Chapter 2: Metrics

WE BELIEVE that it is not possible to develop a science of Information Security—without first establishing an observational science that identifies what we are dealing with in the first place (i.e. recognition of particular security-related things/events and subsequent definition of object/process classes etc). Ergo, we become able to know what kinds of phenomena to look for, measure, model and control etc. QED.

Accordingly, in this section we begin our new cybersecurity science by establishing all necessary definitions, classifications, and (in particular) fundamental axioms etc.

Axiomatic Approach

The Oxford English Dictionary gives the following definition of an Axiom:

  • A proposition that commends itself to general acceptance; a well-established or universally-conceded principle; a maxim, rule, law.
  • Logic. A proposition (whether true or false).
  • Logic and Math. ‘A self-evident proposition, requiring no formal demonstration to prove its truth, but received and assented to as soon as mentioned’ (Hutton).

As outlined on the back-cover of ‘The Science Of Cybersecurity’—presented here for the first time is a logical explanation of the fundamental theory and principal axioms of Cybersecurity as developed from first principles, and in a format ideally suited to both— the engineering-minded professional—and the less technically-oriented.

Communications Security

The British physicist Professor Donald MacKay (1922-1987) once said that the informational content of a message/representation consists of three components; metrical, descriptive, and selectional [1].

Accordingly, in terms of the point- to-point transfer of information units (datums) between two humans—or the one-to-one replication of meaning from a sender to receiver— we can differentiate between the information pattern that is sent (i.e the atomic, symbolic and/or metrical data being replicated—the digital 0s and 1s etc), and the descriptive and selectional capacity of the receiving system/human. In other words, the receiver engages in a process of interpretation by utilising his or her ‘beholder’s share’ [2].

Hence the meaning of a message is crucially dependent on the specific way(s) in which the receiver decodes and interprets the message. Ergo meaningful, effective and efficient communication between two parties depends upon a certain degree of synchronisation and agreement in terms of factors such as language, experience, truth, history, plus mode and context of the communication process itself.

Whereby it is important to realise that the entire subject matter of (communications) cybersecurity depends upon—and is (entirely) developed from— the axiomatic statements and principles presented in the previous three paragraphs. In sum, this paper (or section) is a characterisation of said axioms.

A Simple Question

We begin with a simple question—what is security—in-and-of-itself—and especially in terms of digital information sharing? In order to be able to formulate an answer we must narrow our eld of study—and concern ourselves solely with person- to-person (point-to-point) information transfer. We can differentiate this topic from all other information transfer types which involve either a source-point and/or end-point that is not a human being. Ignored methods include machine-to- machine, machine-to-person, and person-to- machine techniques.

In other words; we are not concerned with those cases where a computer initiates transfer(s) of information between machines, or does so automatically from machine to human or vice-versa.

Communication Of Meaning

A datum of any idea or thing is a pattern of meaning, an abbreviated description, definition or set of ‘facts’ concerning the thing in question; typically prescribing an event, object, feeling, etc.; in token of, as a sign, symbol, or evidence of something [Axiom 1].

Datums are typically expressed within the boundaries of a specific language, medium, media and/or code; and normally each datum has an inherent lifetime whereby it may be created, stored, communicated, replicated, lost and/or destroyed etc.

Each datum has a human and/or machine creator/ author, plus normally human owner(s) and user(s) (ref. social accessibility (or privacy) status) [Axiom 2].

Datums come in three kinds [Axiom 3]:

  • A private datum is accessible only by a restricted group of people—or a particular set of human beings; and is inaccessible to all other persons [Axiom 3.1].
  • A secret datum is accessible only by a single human being—typically the owner and often the author; and is inaccessible to all other persons [Axiom 3.2].
  • An open datum is (potentially) accessible by anyone—or by an unrestricted group of people [Axiom 3.3].

A communication system is a system or facility for transferring datum(s)/patterns-of-meaning between persons and equipment. The system usually consists of a collection of individual communication networks, transmission systems, relay stations, tributary stations and terminal equipment capable of interconnection and interoperation so as to form an integrated whole [Axiom 4].

Privacy And Security Defined

Prior to the widespread adoption of the Internet—information assurance concerned reliable data storage/processing. But today, whilst data backups and storage etc are vital, security is more often associated with data communications security— herein our primary concern.

Accordingly, in the present paper (or section) we shall explore just one of twelve possible security sub-system types (communication of private-datums): wherein we analyse transfer of private datum-copies existing on a point-to-point communication system (whilst super cially considering aspects of data storage and presentation wherever necessary). Other sub-system security measures may be necessary in a real system—and in order to protect standard computer processing, storage and presentation operations; and not only for private datums but for secret and open datums as well.

We ostensibly exclude from our discussion all systems of public information sharing (i.e. open- datums) and social networks whereby the information transfer is one-to-many, many-to-one or many-to-many (i.e. Facebook / Twitter).

