Why can’t information security people all use the same terms of reference and speak a common language?

This thought last came up for me when working to produce multiple-choice questions for an information security exam. My carefully worded ‘wrong’ choices (called ‘distractors’) as well as my correct choices all had to be backed by referenced and credible authorities.

This was challenging. The inexact, flexible world of information security has a rich multiplicity of interacting methods and a variety of terminologies. Some of these are defined differently under various standards. Some do not relate to any standard at all. I found that challenging my distractor questions and my correct answers led to some intense, sometimes fruitless searches for credible sources (blogs and magazine articles, though helpful pointers, did not count). Occasionally I had to abandon what at first sight looked like a cast-iron question when I could not validate what I was professionally certain was correct (and incorrect).

This is an issue for exam-setting bodies. If you have taken any kind of information security multiple-choice exam then be assured: much effort is made to bulletproof the pool of questions.

GASSP

The effort to reference my questions took me through some vast – very dry – landscapes of knowledge. A colleague with a lot of experience told me about Generally Accepted System Security Principles – GASSP. But my research threw a harsh light onto some of the problems our profession has when it tries to standardize terms.

There are mythological commentaries on the use of common terms. The story of the Tower of Babel tells of a time when everyone spoke the same tongue and possessed, what we might call now, a common body of knowledge. In all traditions, this led to divine intervention – apparently motivated by a desire for cultural diversity. Thus the earliest attempts at common standards were frustrated too. But no divinity can be concerned about common terms for information security: all attempts so far to produce one seem to have failed.

Does it really matter?

In the U.S., you can trace modern attempts to build common standards for information security to Al Gore, whose National Partnership for Reinventing Government Committee created a platform for asking how government should adapt to the new Information Age. Some thinkers hoped the model of generally accepted accounting principles (GAAP) could be applied to information security. But those principles were too divergent (in particular, they only apply to the USA). More promisingly, concerns about computer security from the OECD had led them to prepare the internationally produced “Guidelines for the Security of Information Systems.”

The federal government was nudged by all of this to provide common terminologies for the increasingly complex work of joined up computing (and thus joined up government). They decided there was merit in the OECD model as well as standards being developed in the UK at the time. Mixing these into its own conclusions, in 1996 NIST produced Special Paper 800-14.

SP 800-14 has not been updated since, and surprisingly, it is still available from the NIST site. A brief trawl through it will quickly demonstrate how far we have come since 1996. Readers are told about practices that could “[e]liminate hackers and viruses” and are warned about times when a system “[c]hanges its environment, such as being connected to the internet”. They are advised to create passwords with “a minimum length of six characters”. Penetration testers are told their “testing should preferably be conducted with the knowledge and consent of system management”. Behind all of this was an encouragement to “work together synergistically”.

What is risk?

SP 800-14 defined risk as “the possibility of something adverse happening”. Twenty years on, another standard defines risk as the “effect of uncertainty on objectives”. This highlights a problem for any common language: meanings change, sometimes very quickly and extensively in response to circumstances. Even more significantly, SP 800-14 is clearly focused upon systems over all other considerations. The biggest change in protective security over the past twenty years I have seen is the acceptance that IT systems are just part of a security whole. In 1996 the profession was becoming conscious that it was something new and separate. This separateness can only have been sustained by the limited means then available for inputting data onto systems – no handheld devices or cloud computing. And not much Internet either.

While NIST may have preferred to leave things there, efforts to introduce a universal language continued through the work of International Information Security Foundation (I²SF). This organization saw the building of generally accepted principles of security as just one pillar of a number of efforts at standardization, including the Common Criteria for software with the International Information Systems Security Certification Consortium (now better known as ISC²) taking on the professionalism side of things. Unfortunately it also struck a rather portentous note of how definitions were to be agreed, such as positing international committees of experts to agree on standard meanings.

You can still find their public consultation paper from 1999 online, setting out the GASSP vision. No doubt with helpful intent, the paper adds some solid examples of what each term means – all of them rather long and with obsolesce built in (e.g., “[h]aving received the first request for dial-in access, ‘Joe A.’ carefully assessed the stated need and the description of the resources required.”).

Like SP 800-14, GASSP has not been superseded or apparently updated from its draft status. The sheer effort required to agree on standards as well as inevitable technological changes seems to have left both stranded in the last century. Attempts to produce worldwide definitions of information security terms and practices seem destined to become bogged down and/or forgotten. There are some internationally accepted terms within the ISO 27000 series, but those are not free.

On the bright side, everyone now has access to powerful search engines that will at least show up all of the varied meanings of terminologies. In effect, these are our instant translation devices that can help us understand what any particular term means in real time. From the viewpoint of an information security question-setter, I wish a process for registering terms could be like that of a well-established online dictionary rather than an edict from a committee of experts (all of whom will have more important things to do).

That takes us back to the myth of Babel. Forget about a common language for now. Just use your favorite search engine as a translator. And a special plea to NIST: it’s time to archive SP 800-14.