The Attributer's blog

What is the Attributer Blog?

This is a series of articles based around SABSA Business Attributes. Each article takes a new Attribute and discusses it in some particular context. As often as possible this context has some current topical interest at the time of publication, but some topics are timeless and can have a more general context. The Attributer has been publishing these articles since mid 2012 in Informatiebeveiliging magazine in the Netherlands. Whilst the magazine is a totally Dutch publication, this series of articles has appeared in English. 

Info-Warfare Ready

It is January 2017, and as Donald Trump prepares to take over as the new President of the USA, the debate rumbles on about the possible hacking, leaking and disinformation associated with Hilary Clinton’s election campaign. So what should we make of these allegations? Let’s look at what we know.

In Control

The US Sarbanes-Oxley Act of 2002 has had a huge influence on both American businesses and those in the rest of the world, especially those who want to do business with or in the USA. Section 404 of the act tells us that the management has to be in control, and that the auditors must verify this. A manager must sign a formal statement to declare that he or she is in control. 

Business Strategic

The Attributer writes this just after the announcement by Yahoo that, back in 2014, “state-sponsored” hackers stole information from about 500 million users in what appears to be the largest publicly disclosed cyber-breach in history. What! And now you’re telling those users that they should “change their passwords”, some two years later. Isn’t that a bit late? Horses and stable doors come to mind.

Regression Planned

First reported in the Telegraph on 21st April 2016, and later by Channel Four News on 24th May 2016, was an incident affecting UK National Security that occurred during the previous year, on 13th June 2015.


Sometimes an enterprise has to get out of some business arrangement for some reason. It may be something the business has been considering for some time and finally comes to a decision after some trigger event, or it may occasionally be a totally unexpected requirement to find a way out, triggered by an event totally unexpected or at least uncertain.


An important aspect of good system design is that users should understand how the system works for their benefit. The attribute ‘informed’ is defined in the Big Blue Book of SABSA (Enterprise Security Architecture: A Business Driven Approach, Sherwood, Clark and Lynas) as follows:

“The user should be kept fully informed about services, operating procedures, operational schedules, planned outages, and so on.”


In this article we pick up the thread of the previous article on the attribute ‘emergent’ with regard to system properties and follow it through on a specific path – that of systems safety. By ‘safety’ we mean not being injurious or dangerous to human life and health. Safety and security are closely related concepts. In the French and Dutch languages they share a single term – ‘sécurité’ and ‘veilig’ respectively, and in English language these terms are often found together in single phrases, such as ‘safe and secure’.


SABSA thinking is based heavily on systems engineering concepts. We see the enterprise itself as a system of systems, hierarchically complex, with layered tiers of sub-systems and component interactions at every level of decomposition and abstraction. Systems are designed to have certain functionality to meet the system requirements, and in SABSA we articulate these requirements and functional properties through a series of Business Attributes.

Data Centric

It is some years since the Jericho Forum published its ‘Commandments’ on how to plan for a de‐perimeterized future digital business environment. The most recent version 1.2 was published in May 2007. The conclusion of that document included the following words:

“De‐perimeterization has happened, is happening, and is inevitable; central protection is decreasing in effectiveness: It will happen in your corporate lifetime.Therefore, you need to plan for it and should have a roadmap of how to get there.”