• Depth without breadth is useless; breadth without depth, weak {08.02}.

Description. Much ado has been made about the concept of defense in depth. The idea is often vaguely defined as layering cybersecurity approaches, including people, diverse technology, and procedures, to protect systems. Much more precision is needed for this concept to be truly useful to the cybersecurity design process. Layer how? With respect to what? The unspoken answer is the cyberattack space that covers the gamut of all possible attack classes, as shown in the accompanying figure.

Rationale. One must achieve depth with respect to specified attack classes. Mechanisms that are useful against some attack classes are entirely useless against others. This focusing idea fosters an equally important companion principle: defense in breadth. If a cybersecurity designer creates excellent depth to the point of making a particular class of attack prohibitive to an adversary, the adversary may simply move to an alternative attack. Thus, one must cover the breadth of the attack space, in depth. Ideally, the depth will be such that all avenues of attack, for all attack classes, will be equally difficult, and above the cost and risk thresholds of the attackers.

Implications. This depth-and-breadth principle implies that the cybersecurity engineer must have a firm understanding of the entire spectrum of cyberattacks, not just a few attacks. More broadly, the principle suggests the cybersecurity community must develop better cyberattack taxonomies that capture the entire attack space, including hardware attacks, device controller attacks, operating system attacks, and cyberattacks used to affect the beliefs of people. Further, the principle also means that cybersecurity measures must be properly characterized in terms of their effectiveness against the various portions of the cyberattack space. Those who create or advocate for various measures or solutions will be responsible for creating specific claims about their cyberattack-space coverage, and analysts will be responsible for designing tests to thoroughly evaluate the validity of those claims. Lastly, cybersecurity architects will need to develop techniques for weaving together cybersecurity in ways that create true depth, measured by how the layers alter the probability of success an adversary will have for the targeted attack class. Said a different way, the effectiveness of depth could be measured by how miserable it makes an attacker's life.

[Figure: Defense depth and breadth in a cyberattack. Legend: the attack space; an attack class within the attack space, where size corresponds to the number of attacks in the class; the subset of attack classes covered by a security control; regions labeled Depth = 1, Depth = 2, and Depth = 3.]

• Failing to plan for failure guarantees catastrophic failure {20.06}.

Description. System failures are inevitable {19.01, 19.05}. Pretending otherwise is almost always catastrophic. This principle applies to both the mission system and the cybersecurity subsystem that protects the mission system. Cybersecurity engineers must understand that their systems, like all systems, are subject to failure. It is incumbent on those engineers to understand how their systems can possibly fail, including the failure of the underlying hardware and other systems on which they depend (for example, the microprocessors, the internal system bus, the network, memory, and external storage systems). A student of cybersecurity is a student of failure {07.01} and thus a student of dependability as a closely related discipline. Security requires reliability; reliability requires security {05.09}.

Rationale. Too many cybersecurity engineers forget that cybersecurity mechanisms are not endowed with magical powers of nonfailure. Requirements can be ambiguous and poorly interpreted, designs can be flawed, and implementation errors are no less likely in security code than in other code. Indeed, security code often has to handle complex timing issues and sometimes needs to be involved in hardware control. This involves significantly more complexity than normal systems and thus requires even more attention to failure avoidance, detection, and recovery {05.10}. Yet the average cybersecurity engineer today seems inadequately schooled in this important related discipline.

Implications. Cybersecurity engineering requires design using dependability engineering principles. This means that cybersecurity engineers must understand the nature and cause of faults, and how the activation of faults leads to errors, which can propagate and cause system failures.¹ They must understand this not only with respect to the cybersecurity system they design, but all the systems on which the system depends and which depend on it, including the mission system itself.

• Strategy and tactics knowledge

enemy of cybersecurity because of the difficulty of arguing that complex systems are correct {19.09}.
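The depth-and-breadth principle says depth should be measured by how the layers alter an adversary's probability of success for a targeted attack class, and that breadth must cover the whole attack space so the adversary has no cheaper alternative avenue. The following Python is an added illustration of that measurement; it is not code from the article or its author. The attack classes extend the page's taxonomy with two assumed classes (application, network); the controls and their per-class stopping probabilities are constructed sample values standing in for the coverage claims the text says vendors must make and analysts must test; and the model assumes the layers fail independently, so per-layer bypass probabilities multiply.

```python
"""Attack-space coverage analysis for the depth-and-breadth principle.

Added illustration; not code from the article or its author. The attack
classes, controls and per-layer stopping probabilities are constructed
sample values, and the model assumes each layer fails independently.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Attack taxonomy: classes named in the article plus two assumed extras
# (application, network) so the space is a little wider.
ATTACK_SPACE: List[str] = [
    "hardware", "device_controller", "operating_system",
    "application", "network", "human_belief",
]


@dataclass(frozen=True)
class Control:
    """A security control and the attack classes it claims to cover.

    stop_probability maps attack class -> assumed probability that this
    layer alone defeats an attack of that class (a coverage claim that an
    analyst would have to validate by test).
    """
    name: str
    stop_probability: Dict[str, float]


# Constructed sample controls: depth is uneven and one class is uncovered.
CONTROLS: List[Control] = [
    Control("network_firewall", {"network": 0.7}),
    Control("host_hardening", {"operating_system": 0.6, "application": 0.4}),
    Control("application_allowlisting", {"application": 0.8, "operating_system": 0.3}),
    Control("secure_boot", {"hardware": 0.5, "operating_system": 0.5}),
    Control("awareness_training", {"human_belief": 0.3}),
]


def depth(controls: List[Control], attack_class: str) -> int:
    """Number of layers covering an attack class (the figure's Depth = n)."""
    return sum(1 for c in controls if attack_class in c.stop_probability)


def residual_success(controls: List[Control], attack_class: str) -> float:
    """Adversary's probability of getting through every layer for one class.

    Assumes layers fail independently, so bypass probabilities multiply.
    A class no control covers has residual 1.0: a breadth gap.
    """
    p = 1.0
    for c in controls:
        if attack_class in c.stop_probability:
            p *= 1.0 - c.stop_probability[attack_class]
    return p


def coverage_report(controls: List[Control], attack_space: List[str]) -> Dict[str, Tuple[int, float]]:
    """Map each attack class to (depth, residual adversary success)."""
    return {a: (depth(controls, a), residual_success(controls, a)) for a in attack_space}


def breadth_gaps(report: Dict[str, Tuple[int, float]]) -> List[str]:
    """Classes with no coverage at all: depth without breadth."""
    return [a for a, (d, _) in report.items() if d == 0]


def weakest_class(report: Dict[str, Tuple[int, float]]) -> str:
    """The avenue an adversary would move to once others become prohibitive."""
    return max(report, key=lambda a: report[a][1])


def above_threshold(report: Dict[str, Tuple[int, float]], attacker_threshold: float) -> List[str]:
    """Classes whose residual success still exceeds what the attacker accepts.

    The principle's ideal is that every class ends up below this threshold.
    """
    return [a for a, (_, r) in report.items() if r > attacker_threshold]


if __name__ == "__main__":
    report = coverage_report(CONTROLS, ATTACK_SPACE)
    for a, (d, r) in report.items():
        print(f"{a:18s} depth={d} residual_success={r:.2f}")
    print("breadth gaps:", breadth_gaps(report))
    print("weakest class:", weakest_class(report))
    # Piling more depth on the OS class alone does not help: the weakest
    # avenue is unchanged, which is the "adversary simply moves" point.
    deeper = CONTROLS + [Control("kernel_integrity_monitor", {"operating_system": 0.9})]
    print("after deepening OS only, weakest class:",
          weakest_class(coverage_report(deeper, ATTACK_SPACE)))
```

Running the block prints the per-class depth and residual success, flags the uncovered device-controller class as the breadth gap, and shows that a third operating-system control lowers that class's residual without changing where the adversary would go next; only a control that covers the gap moves the weakest avenue.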