The Abstraction Layers of the OSI Model
The PCF builds on the Open Systems Interconnection model (OSI) stack familiar to most computer scientists. It treats the stack primarily as a conceptual framework for organizing how we understand computing systems, particularly in the security domain. The OSI model describes abstraction layers that enable the student or practitioner to focus on where a problem may exist, such as the physical, network, or application layer. While retaining the abstraction layers from the OSI model, the PCF does not emphasize the role of the OSI model as a standardizing model. Instead, it broadens students' understanding by focusing attention on the critical domains that introduce well-documented and well-understood risks from management, government, and international affairs. I provide supplemental materials online that further discuss the relationship of the PCF to the OSI model and expand other points made in this column.[c]

As a conceptual framework for understanding computer systems, the seven traditional layers apply intuitively to cybersecurity risks, as discussed by Glenn Surman in his 2002 article "Understanding Security Using the OSI Model."[2] Surman concluded: "The most critical thing you should take from this paper is that for every layer there are attacks being created, or attacks awaiting activation as a result of poor defence." Bob Blakley from Citicorp assisted with these illustrations of vulnerabilities that exist at each of the seven layers, and I have added vulnerabilities existing at layers 8, 9, and 10.

As a way to introduce layers 8 through 10, each horizontal layer highlights important types of cybersecurity vulnerabilities. At layer 8, organizations face a wide range of cyber-risks, and take many actions to mitigate such risks. At layer 9, governments enact and enforce laws—good laws can reduce cybersecurity risks, while bad laws can make them worse. At layer 10, the international realm, no one nation can impose its laws, but treaties or discussions with Russia and China, for instance, may improve cybersecurity. As shown in Table

[c] Supplementary materials on the framework are available at https://bit.ly/2MJCrZq
Table 1. Vulnerabilities at each layer of the expanded OSI stack.

| Layer | Vulnerability |
|---|---|
| 1. Physical | Cut the wire; stress equipment; wiretap |
| 2. Data link | Add noise or delay (threatens availability) |
| 3. Network | DNS and BGP attacks; false certificates |
| 4. Transport | Man in the middle |
| 5. Session | Session splicing (Firesheep); MS SMB |
| 6. Presentation | Attacks on encryption; ASN.1 parser attack |
| 7. Application | Malware; manual exploitation of vulnerabilities; SQL injection; buffer overflow |
| 8. Organization | A: Insider attacks; poor training or policies. B: Sub-contractors with weak cybersecurity; lack of information sharing. C: Weak technical or organizational standards |
| 9. Government | A: Laws prohibiting effective cybersecurity (for example, limits on encryption); weak laws for IoT or other security. B: Badly drafted cybercrime laws (for example, prohibiting security research). C: Excessive government surveillance |
| 10. International | A: Nation-state cyberattacks. B: Lack of workable international agreements to limit cyberattacks. C: Supranational legal rules that weaken cybersecurity (for example, some International Telecommunications Union proposals) |

As discussed in the column, for layers 8–10, "A" refers to vulnerabilities and risk mitigation arising within the organization or nation; "B" refers to vulnerability and risk mitigation in relation with other actors at that level; and "C" refers to other limits created by actors at that level.
Table 2. The pedagogic cybersecurity framework.

| Layer of the Expanded OSI Stack | A: Risk Mitigation Within an Organization or Nation | B: Relations with Other Actors | C: Other Limits from This Level | Protocol Data Unit |
|---|---|---|---|---|
| 8: Organization | 8A: Internal policies or plans of action to reduce risk within an organization (for example, incident response plans). | 8B: Vulnerability management in contracts with other entities, like vendors (for example, cyber-insurance). | 8C: Standards and limits originating from the private sector (for example, PCI DSS standard, led by the PCI Security Standards Council). | Contracts |
| 9: Government | 9A: Laws that govern what an individual or organization can or must do (for example, HIPAA Security Rule). | 9B: Laws that govern how organizations and individuals interact (for example, Computer Fraud and Abuse Act). | 9C: Government limits on its own actions (for example, Fourth Amendment limits on illegal searches). | Laws |
| 10: International | 10A: Unilateral actions by one government directed at one or more other nations (for example, U.S. Cyber Command launching a cyberattack on a hostile nation). | 10B: Formal and informal relationship management with other nations (for example, the Budapest Convention's provisions about cybercrime and Mutual Legal Assistance). | 10C: Limits on nations that come from other nations (for example, the United Nations and international law). | Diplomacy |