3D OpenGL Project

Details
Category: Blog
By Stuart Mathews
19 May 2024
Last Updated: 19 May 2024
Hits: 4900

I found some pictures I took of a model house I had made out of paper and sticky tape for a very early 3D computer games class assignment in 2021. It was a fun project. The task was to determine how I could draw a house in OpenGL.

From the perspective of the renderer, you can't just say "draw a house"; you need a way to feed in a set of vertices, basically (x, y, z) coordinates for all the points, and it will then be able to draw them for you. I needed a way to find out what the vertices were for my toy house and then determine how to translate my physical house into a set of vertices the renderer could understand.

I decided to set out and manually determine how to enumerate all the vertices in the model using a method of labelling each and every corner and side (see pictures), and from that construct vertex lists that represented those sides, which I could feed into the vertex buffer in OpenGL.

It worked out pretty well as my model translated very easily into its digital form.

[Image gallery of the paper house model: Top View; Top Side; Left and Right Roof; Right Wall; Left Room and Left Wall; Side Top; Left Roof; Side Bottom; Final paper model; Model Vertices; Texturing the model]

Cyber Security Concepts and Education

Details
Category: Blog
By Stuart Mathews
19 August 2023
Last Updated: 10 September 2023
Hits: 5730
  • Networking and security

(Parekh, et al., 2018) determined that conceptual understanding of vulnerabilities, system failures, establishing defences and identifying targets and attackers were among the most important core aspects of cyber security, along with evaluating security goals and the impact of security decisions and strategies on the CIA triad. In addition, ethics and privacy concerns were determined to be equally important.

While that research focused on establishing a generalised, core foundational basis for cybersecurity and its assessment, (Jones, et al., 2018) took a different approach. They paid similar attention to establishing the importance of specific cybersecurity topics, but with the specific goal of devising a more practical educational curriculum that is directly tied to industry needs.

This pragmatic pursuit is reflected in their methodology, which actively tries to determine the gaps in the educational needs of current cyber security professionals, in contrast to the generalist cyber security experts consulted in the former research.

These results suggest that vulnerability assessment is key, as is an understanding of network security, but the research into professional practice yielded more pragmatic additions, including insights into specific personality traits that would increase success in the discipline, such as persistence, self-determination, curiosity and an inherent interest in cyber security.

It also suggested that communication skill is essential in being able to convey meaning and decisions when assessing cyber security approaches. This is supported by related research that suggests that there is an increasing importance placed on less technical areas such as “…human, organisational and societal security” (Cabaj et al., 2018).

Interestingly, most professionals found that they needed self-study in many aspects of their jobs to fulfil the requirements of their jobs, indicating that adaptability and changeability are important traits to have.

The CISA Security Architect role requires many of these aspects. For example, core tasks include developing security designs for networks, and systems within networks, which requires understanding networks and how they interoperate and are protected.

The task of assessing the security posture requires determining which vulnerabilities have or have not been mitigated within networked systems and who might seek to exploit them, and as such draws on the ability to understand the implications of vulnerabilities and where they lie. This also pertains to evaluating security architectures to meet security requirements and mitigating risks from prior analysis and assessment. It also touches on the increased need for effective communication skills, which are particularly important during security reviews and when identifying gaps in security architecture (an inherently collaborative endeavour).

Some areas were addressed by the prior research but were not identified among the most important aspects, yet appear to be of particularly high importance to this role. These include management, i.e., the ability to use secure management processes, prioritize and collaborate with stakeholders and develop plans. This is likely to be a particularly important skill in mediating between cyber security skills, business needs and the effective and secure deployment of those skills in an increasingly socio-technical workplace. This trend is particularly evident in the role’s requirements to maintain compliance with PCI and privacy constraints such as PII (Personal Identifiable Information).

The specific and detailed core knowledge required for this role that is not specifically included in cyber security educational curricula as determined by the prior research, such as knowledge of microprocessors and knowledge of electrical engineering and electronics, will likely require drawing upon the aforementioned skills of independent study and persistence and, to a large extent, self-management, e.g., compliance with best practices and security guidelines.

