Sage Journals: Discover world-class research

Abstract

With the rapid development of Internet of Things technology (e.g. wireless sensor networks), security has become a global issue. Confidentiality, integrity, and availability (known as the CIA triangle) is widely used to define and model information security. However, this CIA triangle is insufficient to address rapidly changing security requirements. In this article, we divide information systems into four layers: physical layer, operational layer, data layer, and content layers (PODC). Corresponding, hierarchy of information security is proposed. Furthermore, we define the basic security properties for each layer and show that the four properties (i.e. confidentiality, availability, controllability, and authentication, called CACA) are minimally complete and independent for information security. Based on PODC and CACA, a new definition of information security is proposed, which acts as a secure foundation for information systems.

Keywords

Information security Internet of Things security definition CIA CACA

Introduction

Internet of Things (IoT) technology has brought great changes to our daily lives over recent years. It has profoundly affected almost all industries today, from retail to medicine. Wireless sensor networks (WSNs), an integral part of the IoT, play a key role in collecting and conveying isolated information. We have already benefited these novel services, from smart city, self-service store to wearable devices and tiny medical aids. According to the forecast of Gartner,¹ the WSN devices in IoT will reach 20.4 billion in 2020. However, information security has become one of the main problems that hinder the development of WSNs in IoT today. According to 2019 SonicWall Cyber Threat Report,² the IoT attacks increase during 2018 by 217.5% from the 10.3 million logged in 2017. An estimated $5.3 billion dollars were spent on security start-ups in 2018.³ However, the return to this expenditure is often a “warm feeling,” part because of “the lack of a generally accepted definition of information security.”⁴

Most definitions of information security focus on confidentiality, integrity, and availability (also known as the “Security Golden Triangle” or CIA triangle). For example, Matt Bishop states that “computer security rests on confidentiality, integrity and availability”⁵ and authoritative text offers another similar definition: “computer security attempts to ensure the confidentiality, integrity, and availability of computing systems’ components.”⁶ In this definition, security is only a kind of “attempt,” thus it is imprecise. In practice, with the rise of new techniques, security is only aligned with CIA no longer. A typical example is the Stuxnet worm. Known as the first cyber-warfare weapon, Stuxnet was used to attack the Natanz uranium enrichment facility in Iran and it is believed to have caused its production to drop by 15% in 2009.⁷ Although Stuxnet did not steal or erase any data, it was used to physically destroy infrastructures of IoT and thus is completely beyond the realm of CIA.^8–10 Therefore, the CIA triangle is not intrinsic and lacks completeness or precision. With the rise of new Internet of Thing technologies, there are more critical infrastructures needing in WSNs to be strictly controlled. This requires that information security should be re-defined to satisfy security requirements.

To address the above problem, in this article, from the perspective of information flow, we divide information systems into four layers: physical layer, operational layer, data layer, and content layer (PODC). Furthermore, we analyze their security threats. We define the basic security properties for each layer and show that the four properties (i.e. confidentiality, availability, controllability, and authentication, called CACA) are minimally complete and independent for information security. Based on PODC and CACA, a new definition of information security is proposed, which acts as a secure foundation for information systems of WSNs.

The rest of the article is organized as follows: the related work is introduced in “Hierarchy of information security” section, and “Connotation of information security” section presents the connotation of information security for this article. We propose the new definition of information security in “Defining information security” section. Finally, we conclude our work in “Conclusion” section.

Hierarchy of information security

In order to precisely define information security, we must analyze information systems. From the perspective of information flow, information systems can be summarized as follows: “data is processed by software programs running on physical systems before being utilized by users.” In this summarization, the four notions—physical systems, software program, data, and utilization—are critical. Based on the four notions, information systems can be divided into four layers: physical layer, operational layer, data layer, and content layer. The physical layer, consisting of physical devices and related infrastructures, is the fundamental layer underlying the logical structures of the higher level functions. The operational layer is composed of “a set of programs, procedures, algorithms and its documentation concerned with operations of a data processing system,” and tells a computer what to do and how to do it. The data layer deals with operations involving information. Such operations include collection, processing, retrieval, transmission, exchange, and display of information. Different from the data layer, the content layer focuses on “information semantics,” dealing with how to use the information reasonably. As information systems consist of these four layers, the corresponding security problems exist in each layer. As such, from bottom to up, information security can also be divided into four layers—physical, operational, data, and content security (PODC), as shown in Figure 1.

Figure 1.

Hierarchy of information security.

Physical security

The goal of “physical security” is to protect physical devices and infrastructures from being attacked and damaged. With an increasing number of physical devices being located outside of homes or offices, physical security is becoming more urgent. According to Kaspersky Lab ICS (industrial control systems) research, almost 40% of critical infrastructure and are facing a cyber-attack infrastructure and ICS, including electricity grids, water supplies, and cellphone networks in 2017.¹¹ These attacks have increased in other parts of the world as well; for example, Ukrainian power system was attacked by a supervisory control and data acquisition (SCADA) cyber-attack in 2015. This attack left around 230,000 people in the West of the country without power for hours. Today, the majority of the control systems that run critical infrastructures are vulnerable to attack.^12–15

The main threats to the physical layer come from two sources: (1) physical environments such as earthquake, fire, equipment failure and (2) attacks such as electromagnetic leakage, communication interference, signal injection, theft. The major approaches to protecting the physical layer from being threatened by physical environments include fault tolerance and disaster tolerance.

Fault tolerance

A system is fault-tolerant, if it can provide normal services, even facing the failures of one or more components.^16–18 Fault tolerance reduces the risk induced by random errors. Generally, a fault-tolerance system has the following basic characteristics: (1) all single points cannot fail simultaneously; (2) it must be equipped with mechanisms to isolate the failure components and prevent the spread of failure. Typical technologies include replication, redundancy, and diversity.

Disaster tolerance

Consider that a system is deployed in one site; the failure of the site results in the failure of fault-tolerant technology.^19,20 To solve this problem, disaster-tolerance technology is proposed. In disaster-tolerance technology, subsystems with the same functions are deployed in more than one site. Once one site fails (e.g. it is physically damaged), system automatically switches to other site to ensure the continuation of services. Apart from the environment factor, the physical layer is often vulnerable to human attacks, including invasive attacks and non-invasive attacks.

Invasive attacks

In invasive attacks, adversaries observe, manipulate, tamper, and interfere with systems by way of getting into the devices or institute internals.²¹ At the chip level, the typical ways include micro-probing, reverse engineering, injecting or changing control signal, or reconstructing the internal circuit. Correspondingly, three types of techniques are used to prevent invasive attacks: physical invasion prevention, reverse attack prevention and invasion detection and forensics technology.

Non-invasive attacks

Non-invasive attacks, as the name indicates, do not require the device to be opened.²¹ They include two types: side-channel attacks (SCA) and fault induction attacks (FIA). In SCA, attackers observe and analyze different boundary characteristics (such as timing information, power consumption, electromagnetic leaks or even sound.) gained from the physical implementation, rather than brute force or theoretical weaknesses in the algorithms to obtain relevant information. Typical SCA involve timing, electromagnetic radiation, energy consumption, visible light, frequency, and scanning attacks. Using the antenna radiation keyboard, a Swiss scholar could restore information as far as over 20 m away with an accuracy of up to 95%.¹²

In FIA, attackers induce and analyze logical errors of systems by changing the system parameters to obtain information. Adversaries can obtain software code, data, and even the confidential information through FIA. Fault induction technologies include radiation imprinting, temperature imprinting, voltage imprinting.