Accordingly—SECURITY—for a person-to- person communication system—can be defined as: ‘protection of secrecy, privacy or openness of meaning; or the safe transfer of single/multiple datum(s) between human(s)’ [Axiom 5].

In this context—PRIVACY—implies that:

  • A communication system exists that connects humans together via socially restricted access-nodes;
  • The source datum (+ meta-data) is sent from sender to receiver node as a single or uniquely accessible copy;
  • Both access-nodes may serve as memory- nodes for the datum, so long as socially unique access is preserved;
  • The datum is protected from unwarranted social access (i.e. who can see, know & change it) by the system;
  • Protection of datum access is for specified place(s) and time(s) and to achieve a state of persisted privacy.

We submit that the aforementioned list of axiomatic predicates—for secure and private communication—are valid, sound, consistent, self- evident and complete. QED.

N.B. In this context—‘uniquely accessible’ refers to protection of Social Accessibility Status (or Privacy Status (i.e secret, private, or open status)) for the communicated datum; whereby (within the boundaries of) the communication system—no change(s) to the pre-existing privacy status can happen (it is immutable in terms of accessibility).

Real World And Virtual Accessibility

It is salient (for upcoming discussion(s)) to consider how we obtain access to any item in the real-world. To access an item, we:

  • Look for the item—or scan a scene—and in order to identify/delineate the desired thing and so to discover its whereabouts, form and/or precise location (whilst distinguishing it from background clutter). Next we:
  • Move towards the item—or a navigate a path to its location—before grasping/touching it (whilst avoiding any path-blocking objects and/or overcoming any movement difficulties present); and finally we:
  • Study/map/open-up/decode the item— and in order to understand its contents and/or meaning (may require prior knowledge/special techniques and/or unlocking methods and/or unique key(s)).

In a similar fashion, we can define—

INFORMATION SECURITY—sometimes shortened to InfoSec, as the practice of defending information (datums) from unauthorised access —including unapproved: inspection, use, copy, disclosure, disruption, modi cation, recording or destruction of said item(s). Cybersecurity is a general term that can be used regardless of the form the data may take (e.g. electronic, physical).

Cybersecurity is the (continuous) state of preventing unauthorised communication-system actors/intruder(s) from:

  • Locating the item; and/or
  • Grasping the item; and/or
  • Opening-up the item.

Accordingly, we now define a process of secure information transfer—that consists of private data shared during a one-to-one information replication. Our exposition defines (for the rst time) a comprehensive set of cybersecurity—definitions— and axiomatic first principles.

Let us now establish some logical truths.

Firstly, in summary, we can state that— SECURITY—for a private, secret and/or open datum is the preservation of social accessibility status (or privacy status)—by means of the explicit protection of said datum’s status. Protection implies the use of systems and procedures—both human and/or machine—to defend said privacy status.

Social Accessibility (Privacy) Status

Social Accessibility (Privacy) Status = The ability of a person to see, know and/or change a datum’s form and/or content [Axiom 6].

Security = Protect accessibility status of item.

  • Access = Find, contact and/or know an item.
  • Possess = Find (see/locate) plus contact (reach/grasp/hold) an item.
  • Protect = Lock, Block or Conceal an item [Axiom 7].

Privacy [cp. secrecy=datum is accessible by only one person]: A private-thought/datum is distributed/available to a limited number of people; and hence some form of social sharing (& trust), plus protection is implied; and in order to prevent it from morphing into an open-thought/datum (or partially open-thought/datum).

Protection Methods

In sum, to protect an item you may need to:

  • Lock—unsafe-actor(s) cannot open/know an item’s form/content.
  • Block—unsafe-actor(s) cannot reach/grasp an item’s form/content.
  • Conceal—unsafe-actor(s) cannot see/find an item’s form/content.

Note that within the concept/remit of locking an item; ofttimes there is a difference between having and knowing an item. Locking creates a gap/barrier or unbridgeable chasm—between possession and full access/understanding—for unauthorised parties—and especially in relation to the inner meaning of information.

Practical Security System

Now that we have established the fundamental theory of secure communication of meaning; we need to specify the basic features of a practical security system.

We begin by identifying a secret-datum (analogous to a secret-thought)—which has not yet left the source-point (or sender’s mind); and which is assumed to be unique in that nobody else can know (or discover) the precise form or content of the datum at the source-point. Once the datum arrives at the destination-point; then it is a private- datum; because it now exists—ostensibly solely—as an identical copy in both locations simultaneously (it is a private-thought).

As an aside, an open-datum is one that anyone may access—but open-thoughts/datums are not a subject of this paper. Note also that the terms private, secret and open thought, are simply analogues of the relevant datum types. Henceforth adjudging that a point-to-point communication is private and secure; is equivalent to saying that the original unit of meaning existing at the ‘source’ node has, as a result of the one-to- one replication, only one accessible copy—at the ‘receiver’ node.