References:

Condori-Fernandez, N., Franqueira, V.N.L. and Wieringa, R.J. (2012) ‘Report on the Survey of Role-Based Access Control (RBAC) in Practice’. Available at: https://research.utwente.nl/en/publications/report-on-the-survey-of-role-based-access-control-rbac-in-practic (Accessed: 26 June 2023).

McGrew, D.A. and Viega, J. (2004) ‘The Security and Performance of the Galois/Counter Mode (GCM) of Operation’, Lecture notes in computer science, pp. 343–355. Available at: https://doi.org/10.1007/978-3-540-30556-9_27.

Ahmad, N., Wei, L.M. and Jabbar, M.H. (2018) ‘Advanced Encryption Standard with Galois Counter Mode using Field Programmable Gate Array.’, Journal of Physics: Conference Series, 1019(1), p. 012008. Available at: https://doi.org/10.1088/1742-6596/1019/1/012008.

Williams, T. (2023) ‘Securing Microservices with Bearer Tokens’, in Microservices Design Patterns in .NET. United Kingdom: Packt Publishing, Limited.

Recommendation for block cipher modes of operation: Galois/Counter mode (GCM) and GMAC (no date). Gaithersburg, MD.


Cabaj, K. et al. (2018) ‘Cybersecurity education: Evolution of the discipline and analysis of master programs’, Computers & security, 75(C), pp. 24–35. Available at: https://doi.org/10.1016/j.cose.2018.01.015.

Security and Ethics

Details
Category: Blog
By Stuart Mathews
19 August 2023
Last Updated: 10 September 2023
Hits: 5975
  • Encryption
  • Continuous Professional Development
  • Networking and security

In comparing ethical frameworks and relating them to Van de Poel’s value clusters, I will argue that Deontic ethics is a more suitable framework in Cyber Security because it is more adaptable than consequentialist ethics, given the evolving nature of technology and the need to adapt to changing social contexts, while consequentialist ethics considers only the static importance of good outcomes (which don’t change). This is particularly relevant as people, attitudes and social contexts do change, are complex and are multivariate.

For example, not all security, and not all actions that lead to good security, are good. While consequentialists consider security as an enablement of desirable characteristics for social good, Deontic ethics would evaluate the context for the appropriateness of the security measure itself.

For example, using an authentication mechanism such as a password (knowledge) to protect against unauthorised access to an intensive care unit’s medication dosage system, while a good consequentialist outcome (security), would not be a correct measure when considering (as Deontologists would) the capability of current improvements in technology that can brute force passwords, the relative weakness of the passwords chosen by humans, and the severity of compromised security.

Consequentialist ethics is short-sighted and inflexible, and in this case could lead to failing to protect/secure a particularly sensitive system adequately. Deontologists would assess the measures and the impact considering the prevailing context and consider instead that physical ownership (possession) of an access card and/or behavioural authentication (fingerprint) is a better and more reasonable approach to implementing security, considering the risk to critical patients.

This extends to not all privacy being good either, or all measures that lead to it being correct. Whilst confidentiality, freedom and anonymity might be seen by consequentialists as a fundamental right that justifies their approaches, they can also hide criminal information from the authorities. Should the freedoms of criminals be respected if they are perpetrating crimes that harm society?

For example, a system that uses encryption to restrict access to another user’s actions (confidentiality/anonymity) is generally a good thing, but should criminals’ data and their actions be allowed to be hidden or be unencrypted? Should criminals be allowed to be anonymous? Consequentialists would say so. The recent case concerning national security which involved Apple, the FBI and an encrypted iPhone is a case in point (Lowell, 2017).

Deontologists would suggest that the platform must always be allowed to decrypt data identified as criminal or of national importance, considering the context and those affected by the crime.

A Deontic approach to better authentication mechanisms would be one that requires a verified identity, known to the platform but not shared publicly, such as requiring an identity certificate to use the platform which is issued and trusted by a third-party authority. This, combined with an additional requirement to physically possess the private key associated with that verified identity (e.g., smart card), makes identities more reliable and more difficult to spoof (or hide) and makes privacy conditional on the context (criminal vs non, crime vs usual activity) possible.

