Achieving Multi-Dimensional Security through Information Modeling – Part 1


The constructs of a business model canvas are rooted in scientific modeling, business modeling, and system information modeling—all driven by logic. The business model canvas is modeled using the following:

  1. Inputs (This is what we want to do)
    1. What are our goals and objectives? (Value Proposition)
    2. Who and where do we need to engage externally? (Key Partners)
    3. Who are the major internal stakeholders? (Key Resources)
    4. What are our ongoing expenditures? (Cost Structure)
    5. Who and what defines our target market? (Customer Segments)
  2. Activities (This is how we do it)
    1. How do we support our customers? (Customer Relationships)
    2. How do we reach our customers? (Channels)
  3. Outputs (These are the results)
    1. How is our Value Proposition quantified? (Key Activities)
  4. Outcomes (This is the value)
    1. What are the realized investments? (Revenue Streams)

Developing Models

Scientific modeling is the rendering of an object’s interoperable components. In this context, an object can be a concept, process, product, or structure. First, modeling conceptualizes the object, enabling qualification of interoperable components and conduits. Next, contextual models quantify the components as an operational system.

Business modeling is the conceptual rendering of an organization’s operations; it is a framework that quantifies value proposition, customers, partners, high-level critical path organizational structure, activities, channels, relationships, cost structure, and revenue streams.

The Value of a Model

Why is this important to information security professionals? An organization’s business model provides you with the blueprint of the organization’s priorities so you can appropriately align your information security program. It’s the first glimpse of the product you must protect, the partners who may traverse your infrastructure, the customers whose data you must protect, along with the various internal stakeholders you must influence to be successful. Overall, however, it also provides a perspective of what type of access your infrastructure must support and how information may be extracted. The business model provides the foundation for rationalized information modeling as one models based on organizational directives.

Modeling from this perspective allows one to influence by introducing information security through organizationally driven models. Well-developed business models are built on a blend of logic that addresses who, what, why, where, when, and how much. Information Security strategies modeled from such a foundation possess the same inherent logic, thereby reducing logic errors or misalignment of information security strategies to organizational objectives, goals, and outcomes. Information modeling at its core is a technique for rationalizing and contextualizing a foundational model into a master model for Information Security. The master model provides the impetus for the contextualizing of models that are introduced based on the organization’s situations and circumstances.

An aggregate of models gives birth to systems within systems, all of which quantify interoperable components based on characteristics, conduits, and influences of the business. The foundational business model serves as your check and, with your resulting information, models the resulting balance to maintain continuous alignment through systemic consciousness.

Stay Tuned

This series is about modeling the business to identify access threats, thereby enabling the application of rationalized multidimensional control to reduce compliance gaps and opportunistic compromise.

If you’re an Information Security leader, consider asking your business leaders (based on the organization’s business model) what they think security professionals should be securing.

If you’re part of the technical staff, based on the business model above, what protections would you recommend to keep your company secure and its data private? What can you infer regarding regulatory mandates?

In part 2 we’ll look at creating a master model based on the business model. The master model is our basis for realizing defense in depth through a multi-dimensional protection strategy.

 