Operational security

Even if the physical layer is secure, security risks exist in the operational layer because of the uncertainty of software domain, openness of software development, and complexity of various operating environments. Operational security is a process protecting software from abnormal operations such as sudden failing or being attacked. According to a recent estimate, 4180 vulnerabilities in operating systems, application software, and web sites were found between May and July of 2019, with 30.9% of these vulnerabilities labeled as “high” severity.²² Due to these vulnerabilities, the number of computer viruses and malwares introduced in 2018 was found to exceed 137.47 million.²³ Up to 32% of the world’s computers are infected with some type of malware.²⁴ Cybersecurity Ventures predict cybercrime will cost the world in excess of $6 trillion annually by 2021.²⁵ Vulnerability, malicious attacks, and non-malicious human errors are the main factors that influence the security of operations.

Vulnerability is a weakness which allows adversary to reduce a system’s information assurance and always accompanies in the all lifecycle of software.^26,27 In modern software practice, developers are profoundly aware that an efficient software development process, covering a series of management activities from requirement analysis to software destruction, is the main way to decrease the software vulnerability. Typical methods of software process managements involve²⁸ capability maturity model integration (CMMI)^29,30 and software process assessment and improvement, represented by ISO/IEC 15504. Under the thought that “software processes are software too,” the software process models can be used not only to control the software process but to improve software process theory, thus providing automatic support for lowering software vulnerabilities.

Malicious attacks, and non-malicious human errors are the two factors in the operational layer that lead to two types of insecure consequences: denial of service and error output. The Department of Homeland Security and MITER listed 519 kinds of attack methods.³¹ To avoid the artificial attack and non-malicious human errors, the assessment, policy, protection, detection, reaction, and restoration (APPDRR) model is often adopted in practice. The first step of APPDRR model is to assess all risks caused by attacks and non-malicious disoperation. If risks are affordable, then security policies are formulated to balance risks and security costs. Generally, policies are dynamically updated with the change of risks and requirements. Once policies are formulated, the corresponding protection techniques are configured to prevent malicious attacks and non-malicious human errors. Because protection techniques are always incomplete, we must monitor its running state and detect possible failures for a security-critical system. Once failures are detected, reaction must be really made for decreasing the loss caused by failures. For a disaster event, quick restorations are needed to provide contiguous services. The six steps of the APPDRR model evolve by a dynamic and spiral way.

Data security

Even if both the physical and operational layers are secure, the data layer may be insecure, because these two layers only guarantee that systems themselves (not including data within the systems) are secure. Data security is a process to prevent data in transmission, processing, or storage from being disclosed, imitated, tampered, repudiated, and stolen. According to the Identity Theft Resource Center (ITRC), 668 breaches compromised 22,408,258 records between 1 January and 2 July, 2018, with at least 1.7 million Banking/Credit/Financial records involving exposure of individual’s name plus Social Security Number, driver’s license number, medical record, or financial record/credit/debit card.³² The organizational cost for a company to recover from a data breach has grown to $3.86 million.³³ The main threats in the data layers include passive eavesdropping, active listening, unauthorized access, man-in-the-middle attack, session hijacking, false identity, replay attack, control flow analysis. The corresponding protection technologies are cryptography and security protocols, and so on.

Content security

Content security, related with the utilization of information, is a process to control which content can be published, propagated, and used. In the content layer, there are two kinds of information: harmful information and non-harmful information; thus, the research fields addressing this layer can be correspondingly divided into two kinds: (1) how to protect non-harmful information to legally be propagated and used; (2) how to prevent harmful information be published, propagated, and used. The essential difference between data security and content security is that data security focuses on information self, while content security deals with the utilization of information.

In the content security, two roles are worthy to be distinguished: one is “content producers” $p$ and the other is “content consumers” $c$ . Each role has two expectations of using information: (1) $p$ is willing to his information produced to be consumed by $c$ , denoted by $e_{p}$ ; if $p$ is unwilling, the expectation is denoted by $\bar{e_{p}}$ ; (2) $c$ is willing to use information produced by $p$ , denoted by $e_{c}$ ; if $c$ is unwilling, the expectation is denoted by $\bar{e_{c}}$ . So there exist four patterns: $(e_{p}, e_{c})$ , $(e_{p}, \bar{e_{c}})$ , $(\bar{e_{p}}, e_{c})$ , and $(\bar{e_{p}}, \bar{e_{c}})$ . In pattern $(e_{p}, e_{c})$ , consumers are willing to use information produced by producers and these producers also expect this information to be consumed by these consumers; therefore, human intervention is not needed. In pattern $(e_{p}, \bar{e_{c}})$ , although producers expect information produced by them to be consumed by consumers, these consumers do not expect to use this information. $(\bar{e_{p}}, e_{c})$ is just opposite to $(e_{p}, \bar{e_{c}})$ . Typical examples for mode $(e_{p}, \bar{e_{c}})$ and $(\bar{e_{p}}, e_{c})$ are SPAM (which is the use of email systems to send unsolicited bulk messages, especially advertising, indiscriminately) and Digital Rights Management (DRM), which controls the use of digital content and devices after sale is in pattern $(e_{p}, \bar{e_{c}})$ . Pattern $(\bar{e_{p}}, \bar{e_{c}})$ does not happen in practice.

If supervisors are considered, another pattern becomes very important: a consumer is willing to use information produced by a producer and this producer also expect his information to be consumed, but a supervisor do not agree on the utilization. A typical example for this is “content filtering,” which controls what content is permitted to a reader via the Internet.

Connotation of information security

Information security is often represented by CIA. As shown above, the rise of new technologies (e.g. Internet of Vehicles,^34–37 Heterogeneous Sensor Networks,^38–43 Edge Computing,^44,45 Smart City,⁴⁶ Blockchain)^47–49 makes CIA unsuitable. In this section, we will answer two fundamental problems: which security properties are fundamental? What are connotations of these properties? In order to solve the first problem, we define the following definition.

Definition 1

A set of security properties is complete if all security requirements can be deduced from these properties.

Because security requirements might variety in the different layers, we will redefine the completeness for each layer in the next subsections. Because a number of complete subsets could exist for the same requirements, it is necessary to define its minimal complete subset.

Definition 2

Given a complete set P of properties and its subset P_i, P_i is minimal if, for any complete subset $P_{x} (P_{x} \subseteq P)$ , $| P_{i} | \leq | P_{x} |$ , that is, the cardinality of P_x is greater than or equal to that of Pi.

Definition 3

A set of security properties is independent, if any property within it cannot imply another property.

Definition 4

A set of security properties is fundamental, if it is complete, minimal, and independent.

System security

In the system layer (including the physical layer and the software layer), we may not care who provides services to whom, but we do care about the capability of service. Generally, two kinds of service capabilities exist: (1) the first type is that the expected services, representing the requirements of users, can actually be provided, and (2) the second type is that the actual services, representing services that a system can provide, are consistent with the expected services. In order to analyze which security properties are fundamental for the system layer, the first priority is to define these services. Although services provided may dynamically change as the requirements themselves change, they typically remain fixed within a given time period (thus allowing them to be defined). Thus, the expected and actual services are formally modeled as sets, denoted as $ExpServ$ and $ActServ$ , respectively. For a given system, if any expected service can actually be provided, we can conclude that the system meets the availability requirements. Likewise, if any provided service proves to be consistent with the user’s expectations, then the system meets the authentication requirements. Next, we define availability and authentication.

Definition 5: availability

The availability of the system layer (denoted by $Avai l_{SYS}$ ) is defined as follows: for any expected service $x$ , there exists an actual service $y$ which satisfies $x$ , that is, $Avai l_{SYS} \equiv \forall x \in ExpServ$ . $\exists y \in ActServ$ . $x = y$ .

Note that the meaning of “satisfaction” varies for different formal systems; here, equality is adopted. Because availability is used to describe the capability of a system to provide services, the other three kinds for availability can be stemmed from Definition 1 as follows.