Likewise, consequentialist approaches to accountability are not always correct, despite the pursuit of good intentions.

Consequentialists will consider a system that logs user actions based on username/password authentication as suitable for establishing responsibility for that user’s actions. However, this authentication does not in and of itself guarantee a claim of identity (knowledge) if the password was stolen and the identity spoofed. This can lead to incorrect accountability, which has implications for blaming the wrong person, particularly if this information is presented to the authorities, for example.

Deontologists would instead consider that a more correct approach to verifying identity is to use a provable means, such as host/certificate authentication (e.g. SSH) or digital signatures to sign/authenticate operations and actions, as this attaches a verifiable identity and therefore origin, and therefore can be used as a basis for reliable accountability.

Consequentialist approaches that implement fairness are not always fair either.

For example, it’s not fair to implement a strong authentication mechanism that is only accessible to able-bodied people, such as a retina scanner placed at eye-level on a door, where eye-level is dependent on having the ability to use legs to stand. This favours the desirability of good authentication at the expense of (or discrimination against) people with limited motor abilities.

While leaving the specific ethical approach taken at the discretion of its members, the ISC’s code of ethics refers to approaches that protect society, and this is comparable to preventing harm, which is defined by the value of security as the protection from or the absence of threat or harm.

The code also includes acting honestly and legally, which is comparable to the value of fairness or accountability, especially considering that laws are social constructs created to be fair and just.

Furthermore, acting responsibly corresponds to the value of being accountable, i.e., assigning and taking ownership for one’s actions, as does being competent and diligent in one’s own work.

References

Radwan, A.G., AbdElHaleem, S.H. and Abd-El-Hafiz, S.K. (2016) ‘Symmetric encryption algorithms using chaotic and non-chaotic generators: A review’, Journal of advanced research, 7(2), pp. 193–208. Available at: https://doi.org/10.1016/j.jare.2015.07.002.

Shostack, A. (2014) Threat modeling: designing for security. 1st edn. New York: John Wiley & Sons, Incorporated. Available from: ProQuest Ebook Central. [17 November 2020]. Available at: https://ebookcentral.proquest.com/lib/open/detail.action?docID=1629177&pq-origsite=primo (Accessed: 20 December 2020)

Spafford, S.G.& G. (1999) Practical UNIX & Internet Security, 1-56592-148-8. O’Reilly & Associates, Inc. Available at: https://www.cs.ait.ac.th/~on/O/oreilly/tcpip/puis/ch06_05.htm (Accessed: 1 May 2023).

van de Poel, I. (2020) ‘Core Values and Value Conflicts in Cybersecurity: Beyond Privacy Versus Security’, in M. Christen, B. Gordijn, and M. Loi (eds) The Ethics of Cybersecurity. Cham: Springer International Publishing (The International Library of Ethics, Law and Technology), pp. 45–71. Available at: https://doi.org/10.1007/978-3-030-29053-5_3.

Tim Maurer, Ariel Levite, and George Perkovich (2017) ‘Toward a global norm against manipulating the integrity of financial data’, Economics. The open-access, open-assessment e-journal [Preprint].

Danyang Cao and Bingru Yang (2010) ‘Design and implementation for MD5-based data integrity checking system’, in. IEEE, pp. 608–611. Available at: https://doi.org/10.1109/ICIME.2010.5477912.

Gollmann, D. (2019) ‘The Cyber Security Body of Knowledge v1.0, 2019’, in. University of Bristol. Available at: https://www.cybok.org/.

Crosman, P. (2016) ‘Carbanak Hackers Targeting Banks Again, Security Pros Say’, The American banker, 1(F354).

Bošnjak, L. and Brumen, B. (2019) ‘Shoulder surfing: From an experimental study to a comparative framework’, International journal of human-computer studies, 130, pp. 1–20. Available at: https://doi.org/10.1016/j.ijhcs.2019.04.003.

Lowell, K.G. (2017) ‘Civil Liberty or National Security: The Battle Over iPhone Encryption’, Georgia State University law review, 33(2), pp. 485-.
