A Descriptive Enterprise System Model (DESM) Optimized for Cybersecurity Student and Practitioner Use

Abstract

This paper introduces the notion of a novel descriptive enterprise system model that is optimized for cybersecurity student and practitioner use, in a controlled classroom setting. Model-based system engineering theory provides guidance for the model design and use. The model is presented as a framework that needs to be detailed out for the enterprise being defended. There are two model benefits. First, is the analysis of how enterprise behavior impacts its attack surface structure and condition. Second is the ability to either abstract or decompose the enterprise attack surface structure at a level required for use case realization. The use case for this paper is the development of an enterprise risk treatment plan with a four-step work process. The four-step work process is shown to align with triple loop learning, a method recommended for improving cognitive skill levels and decision-making quality. Research shows enterprise cyber-defenders need high level cognitive skills.