Definition 6: weak availability

The weak availability of the system layer (denoted by ${Avail}_{SYS}^{W}$ ) is defined as follows: there exists an expected service $x$ , such that any actual service $y$ satisfies $x$ , that is, ${Avail}_{SYS}^{W} \equiv \exists x \in ExpServ$ . $\forall y \in ActServ$ . $x = y$ .

Definition 7: weakest availability

The weakest availability of the system level (denoted by ${Avail}_{SYS}^{LW}$ ) is defined as follows: there exists an expected service $x$ and an actual service $y$ such that $y$ satisfies $x$ , that is, ${Avail}_{SYS}^{LW} \equiv \exists x \in ExpServ$ . $\exists y \in ActServ$ . $x = y$ .

Definition 8: strong availability

The strong availability of the system level (denoted by ${Avail}_{SYS}^{S}$ ) is defined as follows: for any expected service $x$ and any actual service $y$ , $y$ satisfies $x$ , that is, ${Avail}_{SYS}^{S} \equiv \forall x \in ExpServ$ . $\forall y \in ActServ$ . $x = y$ .

Proposition 1

${Avail}_{SYS}^{S} \Rightarrow Avai l_{SYS}$ , ${Avail}_{SYS}^{S} \Rightarrow {Avail}_{SYS}^{W}$ , $Avai l_{SYS} \Rightarrow {Avail}_{SYS}^{LW}$ , ${Avail}_{SYS}^{W} \Rightarrow {Avail}_{SYS}^{LW}$ , where ⇒ is logical implication.

From Proposition 1, we can say that, if ${Avail}_{SYS}^{W}$ or ${Avail}_{SYS}^{S}$ holds, then $| ActServ | = 1$ . That is, if a given system meets either weak or strong availability, the number of the actual service provided is 1. This makes Definition 6 and Definition 8 impractical. Definition 5 implies Definition 7, thus indicating that Definition 5 is the most suitable for the system layer. In addition, Definition 5 has the following characteristics: (1) an identifiable and expected actual service exists for any expected service; (2) although both the expected services and the actual services are denoted by sets, it does not necessarily specify what the expected and the actual services are. The two characteristics make Definition 5 remain general enough. Due to the generality of Definition 5, many other properties can be instantiated from it, such as survivability.

Definition 9: survivability

Survivability (denoted by $Surv$ ) is defined as follows: for any expected core service $x$ , there exists an actual service $y$ , such that $y$ satisfies $x$ , that is, $Surv \equiv \forall x \in ExpCoreServ$ . $\exists y \in ActServ$ . $x = y$ , where $ExpCoreServ$ is a set of the core services.

Proposition 2

If $ExpCoreServ \subseteq ExpServ$ , then $Avai l_{SYS} \Rightarrow Surv$ .

As mentioned above, the other capability of the system layer involves that the provided service is consistent with the user’s expectations. This consistency with expectation is related to authentication. The Oxford Dictionary defines authentication as “(the ability to) prove or show (something, especially a claim or an artistic work) to be true or genuine.” In order to decide whether authentication is satisfied, two schemes are often used: one is based on comparison while the other is based on logical reasoning. In the first scheme, a key factor involves defining templates. Once templates have been defined, the remaining work involves comparing the actual service with the templates. If they are consistent, then the service is genuine. In the second scheme, should a logical contradiction be found, the service is determined to be untrue. In the system layer, the first scheme is often adopted. Based on this analysis, we define authentication as follows.

Definition 10: authentication

The authentication of the system layer (denoted by $Aut h_{SYS}$ ) is satisfied, if for any actual service $x$ , an expected service $y$ exists, such that $x$ satisfies $y$ , that is, $Aut h_{SYS} \equiv \forall x \in ActServ$ . $\exists y \in ExpServ$ . $x = y$ .

Similar to availability, three other types of authenticity are discussed here.

Definition 11: weak authentication

The weak authentication of the system layer (denoted by ${Auth}_{SYS}^{W}$ ) is satisfied, if there exists an actual service $x$ such that for any expected $y$ , $x$ satisfies $y$ , that is, ${Auth}_{SYS}^{W} \equiv \exists x \in ActServ$ . $\forall y \in ExpServ$ . $x = y$ .

Definition 12: weakest authentication

The weakest authentication of the system layer (denoted by ${Auth}_{SYS}^{LW}$ ) is satisfied, if there exists an actual service $x$ and an expected service $y$ such that $x$ satisfies $y$ , that is, ${Auth}_{SYS}^{LW} \equiv \exists x \in ActServ$ . $\exists y \in ExpServ$ . $x = y$ .

Definition 13: strong authentication

The strong authentication of the system layer (denoted by ${Auth}_{SYS}^{S}$ ) is satisfied, if for any actual service $x$ and any expected service $y$ , $x$ satisfies $y$ , that is, ${Auth}_{SYS}^{S} \equiv \forall x \in ActServ$ . $\forall y \in ExpServ$ . $x = y$ .

Proposition 3

$Aut h_{SYS} \Rightarrow {Auth}_{SYS}^{LW}$ , ${Auth}_{SYS}^{W} \Rightarrow {Auth}_{SYS}^{LW}$ , ${Auth}_{SYS}^{S} \Rightarrow Aut h_{SYS}$ , ${Auth}_{SYS}^{S} \Rightarrow Aut h_{SYS}$ .

Proposition 4

Given a system, if ${Auth}_{SYS}^{S}$ holds, then $| ExpServ | = | ActServ | = 1$ .

Proposition 5

Given a system, if ${Auth}_{SYS}^{W}$ holds, then $| ActServ | = 1$ .

The above two propositions show that, if ${Auth}_{SYS}^{S}$ and ${Auth}_{SYS}^{W}$ are true, then the numbers of the actual services and the expected services are equal to 1, respectively, which means that Definition 11 and Definition 13 are impractical. Definition 10 implies Definition 12, meaning that Definition 10 is the strictest.

Definition 14: completeness in the system layer

Given a set $P$ of security properties, set $ExpServ$ and set $ActServ$ , $P$ is called $P_{SYS}$ -complete in the system layer, if all $p$ ( $p \in P$ ) holding under both $ExpServ$ and $ActServ$ implies $ExpServ = ActServ$ .

Because only services are considered in the system layer, the corresponding security goal is to ensure that the services actually are equal to those of the expected services. As such, we have the following theorem.

Theorem 1

{ $Avai l_{Sys}$ , $Aut h_{Sys}$ } is $P_{SYS}$ -complete.

Proof

If $Avai l_{Sys}$ is satisfied, then for any $x \in ExpServ$ , $x \in ActServ$ holds, that is, $ExpServ \subseteq ActServ$ ; and if $Aut h_{Sys}$ is satisfied, then for any $x \in ActServ$ , we have $x \in ExpServ$ , that is, $ActServ \subseteq ExpServ$ . Thus, { $Avai l_{Sys}$ , $Aut h_{Sys}$ } is $P_{SYS}$ -complete.

Theorem 2

If $| ExpServ | > 1$ , then { $Avai l_{Sys}$ , $Aut h_{Sys}$ } is minimally $P_{SYS}$ -complete.

Proof

According to Propositions 4 and 5, if $| ExpServ | > 1$ , then $Avai l_{Sys}$ , $Aut h_{Sys}$ , and ${Auth}_{SYS}^{W}$ will be false; likewise, if $| ActServ | > 1$ , then ${Avail}_{SYS}^{W}$ will be false. As a result, ${Avail}_{SYS}^{W}$ , ${Auth}_{SYS}^{LW}$ , $Avai l_{Sys}$ , or $Aut h_{Sys}$ is not $P_{SYS}$ -complete. Thus, { $Avai l_{Sys}$ , $Aut h_{Sys}$ } is minimally $P_{SYS}$ -complete.

