On The Relationship of Security & Reliability
By Roy D. Follendore III
Copyright (c)2002 RDFollendoreIII All Rights Reserved
December 11, 2002
The ideas of security and reliability are technically derived from the
requirement to describe correctness. The two words have grown up in different
domains of thinking. In one context we may get a feeling of security because our
cell phone is reliable. In another we may also feel that our phone is reliable
because it is secure. These are qualitative assumptions. When we actually
attempt the measurement of security and reliability we are reaching past the
qualitative concepts and into the realm of quantitative concepts. This is the
technical definition of security and reliability, and it is one where many
experts become confused about the nature of the metric.
Security can be
defined as a functional statistical statement of predictability
where the essential question of being secure or not is whether a given
system specified can be expected to continue to function for some period in
some specifiable manner.
Reliability can
be defined as a functional statistical statement of predictability
where the essential question of being in or out of a reliable state
is whether a given system specified can be expected to continue to function
for some specifiable period in some specifiable manner.
You will notice
that these are identical and interdependent statements implying a specifiable
functionality of purpose that determines the scope of the fitness criteria.
They are two sides of the same philosophical coin. The security functionality
of a reliable system is represented in terms of those systems which
assure reliability. Take away the assurance of reliability and the
probability of reliability is affected. Take away the security of subsystems
which detect internal error and the probability of reliability cannot
be confirmed.
The
"reliability of security" is often considered but the "security
of reliability" is not often considered. A prediction of
reliability must assume that the system will not be altered or affected
by external forces which are not proscribed in the specification during
the expected period of performance. Reliability assumes a degree of security
which assures that there is a criteria difference between normal and abnormal
functionality.
Assume that the
Acme company purchases a standalone software system which is certified for
reliability. Three months after installation there have been no problems
reported concerning the purchased system. Does this necessarily mean
that the system has been reliable? The answer is no. It could just
as easily mean that a specific function within the software has been
rarely used. It could mean that the system has not been stressed to the point
of failure. It could also mean that failures have simply not been detected.
Now let us assume the Acme company were to receive an update patch to add new
functionality to the system. What would this do to the reliability
certification?
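The Acme argument can be put in numbers. The following is an added example, not part of the original essay: it computes the upper bound on the per-use failure probability that zero reported failures can support, given how often a function was exercised and how likely a failure is to be detected. The function names, usage counts and detection probabilities are constructed assumptions.

```python
# Added illustration (not from the essay): what "no problems reported"
# can statistically support.

def failure_rate_upper_bound(uses, detection_prob=1.0, confidence=0.95):
    """Upper bound on the per-use failure probability p after `uses`
    exercises with zero *reported* failures, when each failure is
    noticed with probability `detection_prob`."""
    if uses <= 0 or detection_prob <= 0.0:
        # Never exercised, or failures are invisible: silence proves nothing.
        return 1.0
    alpha = 1.0 - confidence
    # P(zero reports in n uses) = (1 - p*d)^n. Setting this equal to alpha
    # and solving for p gives the largest p still consistent with silence.
    bound = (1.0 - alpha ** (1.0 / uses)) / detection_prob
    return min(1.0, bound)

# Constructed three-month usage counts for hypothetical functions.
USAGE = {
    "daily_report": 6000,    # heavily used
    "year_end_close": 2,     # rarely used
    "restore_backup": 0,     # never stressed
}

def assess(usage, detection_prob=1.0, confidence=0.95):
    """Map each function to the failure-rate bound its history supports."""
    return {
        name: failure_rate_upper_bound(n, detection_prob, confidence)
        for name, n in usage.items()
    }

if __name__ == "__main__":
    for d in (1.0, 0.1):
        print(f"detection probability {d}:")
        for name, bound in assess(USAGE, d).items():
            print(f"  {name:15s} p <= {bound:.4f}")
```

The same silence yields a tight bound only for the heavily used function, and the bound loosens in proportion as the subsystems that detect error are taken away.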
In a similar
manner, a prediction of security must account for the degree to
which a statement of predictable reliability is true.
Neither the
concept of security nor that of reliability is limited by the concept of
scalability. The smallest particle may or may not be secure enough
or reliable enough for a specifiable purpose and likewise the Universe itself
may or may not be secure enough or reliable enough for a specifiable
purpose.
When the scope of reliability and security is changed, the measurability of
issues that are introduced or may arise with respect to each criterion also
changes, and not necessarily proportionally. A software system that functions
within a system which is isolated from a network may have one set of
reliability and security criteria. When the hardware is connected to a network
the reliability and security criteria change. The statement of connectivity is
therefore also part of the system specification of security and reliability,
because all systems involve functionality in the presence of external
influences. Intentional and unintentional noise and other signals which
influence reliability and security may be injected into the boundary of
systems. Systems are also transmitters which propagate signals external to
their boundaries. In reality, the boundaries which we place on the reliability
and security of systems are artificial. Theoretically and to some degree, all
systems are part of the same larger system, and the statement of reliability,
like that of security, should include the probability of isolation.
It is foolish for those who presume to practice quality security and
reliability testing and evaluation to base their verification and validation
assumptions on invulnerable theory. The operational existence of the system
determines the probability of the system statement being true or not true.
There is a rational relationship between security and reliability that cannot
be severed. Hypothetical systems that do not simultaneously assume the
exogenous complexity of both security and reliability do not really assume
either. It is anathema to the profession for those knowledgeable in the field
to ignore the existence of the relationship.
The certification
of security and reliability is a qualitative statement imposed upon a quantitative
metric. The opposite is essentially a statement of inventory, but that is a
different story.
For related information about this general subject read my 2002 paper on "Type I and Type II Security Engineering Errors."