Maixin Research

Demographics. Geopolitics. Innovation.

Identifying Domains In Security

Discussing Innovation

Security domains involve the areas which cover the risks and threats to a system requiring security, which can be a government, company, community or another type of entity. Objects and actors can be anything from people to design to reactions and anything that allows input and provides output, or is part of both. While we use examples of digital security and risks, these risks apply to security outside of the digital world and we can apply many of these domains to past systems before the digital world (or current systems outside the digital world).

External. External security covers actors and objects outside the system requiring security. If the system is a company, external threats could be foreign or local hackers outside the company, industry competitors, activists, etc. Almost all discussions about security involve external since this is what most discussions perceive to be the largest threat.

  • Risks. From allowing input to tying information to allowing any external access, external design involves anything intended for outside actors and objects of the system to review. APIs provide an example of a popular external risk vector, as they often receive input and provide output for external resources.
  • Threats. External threats differ from system to system. Companies may have entirely different threats than governments. Culture also has an impact since some cultural environments may favor eliminating a system while other cultural environments may favor intellectual property theft.

Internal. Internal security covers actors and objects within the system and linked to actors and objects within the system requiring security. The latter part of internal security is seldom understood: if an employee at a company reveals information to a friend, the friend becomes an internal security risk because of the link with the employee. Despite the common assumption that companies are most threatened by external security, internal security is by far the highest risk. Of the major cybersecurity compromises that Maixin Research investigated, most of them could be tied to internal information leaked to external sources.

  • Risks. From the internal design to the hierarchy, the internal organization of resources within the system creates attack vectors. Unqualified promotions show an example of this risk, as they have exposed several major companies to internal attacks due to a person with too much access relative to their skill.
  • Threats. Internal risks are ubiquitous in the system itself and links to the actors and objects within the system. Employees pose huge risks, but so does AI in many contexts, as AI like humanity can be manipulated.

Complexity. Complexity within systems creates risks that involve both internal and external and that can compound risks and threats. Unlike external and internal, complexity can involve both and has its own risks and threats regardless of internal or external actors. A comparison of a simple versus complex system:

  • Simple system: a business meets a customer’s need.
  • Complex system: if legal approves after a review with government and other legal entities, a business provides a resource that a customer must get through an intermediary, which has a license to be an intermediary from a legal entity, that has permissions from a federal legal entity.

We can see a comparison of a simple and complex system within the same country country – the Amish (simple system) versus medical bureaucracy in the United States. The Amish have a localized and simple system where businesses meet customers need without bureaucracy. The medical system in the United States ties hundreds of entities together that must exist for the entire system to function. An attack against an Amish community would do nothing to other Amish communities – the simplicity of their system offers not only robust security, but also a system that can withstand adversity. By contrast, an attack against one medical entity within the complex medical system could cause an entire system halt.

Consistent with behavioral laws, complex systems desire more complexity and increase their complexity until they collapse. All complex systems eventually collapse (the Ottoman Empire and the Soviet Union were two complex systems that collapsed in the 20th century).