Theorem 3

$Avai l_{Sys}$ and $Aut h_{Sys}$ are independent of each other, i.e. $Avai l_{SYS} ⇏ Aut h_{SYS}$ and $Aut h_{SYS} ⇏ Avai l_{SYS}$ .

Proof

Let $ExpServ = {a, b}$ and $ActServ = {a, b, c}$ , then $Avai l_{Sys}$ holds, and $Aut h_{Sys}$ is false, therefore $Avai l_{SYS} ⇏ Aut h_{SYS}$ ; Let $ExpServ = {a, b}$ and $ActServ = {a}$ , $Aut h_{Sys}$ is true, and $Avai l_{Sys}$ is false, therefore $Aut h_{SYS} ⇏ Avai l_{SYS}$ .

Data security

The main security goals of the data layer are to protect data from being stolen, tampered with, and repudiated during the period of data storage, retrieval, transmittal, and display. In order to analyze the security requirements in this layer, three basic security roles should be distinguished: initiator (subjects in the source), responder (subjects in the destination), and attacker, as shown in Figure 2.

Figure 2.

Attack model in the data layer.

Figure 2 models an attack of the strongest threat. In this model, attackers can steal, intercept, analyze, counterfeit, and store any data being transmitted between initiators and responders.

Definition 15

Let INIT, RESP, and DATA represent sets of initiators, responders, and data, respectively. The functions $Send$ and $Recv$ are defined as follows.

$Send : INIT \to 2^{INIT \times RESP \times DATA}$ denotes that an initiator sends data to a responder with the constraint that $Send (x) ↑_{1} = {x}$ , where $↑_{1}$ denotes the project on the first dimension. For example, ${(a, b, c)} ↑_{1} = {a}$ . $Send (x) = {(x, y, z)}$ means that initiator $x$ sends data $z$ to responder $y$ .

$Recv : RESP \to 2^{INIT \times RESP \times Data}$ denotes that a responder receives data from an initiator with the constraint that $Recv (y) ↑_{2} = {(y)}$ , where $↑_{2}$ denotes the project on the second dimension. For example, ${(a, b, c)} ↑_{2} = {b}$ . $Recv (y) = {(x, y, z)}$ means that responder $y$ receives data $z$ from initiator $x$ .

With an initiator able to send data to many responders at one time, and a responder able to receive multiple data sets at any given time, the domain of the function in Definition 15 is a power set.

Definition 16

The availability in the data layer, as denoted by $Avai l_{DATA}$ , is defined as follows

$\begin{matrix} Avai l_{DATA} & \equiv \forall x \in INIT . \forall y \in RESP . \forall z \in DATA . (x, y, z) \\ \in Send (x) \to (x, y, z) \in Recv (y) \end{matrix}$

Definition 16 can be instantiated as other properties, for example, as heartbeat availability. An example for heartbeat availability is emergency responses which stipulate that the priority is to receive data, and not necessarily the data sent by specified responders. This can be defined as heartbeat availability.

Definition 17

The heartbeat availability in the data layer, denoted by ${Avail}_{DATA}^{heart}$ , is defined as

$\begin{matrix} {Avail}_{DATA}^{heart} \equiv \forall x \in INIT . \forall y \in RESP . \\ \forall z \in DATA . (x, y, z) \in Send (x) \to \exists z_{1} \\ \in DATA . (x, y, z_{1}) \in Recv (y) \end{matrix}$

Proposition 6

$Avai l_{DATA} \Rightarrow {Avail}_{DATA}^{heart}$ .

In the data layer, one other important problem is whether data can be obtained only by the right responders. This concerns confidentiality, as follows.

Definition 18

The confidentiality in the data layer, denoted by $Cnfd t_{DATA}$ , is defined as follows: any unexpected responder cannot obtain any related data, that is

$\begin{matrix} {Cnfdt}_{DATA} \equiv \forall x \in INIT . \forall y \in RESP . \\ \forall z \in DATA . (x, y, z) \in Send (x) \to (x, y, z) \notin ⋃_{t \in \bar{{y}}} Recv (t) \end{matrix}$

As shown above, an attack can occur as a legal communicator, and we should be able to distinguish between the two. Let $Init = INIT - Atk$ and $Resp = RESP - Atk$ , where $Atk$ is a set of attackers. In Definition 18, the unexpected responders include attackers and the other occasional obtainers. If we limit the unexpected responders to attackers, then we have the following definition.

Definition 19

Confidentiality when attackers are considered, denoted by ${Cnfdt}_{DATA}^{Atk}$ is defined as follows: any attacker cannot obtain any data which is not related to it, that is

$\begin{matrix} {Cnfdt}_{DATA}^{Atk} \equiv \forall x \in Init . \forall y \in Resp . \\ \forall z \in DATA . (x, y, z) \in Send (x) \to (x, y, z) \notin ⋃_{t \in Atk} Recv (t) \end{matrix}$

Proposition 7

$Cnfd t_{DATA} \Rightarrow {Cnfdt}_{DATA}^{Atk}$ .

Similar to the system layer, one important property in the data layer is authentication. Generally, state $Y$ authenticates state $X$ if the following statement holds: “if state $Y$ occurs, then state $X$ must have occurred in the past.” For example, an authentication protocol contains at least two states: one is “principal $B$ begins a protocol run with principal $A ″$ ” (called state $X_{0}$ ), and the other is “principal $A$ finishes a protocol run with principal $B ″$ ” (called state $Y_{0}$ ). Principal $A$ authenticates principal $B$ if state $X_{0}$ precedes state $Y_{0}$ .²⁸ We give an intuitive example: in a bank system, an employee must type in his or her user name and correct password before beginning his or her routine tasks. In this case, typing in the correct username and password is the process of authenticating his identification.

Definition 20

The authentication in the data layer, denoted by $Aut h_{DATA}$ , decides whether the corresponding initiator has sent the related data when a responder receives data, that is

$\begin{matrix} Aut h_{DATA} \equiv \forall x \in INIT . \forall y \in Resp . \forall z \in \\ DATA . (x, y, z) \in Recv (y) \to (x, y, z) \in Send (x) \end{matrix}$

In Definition 20, authentication means that, if receiver $y$ receives message $z$ sent by $x$ , then $x$ has indeed sent $z$ to $y$ . Generally, there are two kinds of definitions surrounding authentication: identity authentication and message authentication. Identity authentication is the process of verifying an identity claimed by or for a system entity, while message authentication involves verifying an individual message. There are separate definitions for the initiator’s and responder’s data.

Definition 21

Identity authentication in the data layer, denoted by ${Auth}_{DATA}^{ID}$ , is used to decide whether a corresponding initiator has sent a message when a responder receives it, that is

$\begin{matrix} {Auth}_{DATA}^{ID} \equiv \forall x \in Init . \forall y \in Resp . \\ \forall z \in DATA . (x, y, z) \in Recv (y) \to \exists (x, y, z_{x}) \in Send (x) \end{matrix}$

Definition 22

Message authentication in the data layer, denoted by ${Auth}_{DATA}^{Msg}$ , is used to decide whether the corresponding message has been sent when a responder receives a message, that is

$\begin{matrix} {Auth}_{DATA}^{Msg} \equiv \forall x \in Init . \forall y \in Resp . \forall z \in \\ DATA . (x, y, z) \in Recv (y) \to \exists (x, y_{x}, z) \in Send (x) \end{matrix}$

Proposition 8

$Aut h_{DATA} \Rightarrow {Auth}_{DATA}^{Msg}$ , $Aut h_{DATA} \Rightarrow {Auth}_{DATA}^{ID}$ .

As shown above, the data layer has the three roles: initiators, responders, and attackers. Also there exist three basic requirements in this layer: (1) in the event that attacks take place, the data sent by initiators are able to reach the expected responders; (2) responders can receive the corresponding data from the expected initiators; and (3) attackers cannot obtain any data belonging solely to initiators and responders. We can prove that { $Aut h_{DATA}$ , $Avai l_{DATA}$ , $Cnfd t_{DATA}$ } is minimally complete and independent.

