7. The bases of computerized governance support in PCUBE-SEC
7.1 The PCUBE-SEC problem world description and knowledge base
7.1.1 The problem world description
The user's problem world description in PCUBE-SEC is the union of the already available knowledge base and the user's own knowledge concerning the given problem to be solved.
This union need not be disjoint, as the user might over-declare anything that is already available. This can be intentional, but need not be. PCUBE-SEC does not require the user to study the recipes that are already available.
Experts can build parts that can be used by other users. These others can also build their own knowledge into the PCUBE-SEC knowledge base. Every PCUBE-SEC user is welcome to share his or her knowledge with the others. Their contributions will also always suggest necessary conditions that, according to their knowledge, contribute to the described goals. This knowledge is never claimed to be sufficient to achieve anything. Preserving the knowledge of predecessor users is not compulsory, of course, but it might be useful, even if the next user does not always benefit from it. Preserving means not deleting it; a kind of over-declaration is possible instead. This actually means giving a new series of conditions that is not yet present in the knowledge base. It will be seen that this over-declaration takes effect only if it is encountered earlier during program execution than the already available list.
In this research work the author would also like to offer ready-made recipes beyond the excellence criteria: a kind of expert knowledge concerning given special, practical problems. These will illustrate the PCUBE-SEC way of program processing. As advice, these can be taken as results of the PCUBE-SEC research, illustrating how to extend the information security - IT audit methodologies to the operational level.
The knowledge base form of the already mentioned "recipe" is actually a PCUBE-SEC program. In the case of the predecessor, PCUBE, the program itself and the path that the program execution traverses are equally important, as this path describes the suggested series of process steps. For PCUBE this was the solution of the user's problem.
For the PCUBE-SEC user this path gives the order of the subgoals / activities to be achieved / performed, "according to" PCUBE-SEC, as necessary preconditions of the user's goal. This path shows the order of processing those "statements" that are related to the given problem, that is, the order of those statements that express the relations the user already knows.
PCUBE provides the automatic derivation process that actually "computes" the consequences of a given set of information. Applying the PCUBE solution in PCUBE-SEC, this set of information will be the PCUBE-SEC program that is prepared "to solve a given case". During this "processing" of a program, PCUBE, or now PCUBE-SEC, never looks into the meaning of the information comprising the program. This processing works almost like an interpreter processing a source program. This formal processing helps in two ways. On the one hand, it forces a coherent description, which is always good for documentation. On the other hand, it derives, in a kind of automatic way, the consequences of the information comprising this description, and new connections might also be explored. Thus PCUBE-SEC rewards documentation.
The knowledge in the knowledge base is expressed basically in two forms. One is an objective, a kind of subgoal, and the other is a condition, or series of conditions, that can contribute to the fulfillment of the goals. These conditions can be activities, criteria, or anything else that is able to help to achieve a goal. They only help, as nobody is able to ensure that they will be enough. Every methodology, PCUBE-SEC included, gives advice on necessary conditions, but there is no assurance that they are sufficient.
In formulating these goals and conditions, all of the notions described in the previous chapters can be of use. As they have already been extended from the arena of information security - IT audit to the scope of operations, corporate governance, they will hopefully also be applied in this context.
The excellence criteria can certainly be offered as either subgoals or preconditions to other goals, as the user prefers. They are short ready-made recipes by themselves. The definitions of these criteria are not necessarily part of the PCUBE-SEC knowledge base. These can be taken as a kind of self-explanatory "atomic" expressions.
For example, "availability" need not be further decomposed in the knowledge base. Whether the user accepts the PCUBE-SEC meaning or chooses a completely different one, this notion will probably be considered a known one, requiring no further preconditions.
Such parts of the knowledge base that are not detailed further are called the atomic expressions of the "programming language" of PCUBE. As they have no preconditions, their fulfillment is outside the scope of the PCUBE-SEC automatic reasoning. In other words, these atomic expressions are taken by the user "as granted". However, formerly atomic expressions can be "transformed" into composite ones if preconditions are assigned to them.
Investigating the possibilities of the fulfillment of a goal corresponds in PCUBE-SEC to the processing of this goal as a "user's question". Originally the user asks his / her final question, which is the final goal of the program, and in answering it, PCUBE-SEC derives from this question other questions, other subgoals.
PCUBE-SEC answers these questions using the information to be found on the given goal or subgoal in the current problem world description. From the original question lower and lower-level questions are derived, until PCUBE-SEC is able to express the "answer" solely by atomic expressions.
PCUBE-SEC "takes the user's question in its one hand, the problem world description in its other hand", and tries to make something out of it, by matching the question to suitable elements in the knowledge base.
PCUBE produces the description of a possible successful process execution and cooperation in the form of a series of process steps to be performed in order to achieve the given goal(s). The path itself is the important result. In the case of PCUBE-SEC the derivation paths will also be the most interesting part of the result, as they show the road towards the goal.
The way of processing the user's question explains the meaning of over-declaring something that is already detailed in a certain way, that is, by certain atomic expressions. Over-declaring simply means another way of detailing this same thing. The matching proceeds by taking the statements of the knowledge base one by one, from the beginning of the knowledge base towards its end. Thus the explanation, that is, the details that PCUBE-SEC finds, will be those details that stand first among the explanations of this same more complex thing. This is why the user's over-declaration "comes to life" only if it is encountered by the program execution.
An important advantage of the PCUBE-SEC way of implementing its users' knowledge is, among others, that it shows very well the value of documenting everything that we know of. PCUBE-SEC, like any other tool, can use only the information that it has been "told". Thus, if the user wants to benefit from the processing of his / her question, then he / she has to put everything that is already known about the problem into the knowledge base. Concrete examples will show how to formulate this knowledge.
Another advantage of PCUBE-SEC, and at the same time a reward for the documentation, will also be shown. This is the already mentioned exploration of new connections among the already known relations between the parts of the knowledge base, giving a chance to identify new dependencies, even without any further outside help. These dependencies between goals and conditions, beyond those that the user has already described, will be the result of matching the user's question to the elements of the knowledge base.
This matching process corresponds to the special way of PCUBE program execution, which can be interpreted, as will be seen, as the traversing of certain trees. This traversing utilizes the net of connections between the building blocks of the PCUBE-SEC problem world description. It is a kind of derivation process, proceeding step by step, starting from the user's question, as if from a higher-, strategic-level goal, towards more and more concrete information, which is either simpler goals or executable tasks.
The user's goal, the "question", is to be answered using the knowledge base. This answering is made step by step; this is the so-called PCUBE derivation process, which PCUBE-SEC inherited from PCUBE.
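The first-match derivation and the effect of over-declaration described above can be made concrete with a small sketch. This is an added example, not PCUBE-SEC code: the list-of-pairs rule format, the function name `derive`, and every goal name except "availability" are assumptions constructed for illustration.

```python
# Added illustration; the rule format and goal names are assumptions,
# not PCUBE-SEC syntax.

def derive(question, knowledge_base):
    """Return (path, atoms): the goals in the order they are processed, and
    the atomic expressions in which the answer is finally expressed."""
    path, atoms = [], []

    def expand(goal, ancestors):
        if goal in ancestors:
            raise ValueError(f"circular precondition: {goal}")
        path.append(goal)
        # Scan statements from the beginning of the knowledge base to its
        # end; the first statement about this goal is the one that is used.
        for head, conditions in knowledge_base:
            if head == goal:
                for condition in conditions:
                    expand(condition, ancestors | {goal})
                return
        # No statement details this goal: it is atomic, taken "as granted".
        if goal not in atoms:
            atoms.append(goal)

    expand(question, frozenset())
    return path, atoms


# Constructed sample knowledge base (statements left by earlier users).
SHARED_KB = [
    ("secure_operation", ["access_control", "availability"]),
    ("access_control", ["user_identification", "authorization_review"]),
]
# Constructed over-declaration: another way of detailing access_control.
OVER_DECLARATION = ("access_control", ["segregation_of_duties"])


def demo():
    base = derive("secure_operation", SHARED_KB)
    early = derive("secure_operation", [OVER_DECLARATION] + SHARED_KB)
    late = derive("secure_operation", SHARED_KB + [OVER_DECLARATION])
    return base, early, late


if __name__ == "__main__":
    for label, (path, atoms) in zip(("base", "early", "late"), demo()):
        print(label, "path:", " -> ".join(path), "| atoms:", atoms)
```

Placed before the shared statements, the over-declaration changes the derivation path; placed after them, it is never reached and the result equals the base case.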