Protection and security model

from Wikipedia, the free encyclopedia

The protection and security model describes the property of systems (people, components, objects, machines or other systems) of having system elements, functions or procedures that give the system protection and security. Protection is the reduction of a risk; security is freedom from unacceptable risks, whether perceived or actual.

Classification

This protection and security model is a core model for system description.

Concept

When designing or analyzing a system, protection and security are the common goals of a risk assessment. The starting point of a risk assessment is the assumption of sources of danger. A source of danger is the potential or actual origin of an undesirable (involuntary and disadvantageous) interaction of a system under consideration with its system environment or within this system. Taking such an interaction into account in a risk assessment turns a source of danger into a source of damage. Damage, in turn, is an undesirable (involuntary and disadvantageous) change in the state or in one or more functions of a system or the system environment, including changes to one or more existing but unused functionalities of one or more system elements.

In a risk assessment, the potential or actual sources of harm (hazards or sources of damage) associated with the system under consideration and its environment are examined and assessed in relation to potential or actual adverse (involuntary and disadvantageous) interactions (hazard or damaging events) and their potential or actual impact (damage) (Fig. 1).

Fig. 1: Risk assessment (italics: potential; bold: actual)

Within the risk chain of endangerment and danger - protection - safe construction (or safe organization) and safe procedure - (feeling of) security - hazard and damaging event - damage (Fig. 2), protection and security are linked to the familiar elements of a risk assessment: limit risk, risk, residual risk. A consciously or unconsciously accepted limit risk does not lead to protective measures and thus becomes part of the remaining (accepted or overlooked) residual risk. A damage analysis that determines (evaluates or assesses) the scope or extent, the cause and, where applicable, the frequency of a (potential or actual) damage is finally the starting point for a (step-by-step or necessary) renewed risk assessment and optimization of the system under consideration. Some special cases in the risk chain are listed in italics in Figure 2.

Fig. 2: Risk chain

Protection thus serves to reduce a risk from or for the system under consideration (the protected object), be it by averting a danger or by integrating one or more safeguards into the system. Protection can be spontaneous or planned. Planned protection is achieved through protective measures based on a security concept.

The security achieved in this way is, for a system under consideration, the feeling or the actual fact of freedom from unacceptable risks, i.e. the perceived or actually present absence, containment or relativization of any risk to the state and function of the system that goes beyond a limit risk considered acceptable or consciously or unconsciously accepted. The danger may be supposed or actual; it may exist now, or it may be expected or feared. The dangers (or, once they materialize, the damaging events) include threats to, disturbance of or destruction of existing or intended structures or processes, of life and limb, of property, or of experienced or intended environmental conditions; sabotage of a system and misuse of a system can also be dangers. Finally, there is also the - more or less well-founded - concern about such dangers. (The boundary between danger and damaging event can be fluid or can be seen differently. For example, one person may still fear a threat that for another has already occurred without yet resulting in any disadvantage, while a third may see the same threat as having already occurred with adverse consequences for them.)

Since protection and security belong together as the required measure and the desired result of a risk assessment of a system, protection and security are treated together here. The many different aspects of security (security aspects) are not considered separately. However, protection and security within the system under consideration, protection of the system from its environment (the system environment) and protection of the system environment from the system are addressed separately below, since the system environment must always be included when considering the system (Fig. 3).

Fig. 3: Protective measures and safeguards

Scope of application

Security (from Latin sēcūritās, going back to sēcūrus "carefree", from sēd "without" and cūra "care, concern") describes a state that is viewed as free from unacceptable risks, one in which the observer sees no source of harm or takes none into account that is not accepted by him. ("Secure" can mean, among other things: fail-safe, available (cf. safe); reliable in aim or result (cf. safe); protected, confidential, secured (cf. secure); but also checked, confirmed, reliable, certain (cf. certain); also self-assured and self-confident (cf. firm).) With this definition, security relates both to a single individual and to other living beings, to inanimate real objects or systems and also to abstract objects (see security). In other words: security and protection can relate to real system elements or systems (people, organizations, devices, machines, plants ...) or to virtual system elements or systems (data, information, plans, knowledge ...). The following presentation is designed to be as general as possible, i.e. it is meant to include the perceived and actual security of one or more people, communities, companies, organizations, other living beings and technical, cultural or economic facilities, structures and systems, including private, professional, financial, economic and public aspects. Depending on the application, security can stand for security or safety; protection can be synonymous with defense, safeguarding, averting or securing; and - because of their ambiguity as a measure or as a condition - security and protection can be synonymous with sustainability, stability, immutability or inviolability. Despite the desired generality, the focus of the consideration is on industrial and societal aspects of security and protection.

If the time aspect is taken into account, security goes hand in hand with trust in the reliability (functional capability and functions) of the system elements and protective measures of a system (or - especially with regard to people - in the dependability of the function of a system) and, overall, in the stability of a relationship, community, structure or environment.

Concepts such as certainty, predictability, accuracy and infallibility are not at the center of the area of application considered here.

Terms such as self-confidence and self-assurance extend beyond the scope of application considered here.

General specification

For a given system, security includes

  • the security based on the planned or desired conditions within the system,
  • the security of the system environment against undesired effects of the system on the system environment,
  • the security against undesired effects on the system as a whole or on one or more system elements from outside the system

(see Fig. 3) as well as the respective protection against unwanted or undesired, also unintentional or unexpected use of the system or such changes to or in the system (e.g. through misuse or sabotage).

This includes security and protection along the timeline, i.e. with regard to the present under consideration and with regard to security at any or at a specific future point in time or period.

According to the required security, protection has three directions:

  • the protection of the system elements against and among each other,
  • the protection of the system environment (outside world / environment) from a system failure with effects of the system on the environment,
  • the protection of the entire system against the effects of the system environment (outside world / environment) on the system under consideration.

(It also follows that all system considerations, planning, development, construction, organization, implementation and monitoring must take these three aspects into account on a permanent basis.)

The effort spent on protective measures (or on countermeasures or defensive measures in the event of a concern or threat) depends on the assessment, estimate or feeling of endangerment, limit risk, risk, residual risk and expected or feared damage in relation to the value of the system or system element to be protected, as far as this can be determined.

All these aspects must be taken into account when selecting, planning and implementing the system and must be monitored and ensured throughout the life of the system; only in this way can protection prevent undesirable changes in and on the system and in and around the system "with certainty". In front of a cave, the best privacy screen against an external enemy is of no use if the cave collapses. The most extensive subsequent discussion of data and information security is of little use if the software has gaps or errors or an unsuitable architecture.

Complete "all-round carefree protection" with comprehensive security and no residual risk should be viewed as an illusion. The demand for the greatest possible security inside a system and towards the outside world can undesirably restrict the freedom of design and movement of a system. The flexibility of the individual system elements, of the system elements with one another or of the overall system, which a system requires, can thereby be reduced to the point of rigidity and thus itself create a previously non-existent hazard and bring about a risk that was never intended.

Formal specification

A system and its environment can each be part of the higher-level areas

  • Person (both as a person in general or as an individual and as a legal person) including its material and immaterial property
  • Environment and nature beyond the system under consideration
  • Community including its social, cultural, organizational, economic and government institutions and aspects
  • Technology including all objects, systems, equipment, processes, plans and technical knowledge.

The protection required for the desired security of a system is achieved through a security concept and protective measures. The way to define, organize, implement and review these protective measures is shown in Figure 4a. In detail this way means:

  • Determine hazards (or, to optimize the security concept after a damaging event, identify damage) and specify, with regard to the protected object X, the hazard or damage Y, the type of danger f(X, Y) of an interaction between X and Y or the damaging event f(X, Y) following such an interaction, and the possible or occurred damage Z = f(X, Y);
  • assess (determine or estimate) or re-assess the risk for X for each identified hazard or damage Y;
  • in accordance with the risk chain (Figure 2), define the security concept with an accepted limit risk and the measures to be taken to protect X with regard to the design of X and the intended procedures, and then organize, implement and check the protective measures.
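The three steps above, carried through in numbers as an added illustration (this is not code from the article, nor from ISO/IEC Guide 51 or DIN SPEC 40912): hazards Y for a protected object X, risk as probability times effect, comparison with an accepted limit risk, protective measures and the remaining residual risk, using the cave example from the text. The hazard names, probabilities, effect values and measure factors are all constructed.

```python
# Worked example of the risk chain in Figures 2 and 4a (added illustration, not part
# of the article or of any standard). For a protected object X, each hazard Y has a
# damage Z = f(X, Y); risk = probability x effect is compared with an accepted limit
# risk, hazards above it get protective measures, and what remains is residual risk.
# All hazards, probabilities, effects and measures below are constructed values.
from dataclasses import dataclass

# The three protection directions of the model (Fig. 3).
WITHIN = "within the system"
SYSTEM_TO_ENV = "system -> environment"
ENV_TO_SYSTEM = "environment -> system"


@dataclass(frozen=True)
class Hazard:
    """A hazard Y for the protected object X and its estimated damaging event."""
    name: str
    direction: str      # one of the three directions above
    probability: float  # estimated probability that the damaging event f(X, Y) occurs
    effect: float       # estimated damage Z = f(X, Y), in constructed units

    def risk(self) -> float:
        # Model element "Risk": product of probability of occurrence and effect.
        return self.probability * self.effect


@dataclass(frozen=True)
class Measure:
    """A protective measure aimed at one hazard (Fig. 4a)."""
    name: str
    hazard: str
    probability_factor: float = 1.0  # primary defence (avoidance) lowers the probability
    effect_factor: float = 1.0       # secondary defence (averting, limiting) lowers the effect


def with_measures(hazard: Hazard, measures: list) -> Hazard:
    """The hazard as it stands once every measure targeting it is applied."""
    p, e = hazard.probability, hazard.effect
    for m in measures:
        if m.hazard == hazard.name:
            p, e = p * m.probability_factor, e * m.effect_factor
    return Hazard(hazard.name, hazard.direction, p, e)


def assess(hazards: list, limit_risk: float, measures: list) -> dict:
    """Steps of Fig. 4a per hazard: risk before, status, risk after measures."""
    report = {}
    for h in hazards:
        before = h.risk()
        if before <= limit_risk:
            # Accepted limit risk: no measures; the risk becomes part of the residual risk.
            after, status = before, "accepted"
        else:
            after = with_measures(h, measures).risk()
            status = "protected" if after <= limit_risk else "above limit risk"
        report[h.name] = {"direction": h.direction, "before": before,
                          "after": after, "status": status}
    return report


def residual_risk(report: dict) -> float:
    """Residual risk over the identified hazards (overlooked hazards cannot be counted)."""
    return sum(r["after"] for r in report.values())


def concept_holds(report: dict) -> bool:
    """R4: every identified hazard has been pushed below the agreed limit risk."""
    return all(r["status"] != "above limit risk" for r in report.values())


# Constructed data following the cave illustration on this page: X = a cave shelter.
CAVE_HAZARDS = [
    Hazard("intrusion by external enemy", ENV_TO_SYSTEM, probability=0.5, effect=30.0),
    Hazard("cave collapse", WITHIN, probability=0.05, effect=100.0),
    Hazard("smoke reaching the surroundings", SYSTEM_TO_ENV, probability=0.01, effect=10.0),
]
LIMIT_RISK = 2.0
SCREEN_ONLY = [Measure("privacy screen at the entrance", "intrusion by external enemy", 0.1)]
SCREEN_AND_TIMBER = SCREEN_ONLY + [Measure("timber roof support", "cave collapse", 1.0, 0.2)]
```

With SCREEN_ONLY the assessment leaves "cave collapse" above the limit risk, so the concept does not hold; only SCREEN_AND_TIMBER brings every identified hazard below the limit, which is the cave example from the text expressed in numbers.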

It should be noted that - according to Figure 3 - the protected object X can be both the system under consideration and the system environment, and the hazard or damage Y can come from the system environment or from the system or a system element. For example, system behavior that is inherently part of the system function can also be a system failure that is detrimental to the system environment. Whether an IT program or consumer good is to last three months or seven years, whether a facility or plant is to last 30, 100 or 1,000,000 years, whether or not it is to be secured against aircraft crashes ...

In order to keep the residual risk as small as possible, the possibility of the planned protective measures being overcome should always be taken into account when assessing the protection concept, the protective measures and the security to be achieved or achieved. The way in which protective measures are overcome is therefore also shown in Figure 4 (Figure 4b).

Fig. 4: Process model for a) protective measures and b) an attempt to overcome the protection

To make this protection and security model more concrete, Figure 5 shows a system with its system environment as well as some security installations and procedures in the system and other exemplary protective measures that protect the system and the system environment from one another. This figure is a detail of Figure 3.

Fig. 5: Security aspects and protective measures within a system and between a system under consideration and its system environment (explanations in the text; colors and boundaries otherwise as in Figure 3)

In Figure 5, the line styles denote in detail:

- - - - - - - System under consideration with safeguards in the system (examples of security aspects (larger font) and examples of safeguards in the system (smaller font) are listed)

-. -. -. -. Protection between the system and the system environment (outside: protecting the system from the system environment (with examples); inside: protecting the system environment from the system (with examples))

…………… Security boundaries and protection zones inside the system as (fictitious) demarcation against an "internal enemy" and protection against an "internal enemy" (the examples are underlined)

_______ Boundary of the observation area (actual system boundary); different types of system or system environment are listed in italics.

The security and protection terms entered - as examples, not an exhaustive list - refer in particular to industrial and societal aspects. Their respective position is only to be regarded as approximate. Both protecting the outside world from the system and protecting the system from the outside world require an expanded view of the system boundary. Within the observation area (the actual system boundary), the protective boundaries and the visible / constructive system boundary are drawn interrupted (in different ways), not only to distinguish the individual boundaries, but also because the demarcation between the primary system elements and the protective elements of the system can be difficult and the transition from protection within the system to protection of the system and the system environment against each other can be fluid. Some terms are entered several times because they can concern both the protection of the system environment against the system and the protection of the system against the system environment, or can also be a security element within the system.

The area inside the visible / structural system - unlike in Figure 3 - is to be seen as part of the system on the one hand and as not belonging to the system on the other. This area stands for a hazard or threat to the rest of the system, or to a safe function of the system, that is not planned in the system. It can, for example, stand for a built-in but unintentional malfunction of the system or - as specified here by underlining - for a part of the system that intends, or is supposed to intend, to damage the system from within ("internal enemy", abuse, sabotage, terror ...). It should be noted, however, that such a representation of a danger from within, an enemy within or behind, is used especially by authoritarian organizations and structures to distract from their own intentions, which run counter to the interests of the other parts of the system, and in order to be able to apply to this "outer" part of the system, or to the entire rest of the system, more or less restrictive or even repressive protective measures that are or were intended to deal with external influences.

Model elements

Supplementary explanations to the formulations in "Core models - description and examples" are written in italics below.

Defense: Active reduction of a danger, or attempts to do so (primary defense mechanisms = avoidance by separating the hazard and the object to be protected; secondary defense mechanisms = averting by limiting, reducing or eliminating a harmful interaction).

Aspect: Representation of a subset of properties of an object or system that have a particular or sole relevance for a description or application area with its models.

Threat: Serious prospect of damage through active action or the creation of facts.

Entity: a conceptual or physical unit that is managed individually and whose life cycle is followed.

Event: (short-, medium- or long-term) change in the state or function of a system or a system environment.

Danger: the possibility that a damaging event can occur.

Endangerment: potential source of damage.

Source of danger: A potential or actual source of undesired (involuntary and adverse) interaction of a system under consideration with its system environment or within this system.

Limit risk (borderline risk): risk that is considered acceptable or consciously or unconsciously accepted. This limit may be different for different observers.

Residual risk: risk that remains after protective measures have been taken.

Risk: the product of the probability of occurrence and the effect of an undesirable event.

Risk assessment: The entire process of risk reduction, from risk analysis and risk evaluation to the overall risk assessment.

Damage: An undesirable (involuntary and disadvantageous) change in the state or in one or more functions of a system or the system environment, including changes to one or more existing but unused functionalities of one or more system elements.

Damage Event: An event that leads to damage.

Source of damage: A source of danger taken into account in a risk assessment.

Damaging: the causing of a damaging event (by an actual source of damage).

Damage analysis: (Attempt to) establish (assess or evaluate) the cause, scope or extent and, if applicable, frequency of a damage.

Protective measure: an activity or the result of an activity that serves to protect a protected object. (A protective measure does not contribute to the functioning of a system, but "only" reduces a risk for the system or the system environment; the boundary to a safe construction, a safe organization or a safe procedure can, however, be fluid in individual cases.)

Protected object: the system under consideration with respect to a hazard, or the system environment whose endangerment by the system under consideration is examined.

Safeguard: System element or procedure which, as a protective measure, is intended to prevent or limit an undesired change in the state or function of the system (including "backups" or "backup" in the narrow sense).

Security aspect: Representation of a subset of properties of the security of a system (cf. Aspect); given or required contribution to the security of a system.

Security concept: A concept for the design and function of a system that is intended to ensure that the use, and the end of use, of a system are safe for the system and for the system environment.

Concern: A well-founded or unfounded sense of endangerment to a system that is being "cared for".

System: a set of interrelated elements that, in a certain context, are seen as a whole and are considered to be separated from their surroundings. A system can be a person, an object, a machine, a plant, a person's property, a community, culture and economy, an organization, society, a state, equipment, a process, plans, knowledge, facts, (a part or parts of) nature, a group of these, or a combination of them with one another.

System element: Entity as part of a system.

System environment: Everything that is not assigned to the system under consideration but can interact with it (e.g. the road in relation to a car, if only the car is viewed as the system). The system can be expanded to include parts of the system environment in order to form a larger system. The original system is then a subsystem of the new system.

Dependability: Effectiveness of the functions of a system over time under the conditions required (i.e. from the user's point of view; used primarily in relation to people and their experienced functions).

Reliability: Effectiveness of a system (including its safeguards and other protective measures) over time under the conditions required.

Rules

R1 As a prerequisite for a safe system, stability, reliable functionality and sustainability of the system must be ensured when planning and implementing a system, monitored over the entire life of the system and guaranteed through appropriate use, servicing, maintenance and optimization.

R2 The protection of the system elements against and among each other is to be considered in the system design and implementation as part of the stability and functionality of the system.

R3 For protection between the system and its outside world / surroundings / environment, two further directions must be taken into account:

  • the protection of the outside world (surroundings / environment) from an undesired system effect or a system failure with effects of the system on the environment;
  • the protection of the entire system from the effects of the outside world (surroundings / environment) on the system under consideration.

R4 When planning, implementing and using a system, every hazard must be taken into account according to the risk of its occurrence and its effects - whether it exists now or is to be expected or feared in the future - and the overall risk must be pushed below the agreed limit risk by means of a security concept and appropriate protective measures.

R5 The security concept must be regularly checked and optimized in accordance with the applicable standards, guidelines or other regulations (where none are available, at least after each damaging event).

R6 If security concepts and protective measures would impair the flexibility and freedom of the system and its parts expected or desired by the user, they are to be disclosed before implementation or installation and agreed between the parties involved.

R7 Security and protection can be specified as security for or of, or as protection of, something (e.g. law, health, children, species, animals, information); or as security against or protection against a hazard (e.g. disease, attack, flood, earthquake, bankruptcy, wiretapping); or by where or when security or protection is expected (e.g. traffic, old age); or by how or by what means security or protection is to be guaranteed (e.g. reliability, dependability, stability, sustainability, surety, safeguarding, warranty, protection, security, maintenance and servicing).

References

  1. ISO/IEC Guide 51:2014-04 (Technische Regel), Beuth-Verlag, Berlin; there: "Security is freedom from unacceptable risks".
  2. DIN SPEC 40912 "Core Models - Description and Examples", October 2014.
  3. DIN EN ISO 12100:2010 (Safety of machinery).
  4. DIN EN ISO 12100, Safety of machinery - General principles for design - Risk assessment and risk reduction (ISO 12100:2010); German version EN ISO 12100:2010, Part 8.
  5. International Electrotechnical Vocabulary: DKE-IEV 351-57-01 "Hazard" or 903-01-03 "Hazard"; see also ISO/IEC Guide 51:2014-04 (Technische Regel), Beuth-Verlag, Berlin.
  6. DIN SPEC 40912 "Core Models - Description and Examples", October 2014.
  7. DIN SPEC 40912 "Core Models - Description and Examples", October 2014.
  8. DIN SPEC 40912 "Core Models - Description and Examples", October 2014.
  9. DIN SPEC 40912 "Core Models - Description and Examples", October 2014.
  10. International Electrotechnical Vocabulary: DKE-IEV 351-57-01 "Hazard" or 903-01-03 "Hazard"; see also ISO/IEC Guide 51:2014-04 (Technische Regel), Beuth-Verlag, Berlin.
  11. DIN EN ISO 12100, Safety of machinery - General principles for design - Risk assessment and risk reduction (ISO 12100:2010); German version EN ISO 12100:2010, Part 8.
  12. DIN EN ISO 12100:2010 (Safety of machinery).
  13. Quoted in: DIN SPEC 40912 "Core Models - Description and Examples", October 2014; source: DIN IEC 60050-351.
  14. DIN SPEC 40912 "Core Models - Description and Examples", October 2014.