Definition 23: completeness in the data layer

Given a set $P$ of security properties, $P$ is called $P_{DATA}$ -complete in the data layer if all security properties in $P$ holding means that (1) for any $x \in Init$ , $Send (x) \subseteq ⋃_{y \in Y} Recv (y)$ , where $Y = Send (x) ↑_{2}$ ; (2) for any $x \in Resp$ , $Recv (x) \subseteq ⋃_{y \in Y} Send (y)$ , where $Y = Recv (x) ↑_{1}$ ; and (3) for any $x \in Atk$ , we have ${(z, y, d) | z \in INIT, y \in Resp, d \in DATA} \cap Recv (x) = ϕ$ .

Theorem 4

{ $Avai l_{DATA}$ , $Cnf t_{DATA}$ , $Aut h_{DATA}$ } is $P_{DATA}$ -complete.

Proof

(1) For any $(x, y_{0}, z_{0}) \in Send (x)$ , according to Definition 23, we have $(x, y_{0}, z_{0}) \in Recv (y_{0})$ . Because $Recv (y_{0}) \subseteq ⋃_{y \in Y} Recv (y)$ , where $Y = Send (x) ↑_{2}$ , thus $Send (x) \subseteq ⋃_{y \in Y} Recv (y)$ . Similarly, we have that $Recv (x) \subseteq ⋃_{y \in Y} Send (y)$ for any $x \in Resp$ . (2) Let $x \in Atk$ . For any $(y, z, d) \in Recv (x)$ , we have $z \notin Resp$ according to Definition 19 and Proposition 7; thus, ${(z, y, d) | z \in INIT, y \in Resp, d \in Data} \cap Recv (x) = ϕ$ .

Similarly, the following theorems hold.

Theorem 5

If $| Init \times Resp \times Data | > 1$ , then { $Avai l_{DATA}$ , $Cnf t_{DATA}$ , $Aut h_{DATA}$ } is minimally $P_{DATA}$ -complete.

Theorem 6

$Avai l_{DATA}$ , $Cnf t_{DATA}$ , and $Aut h_{DATA}$ are pair-independent of each other, that is, $Avai l_{DATA} ⇏ Cnf t_{DATA}$ , $Cnf t_{DATA} ⇏ Avai l_{DATA}$ , $Avai l_{DATA} ⇏ Aut h_{DATA}$ , $Aut h_{DATA} ⇏ Avai l_{DATA}$ , $Cnf t_{DATA} ⇏ Aut h_{DATA}$ , $Aut h_{DATA} ⇏ Cnf t_{DATA}$ .

Content security

As shown in “Introduction” section, the main security goals of content security are to protect information from being illegally used. Because this layer deals with information utilization, producers, consumers, and supervisors (e.g. trusted third parties (TTPs)) are its basic roles. One may also regard propagators as playing an important role; however, in the utilization level, the process of simply forwarding information can also be seen as a simple intersection between the producers and consumers of this information. Similar to data security, these roles have different user expectations and user actions.

Definition 24: user expectation

Let $Prvd = {p_{1}, p_{2}, \dots}$ , $Cnsm = {c_{1}, c_{2}, \dots}$ , and $Info = {i_{1}, i_{2}, \dots}$ denote sets of consumers, producers, and pieces of information, respectively. User expectation is defined as follows.

$PrvdExp : Prvd \to 2^{Cnsm \times Prvd \times Info}$ returns the producer expectation, and $PrvdExp (p) = {(c, p, i)}$ means that the producer p expects consumer c to use the information i produced by p. A constraint of $PrvdExp$ is $PrvdExp (p) ↑_{2} = {p}$ , where $↑_{2}$ denotes the project on the second dimension. For example, ${(a, b, c)} ↑_{2} = {b}$ .

$CnsmExp : Cnsm \to 2^{Cnsm \times Prvd \times Info}$ returns the consumer expectation, and $CnsmExp (c) = {(c, p, i)}$ means that the consumer $c$ hopes to use information $i$ produced by $p$ . A constraint of $CnsmExp$ is $CnsmExp (c) ↑_{1} = {c}$ , where $↑_{1}$ denotes the project on the first dimension, for example, ${(a, b, c)} ↑_{1} = {a}$ .

$CnsmAct : Cnsm \to 2^{Cmsm \times Prvd \times Info}$ returns the information which has actually been consumed. Its constraint is $CnsmAct (x) ↑_{1} = {x}$ , with $CnsmAct (c) = {(c, p, i)}$ meaning that information $i$ produced by $p$ can be consumed by $c$ .

In some cases, the expectations of some roles conflict with the other. For example, a spammer obviously hopes to push ad emails to all users; conversely, a user on the receiving end does not want to receive these emails.

Definition 25

In the utilization layer, information is available for consumers, denoted by ${Avail}_{UTIL}^{cnsm}$ , if, for any $(x, y, i) \in CnsmExp (x)$ , $(x, y, i) \in CnsmAct (x)$ holds, that is

$\begin{matrix} {Avail}_{UTIL}^{cnsm} \equiv \forall x \in Cnsm . \forall y \in Prvd . \\ \forall i \in Info . (x, y, i) \in CnsmExp (x) \to (x, y, i) \in CnsmAct (x) \end{matrix}$

Definition 25 defines availability from the point of view of consumers: a consumer is able to use the expected information produced by a given producer. Another important characteristic involves ensuring that the obtained information actually meets users’ expectations. This is related to authentication.

Definition 26

Authentication in the utilization level, denoted by ${Auth}_{UTIL}^{cnsm}$ , is defined as follows: if for any $(x, y, i) \in CnsmAct (x)$ , $(x, y, i) \in CnsmExp (x)$ holds, that is

$\begin{matrix} {Auth}_{UTIL}^{cnsm} & \equiv \forall x \in Cnsm . \forall y \in Prvd . \forall i \in Info . (x, y, i) \\ \in CnsmAct (x) \to (x, y, i) \in CnsmExp (x) \end{matrix}$

Definition 26 states that both the obtained information and its source should both meet expectations. Next, we define the completeness (called $P_{UTIL}$ -completeness) in utilization layer (the behaviors of producers and supervisors are not considered).

Definition 27

Given a set $P$ of security properties, $P$ is called $P_{UTIL}$ -complete in the utilization level, if, for any $x \in Cnsm$ , all $p$ in $P$ holding implies $CnsmExp (x) = CnsmAct (x)$ .

Theorem 7

{ ${Auth}_{UTIL}^{cnsm}$ , ${Avail}_{UTIL}^{cnsm}$ } is $P_{UTIL}$ -complete.

Theorem 8

If $| Cnsm \times Prvd \times Info | > 1$ , then { ${Auth}_{UTIL}^{cnsm}$ , ${Avail}_{UTIL}^{cnsm}$ } is minimally $P_{UTIL}$ -complete.

Theorem 9

${Auth}_{UTIL}^{cnsm}$ and ${Avail}_{UTIL}^{cnsm}$ are independent of each other, i.e. ${Auth}_{UTIL}^{cnsm} ⇏ {Avail}_{UTIL}^{cnsm}$ and ${Avail}_{UTIL}^{cnsm} ⇏ {Auth}_{UTIL}^{cnsm}$ .

In Definitions 25 and 26, only the expectations of consumers are considered with the expectations of producers excluded. In many cases, the expectations of producers are very important, specifically in the field of DRM.

