Making the Case for Cybersecurity
claim: “Asset A_i is viable”—that is, it performs a mission-relevant function or contributes to a critical operation, making it worth protecting.
Beyond individual assets, the argument must justify completeness: that the union of all identified assets represents all viable assets within the system's operational and mission context. This claim is essential, as risk reasoning hinges on understanding what is at stake. If critical assets are omitted, derived risks may be incomplete or misleading. The justification for this completeness claim typically draws on system and mission models (e.g., via SPECTRA), mapping system units and data types to operational goals and verifying their inclusion through traceability.
Figure 6-1: Contextualized risk and asset objects.
In a risk-centric DevSecOps framework, the assurance case does more than structure justification—it orchestrates the construction of the risk model itself. While the top-level claim is that all viable assets have been identified (i.e., the completeness claim), this cannot be evaluated in isolation. It must be operationalized through a synergy of claim templates, a risk metamodel, and inference rules. As the controller executes, it dynamically instantiates claims such as existence and viability, generating asset objects and their corresponding justifications based on foundational system facts.
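The sketch below is an added illustration, not the report's controller or SPECTRA's data model. It shows one way a controller could instantiate existence and viability claims from system facts and roll them up into the completeness claim. The fact schema, the one-rule-per-category mapping (using the information, capability and mission categories this section names), and all identifiers are assumptions, and the sample facts are constructed.

```python
from dataclasses import dataclass, field

# Constructed system facts (hypothetical schema): element id, kind,
# and the mission goals the element traces to.
FACTS = [
    {"id": "telemetry_db", "kind": "data_type", "supports": ["monitor_fleet"]},
    {"id": "cmd_uplink", "kind": "system_unit", "supports": ["control_vehicle"]},
    {"id": "debug_port", "kind": "system_unit", "supports": []},
    {"id": "control_vehicle", "kind": "mission_goal", "supports": []},
    {"id": "legacy_bus", "kind": "interface", "supports": ["control_vehicle"]},
]

# Assumed inference rules, one per asset category: fact kind -> category.
RULES = {"data_type": "information", "system_unit": "capability",
         "mission_goal": "mission"}

@dataclass
class Claim:
    text: str
    holds: bool
    evidence: list = field(default_factory=list)

def run_controller(facts, rules):
    """Instantiate existence and viability claims for each fact a rule matches."""
    assets, unexplored = {}, []
    for f in facts:
        category = rules.get(f["kind"])
        if category is None:
            unexplored.append(f["id"])  # no category rule explores this fact
            continue
        existence = Claim(f"Asset {f['id']} exists ({category})", True,
                          [f"fact:{f['id']}"])
        # Viability: the element is a mission goal or traces to at least one.
        goals = [f["id"]] if category == "mission" else f["supports"]
        viability = Claim(f"Asset {f['id']} is viable", bool(goals),
                          [f"goal:{g}" for g in goals])
        assets[f["id"]] = {"category": category, "existence": existence,
                           "viability": viability}
    return assets, unexplored

def completeness_claim(assets, unexplored):
    """Top-level claim: fails if any fact fell outside every asset category.
    Whether the input facts themselves are complete cannot be checked here."""
    viable = sorted(a for a, c in assets.items() if c["viability"].holds)
    return Claim("All viable assets have been identified", not unexplored,
                 [f"asset:{a}" for a in viable] + [f"gap:{u}" for u in unexplored])
```

In this constructed input, `legacy_bus` matches no category rule, so the top-level claim is reported as unsupported and the gap appears in its evidence list instead of being silently dropped.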
The argument for completeness involves two subclaims: first, that the set of asset categories is exhaustive (e.g., all information, capability, and mission assets are covered); and second, that the input system facts are themselves complete with respect to the system of interest. Because inference rules are aligned with asset categories, executing the controller ensures that all category-relevant elements are explored. In this way, the assurance case becomes a self-tailoring
52 May 2025