SABSA-at-Work™: SW100 - Cyber Security: How can SABSA® help your business?

Case Study: The WIDGETT Company
The company develops and sells a package of software and consulting called Workflow
Integrated Development and Generation for Enterprise Transformation Toolkit (WIDGETT).
Alice, the CEO, started the company a few years ago. She had just left a career in one of the
large consulting companies to start up her own entrepreneurial business.
Alice is attending the CyberUK conference organised by the National Cyber Security Centre (part
of GCHQ). She hopes that she can get some insights into how to manage the cyber security
issues that are part of building and running a digital business such as hers. At the conference she
finds herself sitting next to Bob at lunchtime and they are now engaging in conversation. It’s a
chance encounter. Let’s listen in to what they have to say.
Alice: “Hello Bob. It says on your badge that you are a SABSA consultant. What does that
mean?”
Bob: “Well I’m pleased you asked me that Alice. I’m always looking to tell people about SABSA.
It’s a framework for building information security architectures, which these days pretty much
equates to cyber-defence strategy.”
Alice: “Well I’m here to try to figure out what I should be doing for cyber defence in my own
company, so give me the pitch Bob. Why should I think about using SABSA? I know there are no
silver bullets so your story had better be good to get my interest.”
Bob: “Ok, well that’s quite a challenging way for us to begin but I’ll try to keep it short and
sweet. I’ll give you the five main reasons why SABSA can help people in managing their business
cyber risks. Are you ready Alice?”
Alice: “Yes Bob – shoot!”
SABSA Concept 1: Risk is a two-sided coin: Opportunity for Gain and Threat of Loss in a single concept
Bob: “Doing business of any kind is about taking calculated risks. Every decision you make and
everything you do has risk involved in it. You can never avoid risk in general, only the specific
risks you don’t want to take. The wise thing to do is to pick and choose your risks within what we
call your ‘risk appetite’. That is, how much downside risk you are willing to take in order to make
gains and reap the rewards.”
Alice: “OK. That matches my own experience in starting a new business. I saw an opportunity but
recognised there were multiple reasons why it might fail. Fortunately, it’s doing well.”
Bob: “I’m pleased to hear that Alice. Obviously, starting a new business, as you did, is about
taking some of those calculated risks. These are both upside (the opportunities for gain) and
downside (the threats that might result in losses). You have to take a holistic view of the entire
business lifecycle to understand your true risk balance. The balanced risk approach is
conceptually similar to a cost/benefit analysis. Risk has to do with uncertainty of outcome of
events. However, there’s a subtlety here, in that the uncertainty factors are not necessarily the
same for both opportunities and threats. They have different sources. This means that you need
to start top-down in your business analysis, looking at the things that really matter to you.
Identify the things you most want to protect, such as your business reputation and the ability to
carry on your business operations uninterrupted, your intellectual property, keeping the cash
flow positive, and making a profit.”
Alice: “Ok, I get that, but what has all this got to do with cyber security?”
SABSA Concept 2: Assets at risk – the Business Value Chain.
Bob: “More and more business is being done online. Cyberspace, the Internet and the web are
just new ways of supporting a business in how it creates its products and services and how it
markets, sells, and supports them in the field. In the modern world the Internet offers so many
opportunities to do business, but of course there are dangers – cyber threats. The problem that
many people have is that they believe that cyber security is just about having the right technical
solutions. They don’t see the connection to their primary business activity, which is creating
business value, whatever that means for them in their business world.”
Alice: “So you’re suggesting that cyber security needs more than technology? I must admit that
has never occurred to me before.”
Bob: “Yes. Cyber security is a sociotechnical thing. It involves people, processes and culture as
well as pure technology. It’s important to focus on the ‘people thing’ as well as the technology.
You have different players (stakeholders) in your business scenario, including yourself, your staff,
your technology services suppliers, and your customers. Possibly there are others too. Each
stakeholder has a different view because they are positioned at a different viewpoint. They see
the same business but from a different angle. I liken it to a valley landscape, surrounded by hills,
and the various stakeholders occupy positions on various hilltops, or even down by the river.
They all see the same valley, but their view of it depends on their viewpoint. It’s a good analogy
for understanding how the different players will have different priorities, all of which need to be
satisfied for everyone to be happy.”
Alice: “Oh, now I begin to see the connection – that a business is a sociotechnical thing too.”

Figure 1: Porter's Value Chain Model (callout: “In SABSA we call these Capabilities”)

Figure 2: The SABSA Business Stack™: Risk View. Layers, top to bottom, each with its own Business Attribute Profile (BAP): Business Value Chains; Business Capabilities (annotated with Knowledge, Skills, Competencies; People: Roles, Responsibilities; Support Services & Processes); Business Processes; Business Services; Applications (Logical Information Services); ICT Infrastructure (Physical Networks/Platforms/Storage); Technical Components (Standards, Products & Tools). The upper layers are labelled Business Risk Management, the middle layers Service Management, and the lower layers Cyber Risk Management. © The SABSA Institute 1995 – 2016. All rights reserved.


Bob: “Yes. SABSA borrows the idea from Porter’s value chain model[i] shown in Figure 1. This
model views the running of a business as being a series of activities that comprise a ‘system’. The
system has a hierarchical series of processes that require you to manage resources efficiently
and effectively to optimise business performance. According to Porter, the optimisation depends
upon whether you want your business output to be ‘cheap and cheerful’ (low cost to a mass
market) or high quality and specialist (for a highly differentiated product or service in a niche
market). Both ‘low cost’ and ‘highly differentiated’ are possible business strategies, but you need
to be clear which one you go for. However, successful mixed business models are also possible,
especially with the new Internet businesses. SABSA helps you to analyse your value chain
top-down by breaking it into a series of layers (Figure 2). That’s why SABSA is such a useful approach
for making risk decisions. Do they add value or not? Is it ‘worth the risk’ or not?”
Alice: “Yes I get that. We aim WIDGETT at a highly specialised, niche market, competing to be
the best in class. So, tell me how SABSA can help me with my cyber risk management.”
Bob: “Cyber-attacks put your whole business at risk, so you have to think from the top down –
protecting your value creating activities – in order to know what sort of cyber defences you need.
Porter defines the primary activities that make up your value chain, along with some support
activities that every company needs to keep going. What do you think are your primary
activities?”
Alice: “We’re a knowledge company, using our expertise to build software and offer consulting
services to support it. That means that our inbound logistics are all about acquiring the right
people. Our operations are software development, both in the design of the functionality, and
building robust code, so I can see immediately the link to cyber defence. Our outbound logistics
are delivery of the software over the Internet – more cyber defence needed, and our marketing is
mainly via our website. Sales are consultancy led, sometimes on-site, but often by email and
teleconferencing, and our services are product support and consulting using the same remote
processes. I’m beginning to get it now. We should build our cyber defences in the lower layers of
the SABSA Business Stack™, but we should define the requirements for what assets we want to
protect in those top layers labelled ‘business risk management’.”
SABSA Concept 3: Top-down Decomposition of the Business Value Chain.

Bob: “Correct! That’s why SABSA can help you because it decomposes your value chain
top-down. It’s not really significant that you are a knowledge company. If you were a manufacturing
company making ordinary widgets (forgive the pun!) you would have plenty of cyber technology
in your automated, remotely controlled, manufacturing processes. SABSA analysis of the value
chain can help any type of business whether it’s commercial or public service.”
“The important thing is to know what your business performance targets are, and SABSA has a
special way to do that called Business Attribute Profiling™. This process breaks down your value
chain into a series of measurable attributes that are the key characteristics of your business,
each one with a performance target. In SABSA your performance targets have a flip side too –
they are expressions of your risk appetite – how much risk you are prepared to take to do
business.”
“As you move down the SABSA Business Stack doing your analysis, the next level down inherits
and re-interprets attributes from the layer above, according to what’s going on at that level. So,
you begin to reveal the inter-dependencies between the various parts of your business, which in
most cases can be a quite complex ‘system of systems’.”
“For example: You will want to protect your intellectual property (IP). So, at the top value chain
level (because producing IP is your primary activity – your ‘crown jewels’ as it were) you might
define an attribute called ‘IP protected’. At the next level (Capabilities) you might have a linked
attribute called ‘Access Restricted’. At the Business Processes level, it might be ‘Identity & Access
Managed’. At the Business Services level, it might be ‘Access Controlled’, and then as you go
down the stack, by the time you reach the Logical level, the matching attribute might simply be
‘Confidential’ and at the Infrastructure level it might be ‘Encrypted’. Each attribute is derived
from the one above and contributes to supporting the higher-level tree structure of attributes.”
“We use the Business Attributes Profile (BAP) as a set of ‘proxy assets’ because they
conceptualise the real assets at risk (the value chain and its derivatives) and represent the upside
of risk (the opportunity). Then we do a threat assessment against those assets to make sure you
can meet your performance targets in the face of a cyber-attack.”
Alice: “So, you say that cyber security isn’t just a technology thing, but something that we should
drive from the highest business goals and objectives – the business value chain. I had never
thought of it that way before, but of course it makes perfect sense.”
“I would like to use these ideas to help grow my business, especially in grasping opportunities for
using cyber technologies to add business value whilst managing the cyber threats within my ‘risk
appetite’ as you call it. That’s a new term to me but I see what you mean – how much ‘cyber risk’
can I take and how should I manage the level so I can use new digital technologies. So how can I
go about that using SABSA?”
SABSA Concept 4: Business Attribute Profiling and Security Performance Measurement
Bob: “SABSA is a systems approach to cyber risk management. You can express any business
process, from the top-level value chain, right down through all the layers, to the management of
the IT infrastructure and the cyber defence tools and technologies that you use, as a set of key
characteristics that SABSA calls Business Attributes, as I just explained. Starting at the top
business layer (the value chain), I’m guessing that you would base some of your attributes on
being highly competitive in your niche market, being in control of the business, protecting the
reputation of your brand, and so on. You probably don’t need more than half a dozen to
characterise your key performance requirements at that level. However, you need to decide on a
measurement approach, a specific metric, and a performance target for the metric for each of
your key attributes. As an example, you might measure your competitiveness by the level of
uniqueness of your offering. The specific metric might be the number of unique selling points,
and the performance target might be to create and maintain at least three USPs versus
competing products and services. Am I right?”
Alice: “Yes you are. I can see straight away that one of my USPs would be Secure Online
Support. I can also see that a successful cyber-attack could damage our brand reputation, and
that it would definitely trash any sense of being in control. It would be really helpful to have a
way to measure and balance the downside risks of a cyber-attack against the business benefits
of using digital technologies. An approach that provides that balanced view will be valuable in
itself. So far, I’ve been confused by the cyber threats one reads about all the time. I hadn’t
realised that it’s a balancing act that I can learn to manage.”
SABSA Concept 5: Two-way traceability
Bob: “The really helpful thing about the SABSA approach is that as you go down the stack from
layer to layer, the higher layer makes demands on the layer below. It’s a supply and demand
model. The lower layer must inherit the requirements from above and supply them through a
series of attributes that serve the needs from above. When you get down into the nuts and bolts
of cyber defence technology you can be sure that you derived the attributes that characterise
those layers from the very highest business drivers. We call this SABSA Two-Way Traceability™.
You ensure that all your high-level attributes in the value chain itself are matched by lower level
attributes that contribute to a complete set of cyber security controls and business enablers. You
also justify your detailed cyber security solutions – when people ask ‘Why are we doing it this
way?’ you can trace back to top of the stack to find the business drivers that you are servicing.
That’s why it’s ‘two-way’ – providing both a completeness check and justifying the expenditure.”
“So, there you have it Alice: the five most important reasons why people like using SABSA to plan
their cyber security strategy. There’s a lot more detail published in various white papers and
blogs on The SABSA Institute web site. They also have a worldwide programme of SABSA training
and certification.”
Alice: “Wow! That is impressive. I would love to be sure we are balancing our investment in cyber
defence and the rest of the business in the most effective and efficient way. Thank you, Bob, for
all that. I think I need to get some official SABSA training to follow this up. I think using SABSA
will help me take the business forward and at the same time have measured confidence that our
cyber-defence is fit for purpose. It was good to meet you today. Do you have a business card?”
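The mechanism Bob describes in Concepts 3 to 5 (an attribute at each layer of the stack derived from the one above, each carrying a metric and a performance target, checked for completeness top-down and justified bottom-up) is small enough to model directly. The following Python is an added illustration written for this page; it is not SABSA Institute code or tooling. The layer names and the ‘IP Protected’ to ‘Encrypted’ derivation chain are taken from the dialogue; the metrics, targets, the ‘Competitive’ and ‘Patched’ attributes, and all function names are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Layers of the SABSA Business Stack, top to bottom, as named in the dialogue.
LAYERS = ["Value Chain", "Capabilities", "Business Processes",
          "Business Services", "Logical", "Infrastructure"]


@dataclass(frozen=True)
class Attribute:
    """One Business Attribute: a measurable characteristic with a performance target."""
    name: str
    layer: str
    metric: str                    # how the attribute is measured (constructed wording)
    target: str                    # performance target, i.e. the risk appetite for it
    parent: Optional[str] = None   # attribute one layer up that this one is derived from


def build_profile() -> dict[str, Attribute]:
    """Constructed Business Attribute Profile for the WIDGETT case study (not SABSA data)."""
    attrs = [
        Attribute("IP Protected", "Value Chain", "confirmed leaks of product source code per year", "0"),
        Attribute("Competitive", "Value Chain", "unique selling points versus competing products", "at least 3"),
        # The derivation chain Bob gives for IP protection, one layer per step.
        Attribute("Access Restricted", "Capabilities", "roles able to reach source repositories",
                  "engineering roles only", parent="IP Protected"),
        Attribute("Identity & Access Managed", "Business Processes", "accounts covered by a quarterly access review",
                  "100%", parent="Access Restricted"),
        Attribute("Access Controlled", "Business Services", "repository requests from unauthorised roles refused",
                  "100%", parent="Identity & Access Managed"),
        Attribute("Confidential", "Logical", "source code readable only by authenticated, authorised sessions",
                  "100%", parent="Access Controlled"),
        Attribute("Encrypted", "Infrastructure", "repositories encrypted at rest and in transit",
                  "100%", parent="Confidential"),
        # A control with no parent: spend that nobody has yet traced to a business driver.
        Attribute("Patched", "Infrastructure", "critical patches applied within the agreed window", "95% within 14 days"),
    ]
    return {a.name: a for a in attrs}


def validate_layering(profile: dict[str, Attribute]) -> list[str]:
    """Each derived attribute must sit exactly one layer below its parent."""
    problems = []
    for a in profile.values():
        if a.parent is None:
            continue
        p = profile.get(a.parent)
        if p is None:
            problems.append(f"{a.name}: parent {a.parent!r} is not in the profile")
        elif LAYERS.index(a.layer) != LAYERS.index(p.layer) + 1:
            problems.append(f"{a.name}: layer {a.layer!r} is not directly below {p.layer!r}")
    return problems


def trace_up(profile: dict[str, Attribute], name: str) -> list[str]:
    """Bottom-up traceability: walk from a control to the business driver it serves."""
    chain = []
    current: Optional[Attribute] = profile[name]
    while current is not None:
        chain.append(current.name)
        current = profile.get(current.parent) if current.parent else None
    return chain


def completeness_gaps(profile: dict[str, Attribute]) -> list[str]:
    """Top-down traceability: value chain attributes whose derivation never reaches the bottom layer."""
    children: dict[str, list[str]] = {}
    for a in profile.values():
        if a.parent:
            children.setdefault(a.parent, []).append(a.name)

    def reaches_bottom(name: str) -> bool:
        if profile[name].layer == LAYERS[-1]:
            return True
        return any(reaches_bottom(c) for c in children.get(name, []))

    return sorted(a.name for a in profile.values()
                  if a.layer == LAYERS[0] and not reaches_bottom(a.name))


def unjustified_controls(profile: dict[str, Attribute]) -> list[str]:
    """Attributes below the value chain with no parent: they cannot answer 'why are we doing this?'."""
    return sorted(a.name for a in profile.values()
                  if a.layer != LAYERS[0] and a.parent is None)


if __name__ == "__main__":
    profile = build_profile()
    print("layering problems:", validate_layering(profile))
    print("why 'Encrypted'? ->", " <- ".join(trace_up(profile, "Encrypted")))
    print("drivers with no supporting control:", completeness_gaps(profile))
    print("controls with no business justification:", unjustified_controls(profile))
```

Run stand-alone, the script traces ‘Encrypted’ back through ‘Confidential’, ‘Access Controlled’, ‘Identity & Access Managed’ and ‘Access Restricted’ to ‘IP Protected’ (the justification direction), reports ‘Competitive’ as a value chain attribute with nothing supporting it at the infrastructure layer (the completeness direction), and flags ‘Patched’ as a control nobody has linked to a business driver. The two list-returning checks are the two directions of Bob’s two-way traceability; a real profile would carry many more attributes per layer, but the checks do not change.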

[i] Porter, Michael E., "Competitive Advantage". 1985, Ch. 1, pp 11-15. The Free Press. New York.

Copyright © The SABSA Institute 1995 – 2018. All rights reserved.

The SABSA Institute C.I.C
Registered Address: 126 Stapley Road, Hove
East Sussex, BN3 7FG, United Kingdom
Email: info@sabsa.org Web: https://www.sabsa.org
Registered in England & Wales, Company Number 08439587