Definition 28

In the case that the expectations of producers are considered, availability for customers, denoted by ${Avail}_{UTIL}^{prvd}$ , is satisfied, if, for any $(x, y, i) \in CnsmExp (x)$ and $(x, y, i) \in PrvdExp (y)$ , $(x, y, i) \in CnsmAct (x)$ holds, that is

$\begin{matrix} {Avail}_{UTIL}^{prvd} \equiv \forall x \in Cnsm . \forall y \in Prvd . \forall i \in Info . (x, y, i) \\ \in CnsmExp (x) \cap PrvdExp (y) \to (x, y, i) \in CnsmAct (x) \end{matrix}$

Definition 28 shows that if the consumer $x$ is glad to consume the information $i$ produced by the producer $y$ , and $y$ is willing to have its information $i$ be consumed by $x$ , and then $x$ can consume $i$ . In DRM, a consumer who is not authorized should be prohibited from consuming the related information. This principle is concerned with controllability, and defined as follows.

Definition 29

In the case that the expectation of producers is considered, controllability in the utilization level, denoted by ${Ctrl}_{UTIL}^{prvd}$ , is satisfied, if for any $(x, y, i) \notin PrvdExp (y)$ , then $(x, y, i) \notin CnsmAct (x)$ , that is, ${Ctrl}_{USAGE}^{prvd} \equiv (x, y, i) \notin PrvdExp (y) \to (x, y, i) \notin CnsmAct (x)$ One example in which ${Ctrl}_{UTIL}^{prvd}$ is violated involves the use of copyrighted content without permission. Next, we define the completeness (called $P_{UTIL}^{prvd}$ ) in utilization level when supervisors are considered.

Definition 30

Given a set $P$ of security properties, $P$ is called $P_{UTIL}^{prvd}$ -complete in the utilization level, if, for any $x \in Cnsm$ , $CnsmAct (x) = CnsmExp (x) \cap ⋃_{y \in Y} PrvdExp (y)$ holds, where $Y = CnsmExp (x) ↑_{2}$ .

Theorem 10

{ ${Avail}_{UTIL}^{prvd}$ , ${Ctrl}_{UTIL}^{prvd}$ , ${Auth}_{UTIL}^{cnsm}$ } is $P_{UTIL}^{prvd}$ -complete.

Proof

According to Definition 26, we have $CnsmAct (x) \subseteq CnsmExp (x)$ . From Definition 29, we have $CnsmAct (x) \subseteq ⋃_{y \in Y} PrvdExp (y)$ ; thus, $CnsmAct (x) \subseteq CnsmExp (x) \cap ⋃_{y \in Y} PrvdExp (y)$ . From Definition 28, we have $CnsmExp (x) \cap ⋃_{y \in Y} PrvdExp (y) \subseteq CnsmAct (x)$ .

Theorem 11

If $| Cnsm \times Prvd \times Info | > 1$ , then { ${Avail}_{USAGE}^{prvd}$ , ${Ctrl}_{USAGE}^{prvd}$ , ${Auth}_{USAGE}^{cnsm}$ } is minimally $P_{UTIL}^{prvd}$ -complete.

Theorem 12

${Avail}_{USAGE}^{prvd}$ , ${Ctrl}_{USAGE}^{prvd}$ , and ${Auth}_{USAGE}^{cnsm}$ are independent of each other, that is, ${Avail}_{UTIL}^{prvd} ⇏ {Ctrl}_{UTIL}^{prvd}$ , ${Ctrl}_{UTIL}^{prvd} ⇏ {Avail}_{UTIL}^{prvd}$ , ${Ctrl}_{UTIL}^{prvd} ⇏ {Auth}_{UTIL}^{cnsm}$ , ${Auth}_{UTIL}^{cnsm} ⇏ {Ctrl}_{UTIL}^{prvd}$ , ${Avail}_{UTIL}^{prvd} ⇏ {Auth}_{UTIL}^{cnsm}$ and ${Auth}_{UTIL}^{cnsm} ⇏ {Avail}_{UTIL}^{prvd}$ .

$P_{USAGE}^{prvd}$ -completeness states that a consumer can obtain information, if and only if (1) the user is willing to obtain it, and (2) the corresponding producers agree to provide it. $P_{USAGE}^{prvd}$ -completeness, however, does not deal with supervisors who are non-trivial in some cases. For example, pornography filtering systems are used to help parents (as supervisors) monitor their children and filter porn information. If supervisors are considered, we have the following definitions.

Definition 31

Availability in the case that the expectations of both supervisors and producers are considered, denoted by ${Avail}_{UTIL}^{spvs}$ , if, for any $(x, y, i) \in CnsmExp (x) \cap PrvdExp (y) \cap SpvsExp$ , $(x, y, i) \in CnsmAct (x)$ holds, that is

$\begin{matrix} {Avail}_{UTIL}^{spvs} \equiv \forall x \in Cnsm . \forall y \in Prvd . \\ \forall i \in Info . (x, y, i) \in CnsmExp (x) \cap \\ PrvdExp (y) \cap SpvsExp \to (x, y, i) \in CnsmAct (x) \end{matrix}$

Availability of Definition 31 shows that, if (1) a consumer $x$ is glad to consume information $i$ produced by producer $y$ , and (2) both $y$ and supervisors agree to this consumption, then $x$ can consume $i$ . Similarly, we have the following definition.

Definition 32

Controllability in the case that the expectations of both supervisors and producers are considered, denoted by ${Ctrl}_{UTIL}^{spvs}$ , if, for $(x, y, i) \notin PrvdExp (y)$ or $(x, y, i) \notin SpvsExp$ , $(x, y, i) \notin CnsmAct (x)$ holds, that is

$\begin{matrix} {Ctrl}_{UTIL}^{spvs} & \equiv (x, y, i) \notin PrvdExp (y) \lor (x, y, i) \\ \notin SpvsExp \to (x, y, i) \notin CnsmAct (x) \end{matrix}$

Definition 32 describes the ultimate goals of controllability: a consumer cannot obtain any information without the agreement of both producers and supervisors.

Definition 33

$P_{UTIL}^{spvd}$ -completeness in utilization level

Given a set $P$ of security properties, $P$ is called $P_{UTIL}^{spvd}$ -complete in the utilization level, if, for any $x \in Cnsm$ , $CnsmAct (x) = CnsmExp (x) \cap ⋃_{y \in Y} PrvdExp (y) \cap SpvsExp$ holds, where $Y = CnsmExp (x) ↑_{2}$ .

Theorem 13

{ ${Avail}_{UTIL}^{spvs}$ , ${Auth}_{UTIL}^{cnsm}$ , ${Ctrl}_{UTIL}^{spvs}$ } is $P_{UTIL}^{spvd}$ -complete.

Proof

From Definition 26 and Definition 32, we have shown that for any $x \in Cnsm$ , $CnsmAct (x) \subseteq CnsmExp (x)$ , $CnsmAct (x) \subseteq ⋃_{y \in Y} PrvdExp (y)$ , and $CnsmAct (x) \subseteq SpvsExp$ , where $Y = CnsmExp (x) ↑_{2}$ , so $CnsmAct (x) \subseteq CnsmExp (x) \cap ⋃_{y \in Y} PrvdExp (y) \cap SpvsExp$ . According to Definition 31, we have $CnsmExp (x) \subseteq CnsmAct (x)$ , $⋃_{y \in Y} PrvdExp (y) \subseteq CnsmAct (x)$ , and $SpvsExp \subseteq CnsmAct (x)$ , so $CnsmExp (x) \cap ⋃_{y \in Y} PrvdExp (y) \cap SpvsExp \subseteq CnsmAct (x)$ .

Theorem 14

If $| Cnsm \times Prvd \times Info | > 1$ , then { ${Avail}_{UTIL}^{spvs}$ , ${Auth}_{UTIL}^{cnsm}$ , ${Ctrl}_{UTIL}^{spvs}$ } is minimally $P_{UTIL}^{spvd}$ -complete.

