Mismatches between models and the realities they are intended
to model cause the models to break down in ways exploitable by attackers.
Examples include use of the Bell-LaPadula model of security
a basis for designing secure operating systems - thus leaving disruption
uncovered, modeling attacks and defenses as if they were statistically
independent phenomena for risk analysis - thus ignoring synergistic effects,
and modeling misconfigurations as mis-set protection bits - when the content
of configuration files remains uncovered.
Complexity: There is some theory
about the adequacy of modeling, however, there is no general theory that
addresses the protection-related issues of modeling flaws. This appears to
be a very complex issue.