Before I can start to define a cyber security strategy, there are a number of prerequisites that need to be covered to ensure the right levels of formality and control in the design process. They include the use of different standards and design methods so that the strategy has consistency, accuracy and transparency in its input requirements and the output it produces.
To begin, I am going to use as a reference for use case development a great resource, http://www.uml-diagrams.org/ – it provides a comprehensive guide to UML. I am also going to highlight a quote from the UML-Diagrams website referring to Business Use Cases:
While support for business modeling was declared as one of the goals of the UML, UML specification provides no notation specific to business needs.
It is a shame that business modelling was included as a goal but has not yet been further expanded upon in the specification. That, however, does not stop use cases being used in business design, and I have found that by combining UML and ArchiMate this more than covers the requirements to model both behaviour and structure in conceptual diagrams.
The second item that I will highlight is the need for metamodeling support to provide the necessary modeling guidance – Wikipedia provides a good overview at https://en.wikipedia.org/wiki/Metamodeling. A cyber security strategy will include a number of different domains, each of which should be governed by a metamodel. There already exist a number of principal metamodels, including:
- TOGAF for enterprise architecture
- IEEE for enterprise architecture
- UML for system and behaviour modeling
- SABSA for security architecture
- Open Security Architecture (OSA) for security architecture
- COBIT for governance
- ITIL for service management
Otherwise you can define and declare your own metamodel, or a hybrid metamodel, of domain concepts and relationships supported by a taxonomy and controlled vocabularies, thus ensuring you have some controls in place to support model development. Additionally, you can consider the ISO specification ISO/IEC 24744. A Google image search for security metamodels will bring up a lot of examples.
The diagram below is a simple representation of the metamodel I use to identify the right concepts required for a cyber security strategy. It is just an example, as selecting the right standards or controls will depend upon the type of strategy being defined. I will reference this diagram on many occasions as I cover each stage of developing a cyber security strategy, use case by use case.