Theorem 15

${Avail}_{UTIL}^{spvs}$ , ${Auth}_{UTIL}^{cnsm}$ , and ${Ctrl}_{UTIL}^{spvs}$ are independent of each other, that is, ${Avail}_{UTIL}^{cnsm} ⇏ {Auth}_{UTIL}^{spvs}$ , ${Auth}_{UTIL}^{spvs} ⇏ {Avail}_{UTIL}^{cnsm}$ , ${Avail}_{UTIL}^{cnsm} ⇏ {Ctrl}_{UTIL}^{spvs}$ , ${Ctrl}_{UTIL}^{spvs} ⇏ {Avail}_{UTIL}^{cnsm}$ , ${Auth}_{UTIL}^{cnsm} ⇏ {Ctrl}_{UTIL}^{spvs}$ , and ${Auth}_{UTIL}^{spvs} ⇏ {Avail}_{UTIL}^{cnsm}$ .

Theorems 1–3 show that authentication and availability are minimally complete and independent from the perspective of services; Theorems 4–6 suggest that data security relies on confidentiality, authentication, and availability and the three properties are minimally complete and independent; Theorems 13–15 demonstrate that in the content layer, controllability, availability, and authentication are minimally complete and independent from the point of view of information utilization because CACA is minimally complete and independent.

Defining information security

As shown above, information security can be divided into four layers from bottom to top: physical, operational, data, and content security, respectively. Security of the first two layers depends on authentication and availability from the point of view of services; the third layer relies on confidentiality, authentication, and availability of data from the point of view of data self; and the fourth layer depends on controllability, availability, and authentication from the point of view of utilization. Because confidentiality, availability, controllability, and authentication are independent and complete in each layer, the four properties are called fundamental security properties, denoted by CACA, as shown in Figure 3. Based on this analysis, we give the definition of information security, as follows.

Figure 3.

CACA model.

Definition 34: information security

Information security, including physical, operational, data, and content security, is a process to guarantee systems to provide the expected service by way of protecting availability and authentication in the system layer; ensure data to be sent and received correctly via protecting confidentiality, availability, and authentication in the data layer; and protect information to be used within expectation by satisfying controllability, availability, and authentication in the utilization layers.

For instance, in sensor networks, if the sensors are stolen and maliciously embedded, then its physical security is not satisfied. Operation security guarantees the operation flow should keep away from malicious attacks and non-human errors. Data security insures that an attacker cannot obtain the data collected from sensors. Content security means that information content is not displayed to unauthorized users. In addition to the availability and confidentiality in traditional security scenarios, authentication improves the conception of integrity, and controllability emphasizes that the flow of information should be controlled by managers. In general, integrity only verifies the correctness of information self, and authentication also verifies the correctness of the user’s identity. Besides, controllability addresses the content of information and ensures that the flow of information conforms to the wishes of the system designer.

From the point of view of security property, Definition 34 emphasizes four properties: confidentiality, authentication, controllability, and availability. Compared with CIA model, in CACA, integrity is substituted with authentication and controllability is added. This makes up for limitations of CIA: (1) in CIA, integrity means that information can be modified only by authorized parties or only in authorized ways, This shows that the authenticity of the source and the destination of information is not concerned for integrity. As shown in “Hierarchy of information security” section, authentication expresses not only the authenticity of information source but also the authenticity of information self, where the latter precisely implies integrity; (2) a large number of annoying information greatly influences our life, controlling information to reasonably be used is becoming a urgent requirement. However, this cannot be expressed in CIA.

As shown in Figures 4 and 5, some layer models called BCDD (behavior, content, data, device security) and MDOD (management/people, data/information, operation, device/physical security) have respectively been proposed for defining information security. In BCDD, operational security is not considered. As shown in “Introduction” section, the operation layer instructs data how to be done. If the operation security is not secure, then data will not be secure, so BCDD model is unsuitable for complex security scenarios, such as massive amounts of equipment and data in IoT. Although MDOD takes into operational security, the utilization of information is considered in this model. As shown in “Introduction” section, a great deal of annoying information is flooding on the Internet; as a result, a model which does not include the utilization of information is inappropriate. Although BCDD and MDOD regard behavior security and management/people security as an independent layer, respectively, but we believe that the two securities should be throughout all layers. For example, in the physical layer, the policy about people security should be formulated to provide physical security. These demonstrate that PODC shown in “Introduction” section is more suitable for defining information security.

Figure 4.

BCDD model.

Figure 5.

MDOD model.

Conclusion

The existing definitions of information security might bring confusion and provide little guidance about the security objectives. In this article, a new definition of information security is proposed to provide guidance for further security practice. In the future, new definitions should be proposed to satisfy the increasing and changing security requirements.

Footnotes

Handling Editor: Zheng Chang

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research,authorship,and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research,authorship,and/or publication of this article: This research is funded by the National Key R&D Program of China (No. 2018YFB2100400),the National Natural Science Foundation of China (No. 61872100),the Guangdong Province Key Research and Development Plan (No. 2019B010137004),the Guangxi Natural Science Foundation (No. 2017GXNSFAA198372),and Guangdong Province Universities and Colleges Pearl River Scholar Funded Scheme (2019).

ORCID iDs

Zhe Sun

Zhihong Tian

References

Hung

. Leading the IoT—Gartner insights on how to lead in a connected world. https://www.gartner.com/imagesrv/books/iot/iotEbook_digital.pdf (accessed 10 August 2019).

SonicWall cyber threat report. https://www.sonicwall.com/lp/2019-cyber-threat-report-lp (accessed 10 August 2019).

Cybersecurity venture capital investment. https://scvgroup.net/2018-cybersecurity-venture-capital-investment (accessed 9 August 2019).

Anderson

. Why we need a new definition of information security. Comput Secur 2003; 4: 308–313.

Bishop

. Computer security: art and science. Boston, MA: Addison-Wesley, 2002.

Pfleeger

. Security in computing. Upper Saddle River, NJ: Prentice Hall, 2002.

Chen

. Stuxnet, the real start of cyber warfare? IEEE Netw 2010; 6: 2–3.

Langner

. Stuxnet: dissecting a cyberwarfare weapon. IEEE Secur Priv 2011; 3: 49–51.

Virvilis

Gritzalis

. The big four-what we did wrong in advanced persistent threat detection? In: Proceedings of the IEEE international conference on availability, reliability and security, Regensburg, 2–6 September 2013, pp.248–254. New York: IEEE.

10.

Nourian

Madnick

. A systems theoretic approach to the security threats in cyber physical systems applied to Stuxnet. IEEE Trans Depend Secur Comput 2015; 15(1): 2–13.

11.

Threat landscape for industrial automation systems in the second half of 2016. https://ics-cert.kaspersky.com/reports/2017/03/28/threat-landscape-for-industrial-automation-systems-in-the-second-half-of-2016 (accessed 10 August 2019).

12.

Byres

Lowe

. The myths and facts behind cyber security risks for industrial control systems, 2004. https://pdfs.semanticscholar.org/a7eb/3cfc27ac190def5083e20ca7d0ac64f7a575.pdf

13.

Sadeghi

Wachsmann

Waidner

. Security and privacy challenges in industrial internet of things. In: Proceedings of the ACM/EDAC/IEEE design automation conference, San Francisco, CA, 7–11 June 2015, pp.1–6. New York: ACM.

14.

McLaughlin

Konstantinou

Wang

, et al. The cybersecurity landscape in industrial control systems. Proc IEEE 2016; 104(5): 1039–1057.

15.

Humayed

Lin

, et al. Cyber—physical systems security—a survey. IEEE Internet Thing J 2017; 4(6): 1802–1831.

16.

