Treatise: Theory

WE WISH to develop an elemental theory—or philosophy—of Cybersecurity. And it is to be a theory so fundamental in nature, so complete and broadly applicable—that it must form an actual Science Of Cybersecurity.

Now we have already asked the question: What Kind Of A Science Is Cybersecurity?

And we provided an answer—of sorts. We concluded that Cybersecurity is impossible to develop as a logical subject of study—without first establishing an observational science that identifies what we are dealing with in the first place. Our approach is akin to a Newtonian science that places emphasis on fundamental objects, processes, forces and their composability. Henceforth our new science of Cybersecurity will be—above all—a science that focusses on definition, classification, axioms and establishing taxonomies of threats and countermeasures—plus topic: structure/relationship ‘maps’ for all concepts etc.

Our key aim is established. Desired is a foundational theory for the entire subject matter of Cybersecurity. One theory to rule them all,  so-to-speak.


Theory is—all very well and good—but it must have purpose and be practical. In other words any valid theory must be held to account, and be testable, provable—plus useful.

It therefore seems clear that Cybersecurity theory must be—in one sense—a purely objective property. However because it is influenced by perceptions/judgements/predictions—it is at the same time a subjective property.

Evidently, factors such as: inadequate knowledge of any/all unsafe-actors; plus hidden and changing threat types—can cause incorrect and/or revised predictions in this respect. Henceforth making judgment(s)—as to the various capability, coverage and control aspects of security theory is especially difficult—because these are inevitably human assessed factors (automatic monitoring systems aside).

Security status is simultaneously a goal, metric, judgment and prediction; in addition to being a real-world fact/truth. Accordingly, many interrelating factors are evident for a particular system operating at any specific epoch.

At the very least—the person making the cybersecurity judgment(s)/decision(s) seeks to:

  • Be in possession of all the facts—or make accurate predictions on real-world: threats/defensive capabilities, and judge the effectiveness of threat-models; plus accuracy of monitoring system(s) etc; and
  • Adequately perceive/understand labyrinthine relationship(s) between multiple, complex, fixed and/or changing factors for relevant: systems/tools/networks/ actors/attackers etc—including future ones; and
  • Implement valid cybersecurity measures, plus avoid/correct mistakes etc.

The defender seeks to accurately: perceive, measure and understand all relevant factors; and so to assess which ones will influence overall cybersecurity strategy. Ergo privacy status may be partly a perception, model, prediction, belief and/or truth/falsehood; depending upon your point of view and information/knowledge level(s).

Science Of Cybersecurity Framework (SCF)

In order to establish a logically coherent statement of basic theory, and to enable orderly progression for the same; we have developed the Science Of Cybersecurity Framework (SCF). Whereby, the SCF comprises all of the various principles, axioms, concepts and term definitions contained on this site / book—amounting to a complete characterisation of the entire subject matter of Cybersecurity.

Real-World Scenarios

Ultimately, Cybersecurity involves assimilation of intelligence from as many as possible of the different: threats, actors, systems, entry and defensive methods present. Hence cybersecurity is an interdependent capability—and it must be constantly monitored and defended; plus—be (ideally) ever adapting to the changing needs/requirements of the open-network’s perilous environment.

Unfortunately, the real-life situation may be even worse than this, because whenever you share access to a digital item—you trust: A) any and all primary/secondary network users (i.e. multiple humans); plus; B) the communication-system itself (i.e. primary and secondary network security). Ergo, dangers may include both human and systematic vulnerabilities.

Accordingly, measuring/quantifying the effectiveness—of any and all of these protective factors— may also be seen as judgments/predictions—in and of themselves. This is because they are (likewise) human-made/fallible entities that must cope with other (perhaps unknown) entities; specifically ones that may have been designed to nullify said anti-discovery/defensive techniques. Potentially present also (in the future) are multiple human antagonists who work to sweep-aside any security measures that are put in place.

What to do—and how/by-which-means?

Feasibly we can apply a little—deeper theory—and ask what is the nature of protection—or what are the most effective defensive techniques? (i.e. risk-free ones). We can conclude that all of our  Cybersecurity related judgements, strategies, policies and defences are critically dependant on the development and application of sufficiently true, valid, integrated and holistic Cybersecurity theory.

