Cybersecurity from the Safety Engineer’s Perspective

The February 2014 issue of CACM (Communications of the Association of Computing Machinery) has a thought-provoking “Inside Risks” column by William Young and Nancy G. Leveson with the title “An Integrated Approach to Safety and Security Based on Systems Theory – Applying a more powerful new safety methodology to security risks.”

In a nutshell, the article proposes using a security extension of STPA (System Theoretic Process Analysis) called STPA-Sec, which comprises the following steps:

  1. Identifying the losses to be considered
  2. Identifying system hazards or security vulnerabilities
  3. Drawing the system functional control structure
  4. Identifying unsafe or insecure control actions
  5. Identifying intentional actions in the generation of causal scenarios

It is asserted that it is the last item (No. 5) that differentiates STPA-Sec from STPA (classic?). “An STPA Primer, Version 1, August 2013” is available at

That additional step becomes more readily understood when you consider the roles of safety and security experts, as defined in the column, namely:

“Safety experts see their role as preventing losses due to unintentional actions by benevolent actors. Security experts see their role as preventing losses due to intentional actions by malevolent actors.”

I happen to disagree with these definitions since “bad actors” can compromise the safety of systems, and well-meaning users cause security-related losses accidentally. In my book “Engineering Safe and Secure Software Systems,” I chose different definitions, which were introduced by Barry Boehm, namely:

  • Safety – the system must not harm the world
  • Security – the world must not harm the system

Be that as it may, I was particularly taken by the comment in the CACM article that “[t]he key question facing security analysts should be how to control vulnerabilities, not how to avoid threats.” Actually I would have substituted the words “prevent attacks being successful” for “avoiding threats” since I am an advocate of avoidance and less so of prevention, which latter approach hasn’t been too effective of late. Controlling vulnerabilities is the essence of avoidance.

By the way, I referenced a 1983 paper co-authored by Professor Leveson on page 65 of my book. Unfortunately, I did not pick up on her more recent work … until now. Of particular note is her 2011 book “Engineering a Safer World – Systems Thinking Applied to Safety,” published by MIT, which is available as a free download at  It should be noted that the word “security” does not show up, even once, in the book’s index. Clearly the CACM article represents new thoughts about the transfer of systems approaches to safety and security.

There is much more to be discussed with respect to the Young-Leveson proposed approach to integrating safety and security into system-theoretic approaches, but that will have to wait for a subsequent column. Meanwhile, I recommend that infosec professionals become familiar with the Young-Leveson article, Leveson’s book and the STPA method. There is much to commend these documents.