Leonardo

Seiji

Dimitri

, et al. FTI: high performance Fault Tolerance Interface for hybrid systems. In: Proceedings of the IEEE international conference for high performance computing, networking, storage and analysis, Seattle, WA, 29 December 2011, pp.1–12. New York: IEEE.

17.

Popov

. Models of reliability of fault-tolerant software under cyber-attacks. In: Proceedings of the IEEE international symposium on software reliability engineering, Toulouse, 23–26 October 2017, pp.228–239. New York: IEEE.

18.

Jiang

Zhan

, et al. Design of security-critical distributed real-time applications with fault-tolerant constraint: work-in-progress. In: Proceedings of the ACM international conference on embedded software, San Francisco, CA, 1–3 July 2018, pp.41–42. New York: IEEE.

19.

Shriram

Brendan

Ryan

, et al. SecondSite: disaster tolerance as a service. In: Proceedings of the 8th ACM SIGPLAN/SIGOPS conference on virtual execution environments, London, 3–4 March 2012, pp.97–108. New York: ACM.

20.

Sterbenz

JPG

. Smart city and IoT resilience, survivability, and disruption tolerance: challenges, modelling, and a survey of research opportunities. In: Proceedings of the IEEE international workshop on resilient networks design and modeling, Alghero, 4–6 September 2017, pp.1–6. New York: IEEE.

21.

Weingart

. Physical security devices for computer subsystems: a survey of attacks and defenses, in Cryptographic Hardware and Embedded Systems. In: Proceedings of the Springer international workshop on cryptographic hardware and embedded systems, Worcester, MA, 17–18 August 2000, pp.45–68. New York: Springer.

22.

National Vulnerability Database. http://web.nvd.nist.gov (accessed 9 August 2019).

23.

Malware statistics & trends report. AV-TEST. https://www.av-test.org/en/statistics/malware (accessed 9 August 2019).

24.

Shocking Computer Virus Statistics. https://brandongaille.com/36-shocking-computer-virus-statistics (accessed 10 August 2019).

25.

Cybersecurity Ventures. 2017 cybercrime report. https://cybersecurityventures.com/2015-wp/wp-content/uploads/2017/10/2017-Cybercrime-Report.pdf (accessed 9 August 2019).

26.

Bishop

Bailey

. A critical analysis of vulnerability taxonomies. Department of Computer Science, University of California, Davis, 1996.

27.

Tipton

Nozaki

. Information security management handbook. CRC Press2007.

28.

Marrero

Clarke

Jha

. Model checking for security protocols. Technical Report CMU-SCS-97–139, 1997. Carnegie Mellon University. http://www.cs.cmu.edu/∼emc/papers/Conference%20Papers/Model%20Checking%20for%20Security%20Protocols.pdf

29.

Ehsan

Perwaiz

Arif

, et al. CMMI/SPICE based process improvement. In: Proceedings of the IEEE international conference on management of innovation & technology, Singapore, 2–5 Jun 2010, pp.859–862. New York: IEEE.

30.

Chrisis

Konrad

Shrum

. CMMI–guidelines for process integration and product improvement (SEI Series in Software Engineering). Boston, MA: Addison-Wesley, 2003.

31.

MITRE. Common attack pattern enumeration and classification. http://capec.mitre.org (accessed 9 August 2019).

32.

Identity Theft Resource Center. https://www.idtheftcenter.org/wp-content/uploads/2018/07/DataBreachReport_2018.pdf (accessed 10 August 2019).

33.

IBM. 2019 cost of a data breach report. https://www.ibm.com/security/data-breach (accessed 9 August 2019).

34.

Tian

Gao

, et al. Evaluating reputation management schemes of internet of vehicles based on evolutionary game theory. IEEE Trans Veh Technol 2019; 68(6): 5971–5980.

35.

Zhu

Zhang

, et al. ASAP: an anonymous smart-parking and payment scheme in vehicular networks. IEEE Trans Depend Secur Comput. DOI: 10.1109/TDSC.2018.2850780.

36.

Zhu

Zhang

, et al. Prif: a privacy-preserving interest-based forwarding scheme for social internet of vehicles. IEEE Internet Thing J 2018; 5(3): 2457–2466.

37.

Zhang

Leng

Peng

, et al. Artificial intelligence inspired transmission scheduling in cognitive vehicular communications and networks. IEEE Internet Thing. https://ieeexplore.ieee.org/document/8471165

38.

Xiao

Guizani

, et al. An effective key management scheme for heterogeneous sensor networks. Ad Hoc Netw 2007; 5(1): 24–34.

39.

Xiao

Zhang

, et al. Internet protocol television (IPTV): the killer application for the next generation internet. IEEE Commun Mag 2007; 45(11): 126–134.

40.

Chen

. Security in wireless sensor networks. IEEE Wirel Commun Mag 2008; 15(4): 60–66.

41.

Tian

Shi

, et al. A data-driven method for future internet route decision modeling. Fut Generat Comput Syst 2019; 95: 212–220.

42.

Guizani

Xiao

, et al. A routing-driven elliptic curve cryptography based key management scheme for heterogeneous sensor networks. IEEE Trans Wirel Commun 2009; 8(3): 1223–1229.

43.

Xiao

Rayi

Sun

, et al. A survey of key management schemes in wireless sensor networks. J Comput Commun 2007; 30(11–12): 2314–2341.

44.

Tian

Shi

Wang

, et al. Real time lateral movement detection based on evidence reasoning network for edge computing environment. IEEE Trans Indus Inform 2019; 15(7): 4285–4294.

45.

Zhang

Zhu

Leng

, et al. Deep learning empowered task offloading for mobile edge computing in urban informatics. IEEE Internet Thing J. DOI: 10.1109/JIOT.2019.2903191.

46.

Tian

Cui

, et al. A real-time correlation of host-level events in cyber range service for smart campus. IEEE Access 2018; 6: 35355–35364.

47.

Tian

Qiu

, et al. Block-DEF: a secure digital evidence framework using Blockchain. Inform Sci 2019; 491: 151–165.

48.

Zhang

Zhu

Maharjan

, et al. Edge intelligence and Blockchain empowered 5G beyond for industrial internet of things. IEEE Netw Mag 2019; 33: 12–19.

49.

Zhu

Gai

, et al. Controllable and trustworthy blockchain-based cloud data management. Fut Generat Comput Syst 2019; 91: 527–535.

Hierarchically defining Internet of Things security: From CIA to CACA

Abstract

Keywords

Introduction

Hierarchy of information security

Physical security

Fault tolerance

Disaster tolerance

Invasive attacks

Non-invasive attacks

Operational security

Data security

Content security

Connotation of information security

Definition 1

Definition 2

Definition 3

Definition 4

System security

Definition 5: availability

Definition 6: weak availability

Definition 7: weakest availability

Definition 8: strong availability

Proposition 1

Definition 9: survivability

Proposition 2

Definition 10: authentication

Definition 11: weak authentication

Definition 12: weakest authentication

Definition 13: strong authentication

Proposition 3

Proposition 4

Proposition 5

Definition 14: completeness in the system layer

Theorem 1

Proof

Theorem 2

Proof

Theorem 3

Proof

Data security

Definition 15

Definition 16

Definition 17

Proposition 6

Definition 18

Definition 19

Proposition 7

Definition 20

Definition 21

Definition 22

Proposition 8

Definition 23: completeness in the data layer

Theorem 4

Proof

Theorem 5

Theorem 6

Content security

Definition 24: user expectation

Definition 25

Definition 26

Definition 27

Theorem 7

Theorem 8

Theorem 9

Definition 28

Definition 29

Definition 30

Theorem 10

Proof

Theorem 11

Theorem 12

Definition 31

Definition 32

Definition 33

P UTIL spvd -completeness in utilization level

Theorem 13

Proof

Theorem 14

Theorem 15

$P_{UTIL}^{spvd}$ -completeness in utilization level