index.php/en/iso-25000-standards/iso-25010
Software Design Process
https://commons.wikimedia.org/wiki/File:RUP_disciplines_greyscale_20060121.svg
Test process in the old world.
Performance Test
Load Test
Penetration Test
Created by Edzo Botjes 2012
VIEWS ON
SECURITY
Defining security
Reality
Feeling
Secure
in-Secure
https://www.ted.com/talks/bruce_schneier_the_security_mirage
Information Security
https://en.wikipedia.org/wiki/Information_security
"Bachelor course introduction into Security" https://zenodo.org/record/6580724
Information Security ISO 27001
….
CIA(S)
https://www.securecontrolsframework.com
https://en.wikipedia.org/wiki/Information_security#Key_concepts
DIE over CIA
Confidentiality
Availability
Integrity
CIA
Immutable
Ephemeral
Distributed
DIE
…..
CIA - https://www.nccoe.nist.gov/publication/1800-26/VolA/index.html
CIA - https://en.wikipedia.org/wiki/Information_security
DIE – 2019 - https://www.slideshare.net/sounilyu/distributed-immutable-ephemeral-new-paradigms-for-the-next-era-of-security
DIE – 2021 - https://www.rsaconference.com/library/Presentation/USA/2021/death-to-cia-long-live-die-how-the-die-triad-helps-us-achieve-resiliency
DIE – 2020 - https://www.cisa.gov/sites/default/files/publications/Daily_Keynote_with_Sounil_Yu_508pobs.pdf
DIE over CIA - https://www.techtarget.com/searchsecurity/feature/Experts-say-CIA-security-triad-needs-a-DIE-model-upgrade
NIST Cybersecurity functions
…..
VIEWS ON
SECURE SOFTWARE DEVELOPMENT LIFECYCLE
Cyber defense matrix
https://github.com/OWASP/www-project-cyber-defense-matrix
https://owasp.org/www-project-threat-and-safeguard-matrix
DevSecOps Playbook
https://xebia.com/blog/getting-started-with-devsecops-the-culture
https://github.com/6mile/DevSecOps-Playbook/blob/main/images/devsecops-controls.jpg
BRACE Secure Software Development Lifecycle meta-model
BRACE states that in every step of the product development process, from plan/design up to and including operations, security enablers (topics) need to be addressed.
BRACE provides generic epics and generic user stories, to be refined by each team involved, to improve the security of the product development process.
Which maturity level it makes sense to evolve towards is contextual, based on a risk assessment (cost vs benefits).
The content of the epics and user stories is based on experience and inspired by available SSDLC models.
BRACE Secure Software Development Lifecycle meta-model
BRACE https://pages.xebia.com/brace-a-metamodel-on-secure-product-development?ref=Xebia
BRACE security enablers – generic Azure user stories to be refined by individual teams
BRACE https://pages.xebia.com/brace-a-metamodel-on-secure-product-development?ref=Xebia
Other SSDLC MODELS