Furthermore this copy is— unequivocally—accessible only by the (trusted) human for whom the communication was intended (i.e. it is access-controlled).

We call such a process single-copy-send—or socially secure communication [Axiom 8]—whereby the process of communication may itself be private (no public meta-data exists); and there is no possibility of any nth-party obtaining a copy of the communicated datum.

A party might be able to guess the informational contents of the datum—or presuppose that the sender/receiver parties possess it and/or have exchanged it—but that is altogether different from certain knowledge. Note that for a secret-datum socially secure communication restricts access to just one person. Hence the sender and receiver/viewer are the same person; and the system simply ‘memorises’ the datum.

In a like manner, open-datums are memorised by the system; but are then somehow made available to any party; which assumes that the system itself has a special kind of security (social accessibility protection) whereby said datum(s) are broadcast by means of the system to many/all humans. Implied here is that the system must be open-access or ubiquitous in terms of meaning dissemination.

It seems prudent—at this point—to ask another straight-forward question; specifically:

What is the nature—and architecture—of secure and private cyber-communication?

In actual fact—answering this pivotal question— will be the primary task of this short paper (or section). And in order to formulate an answer; it is necessary to first establish the key facets of the desired communication ‘chain’ between the parties who wish to exchange information in a secure fashion.

Datums And Datum-Copies

Summary of findings thus far:

  • Human Communication: Transfer of discrete package(s) of meaning—messages— between people; or the one-to-one replication of datum(s) between minds, plus nominal meta-data (perhaps).
  • Socially Secure Communication: Communication that protects socially restricted access (secrecy or privacy) for the replicated meaning—datum(s) + nominal meta-data (perhaps). (see Addendum note below)
  • Open Communication: Communication that protects socially open access for the replicated meaning—datum(s)—and also any meta-data for the communication process itself (perhaps).
  • Single-Copy-Send: Communication of a datum (+ meta-data) with guaranteed social security.

Addendum: Note that accurate determination of the (measured/judged + time-bound) social accessibility status (i.e. Privacy Status)—and its associated protection status or Security Status (for a datum-copy)—means judging whether (or not) an (ostensibly) private-datum is/has-been/can-be (i.e. at-present/ in-the-past/future) communicated with absolute or partial/absent security—and this may sometimes be difficult to achieve with any degree of confidence /assurance. Privacy Status (for a datum-copy) is the legitimate (but potentially transitory/changeable) social accessibility status (i.e secret, private, or open). Whereas Security Status (for a datum-copy) is a protected or unprotected Privacy Status, and accordingly may be known or unknown at any specific epoch—and is equivalent to the measured/judged privacy protection status.A datum-copy’s Privacy Status works together with its Security Status to perpetuate and defend the datum’s inner meaning.

Copy-Centric Metric

Accordingly, we are now in a position to characterise Information Security (or cybersecurity/ InfoSec) in terms of an interesting new copy-centric metric which is defined by a few simple questions:

  1. How many copies are there?
  2. Where are the copies?
  3. Who can see, know and/or change a copy?
  4. How long do copies hang around?


 SCF 1.0 – InfoGraphic B

Replication Of A Primary Copy

Source: ‘The Science Of Cybersecurity’ (2017) – by Alan Radley


It is vital to understand that for a Datum existing on any type of a network computer system; that only three kinds of Datum-Copy types are possible as follows:


A primary-copy is a place-holder for a private datum of meaning—existing within the boundaries of a point-to-point communication system; whose content and form are restricted in terms of social access (i.e who can see, know & change the same); whereby the datum is (ideally) communicated via single-copy-send from the source-point to any (and all) designated receiver-point(s) [Axiom 9].


A secondary-copy is a (communicated/backup) replication of a primary-copy—existing within (or outside) the boundaries of a point-to-point communication system—that may be legitimately produced by the communication process itself (e.g. a central server copy); and/or be illegitimately created as a result of the unwarranted activities of a hacker [Axiom 10]. Legitimate secondary copies are compatible with single-copy-send because—for example—a central- server network creates (ostensibly private) secondary copies to facilitate off-line data sharing/storage. Christian Rogan pointed out to me that the peer-to-peer primary communication copy is also (from one perspective) the true version/copy, which leads to another solution often described as Self-Aware, whereby the object (file or data) enforces its own security protocols/policies.


A tertiary-copy is a replication of a primary or secondary copy—which is generated post- communication by extracting datum(s) from a large body of communication data (e.g. a transatlantic data pipe) [Axiom 11]. Tertiary copies (whilst nefarious) are compatible with socially secure communication or single-copy-send—because for example—the datum-copies may be protected from unsafe-actors by means of strong encryption and/or coding etc.


1. MacKay, Donald., Information, Mechanism and Meaning,The MIT Press,1969.2. E.Gombrich, Art And Illusion. Phidian Press, 1960.