I've been trying to come up with a list of attributes that a security solution needs to have to be complete and sufficient. The idea is to develop a set of attributes that can be used when analyzing security to see if it fulfills the needs of the situation. Obviously, risk management is the most important aspect of security analysis, but if we can distil a complex design into a small set of attributes that appropriate solutions generally would have then we could use that to analyze how good our solution is. This would be helpful when analyzing security solutions, be they security features in an operating system, an architectural design of a network, a physical security infrastructure, or any other type of security solution. The attributes also need to be a parsimonious set. Attributes of a solution need to be less complicated than the solution itself to be useful for analysis, otherwise why abstract the solution into its attributes?
I wrote these down a while ago and have been hoping I could refine them by doing what I always do - mull them over mentally for a while. However, I can't seem to come up with anything better, so I thought I would open up the thinking to the community and see if anyone else has any better ideas.