Cybersecurity Theory: The Way Ahead

By what means then, can we summarise (in theoretical terms) how the system designer/user should go about protecting a data-processing stack from all possible attacks? The answer lies in asking and continually re-asking— the right questions—plus challenging assumptions—in relation to cybersecurity.

Firstly, we desire to know—what types of data require which types of protection and why—and for how long. In the past (prior to Bradley Manning, the Internet etc); military organisations were very good at this type of thing— categorisation of security access levels etc. That is assigning confidentiality/accessibility levels to every item of data— or individual unit of information/knowledge. However that was before open-network complexity exploded; and the attackers/attack-vectors multiplied in numbers, types, motivations and capabilities etc.

Nevertheless, a good rule-of-thumb—as detailed in coming sections—is to consider who needs to have access to the item/system and why. Physical and virtual denial/blocking techniques—to eliminate certain unsafe actors—may be the safest way to proceed.

Patently obvious—at the same time—is that we should involve all partners, stakeholders, and legitimate users in any cybersecurity analysis or strategy development; plus operation(s). Everyone must be adequately briefed—continually—and on the changing nature of likely threats/responses.

When an individual must rely on his/her own capabilities—it becomes difficult to know where to go for advice. Do we trust the cloud providers like Google and Apple—or else look for P2P solutions; or even avoid/ abandon the digital-world for our most private items? Finding answers is not so easy—because they depend upon a host of technical, human and situation-specific factors. It is often easier to make recommendations to people—in relation to cybersecurity—who know a lot about the technical aspects of security; but less-so for less-technical people. This is so partly because less-geeky people (perhaps understandably) have other concerns, and/or they are not interested in all of the (confusing) technical details.

Here on this site we have avoided technical details—so far as we were able. Instead we have placed our faith and trust in a logical approach; whereby we rely on understanding the implications (and applications) of fundamental Cybersecurity theory; in the belief that with great knowledge comes great power. Specifically it is our contention that if one can completely define plus understand the inherent nature of all the basic Entity Classes and also all of the Process Forms possible in any specific Cybersecurity scenario; then we are in a far better position to create (and control) positive outcomes.


The arguments developed on this site chart close-to-the-wind in terms of exploring relationships between a host of technical and human-centric concepts/principles (hopefully to useful effect). Overall, we are seeking to unify the technical and human—opportunities and risks—for information security.

As stated—security is protection of privacy of meaning. However the simple logical clarity of this statement changes in certain subtle and difficult to determine ways— when it crosses-over into the realm of cyber. In particular—in the digital-world—nothing is entirely private—and one must lock/block/conceal all illicit entry-methods for secret/private items. As many as possible of the physical, virtual and meaning gateways must be protected—and in order to retain any chance of achieving absolute security.

It is also my opinion, that attaining absolute security— or assured protection—in relation to the privacy of our interpersonal communication(s)—is not some impossible dream—mythical being—or paper-tiger. Rather, socially secure communication demands that the communicants abide by a relatively straight-forward set of principles and systemic/technological theory—and employ communication tools that do the same.

Nobody said it would be easy to communicate privately, safely and with integrity plus assurance; it isn’t; but despite the existence of many dangers/pitfalls, absolute security is eminently achievable [1][2].

Over coming sections we shall explore Cybersecurity theory with sufficient rigour, depth, breadth plus integration; such that a new all encompassing picture—and detailed philosophy—of the entire field is formed. Overall it is our contention that the resulting holistic point of view—amounts to nothing less than the beginning of an actual Science Of Cybersecurity.

We leave it to the reader to judge the extent to which we have achieved our aim.

Privacy is not for the passive.

— Jeffrey Rosen


[1]  Information Security is such a vastly complex—and rapidly evolving—technological field—that it is impossible to depict anything but a rudimentary facsimile (of a small sub-region) of the same in a single treatment. Nevertheless, holism is the key goal.

[2] The Science of Cybersecurity outlined here—whilst striving to be complete in terms of axioms, logic, founding principles and fundamental definitions etc; must (obviously) be seen as work in progress (for the security community as a whole).