The Attributer's blog


Sometimes an enterprise has to get out of a business arrangement for one reason or another. It may be something the business has been considering for some time, with the decision finally prompted by a trigger event, or it may occasionally be a totally unexpected requirement to find a way out, triggered by an event that was totally unexpected or at least uncertain.


An important aspect of good system design is that users should understand how the system works for their benefit. The attribute ‘informed’ is defined in the Big Blue Book of SABSA (Enterprise Security Architecture: A Business Driven Approach, Sherwood, Clark and Lynas) as follows:

“The user should be kept fully informed about services, operating procedures, operational schedules, planned outages, and so on.”


In this article we pick up the thread of the previous article on the attribute ‘emergent’ with regard to system properties and follow it through on a specific path – that of systems safety. By ‘safety’ we mean not being injurious or dangerous to human life and health. Safety and security are closely related concepts. In the French and Dutch languages they share a single term – ‘sécurité’ and ‘veilig’ respectively, and in the English language these terms are often found together in single phrases, such as ‘safe and secure’.


SABSA thinking is based heavily on systems engineering concepts. We see the enterprise itself as a system of systems, hierarchically complex, with layered tiers of sub-systems and component interactions at every level of decomposition and abstraction. Systems are designed to have certain functionality to meet the system requirements, and in SABSA we articulate these requirements and functional properties through a series of Business Attributes.

Data Centric

It is some years since the Jericho Forum published its ‘Commandments’ on how to plan for a de‐perimeterized future digital business environment. The most recent version 1.2 was published in May 2007. The conclusion of that document included the following words:

“De‐perimeterization has happened, is happening, and is inevitable; central protection is decreasing in effectiveness: It will happen in your corporate lifetime. Therefore, you need to plan for it and should have a roadmap of how to get there.”

2015 Seasonal Special: COLLABORATIVE

(First published in December 2012 in Informatiebeveiliging magazine in the Netherlands)

Pollution Controlled

The Attributer tries to choose subjects that are topical, so it is important to choose a ‘title attribute’ that is self-explanatory. When it was agreed that the VW scandal would be a good topic, finding a suitable title/attribute was at first puzzling. In calling it ‘pollution controlled’ there is explicit intent to explore the wider meaning of ‘polluted’. Not just atmospheric pollution, but pollution of corporate values and trust in technological industry in general. There are many aspects of ‘pollution’ to be explored with this SABSA attribute.

Business Context Aligned

The British Computer Society June newsletter featured an article by Neil Cordell. The article opens with the following statement: “When it comes to dealing with cyber security, technologists must focus more on threats and controls and less on risk”. Mr. Cordell is concerned that implementing security controls is entirely in the hands of technologists, who have no real idea of what impact these controls might have on business productivity or the protection of real business assets. So far, so good, but what’s this about ‘less risk’?