To the uninitiated, the SABSA (Sherwood Applied Business Security Architecture) Matrix appears as a rigid taxonomy: six columns (Assets, Motivation, Process, People, Location, Time) intersecting with six rows (Contextual, Conceptual, Logical, Physical, Component, Operational). But this is not a table; it is a of an organization’s soul. It is the only security tool I know that forces a CEO and a network engineer to ask the exact same question in six different languages. The Vertical Truth: From Dreams to Dust The true genius of the SABSA Matrix lies in its vertical integration. Most security frameworks operate on a single horizontal layer. Governance documents live in the stratosphere; firewall rules live in the basement; they never meet. SABSA forces a vertical cascade of accountability.
Consider the top row: . Here, the business asks: Why are we securing this asset? The answer might be: “To protect customer credit card data so we don’t lose trust or face fines.” sabsa architecture matrix
: Where do the actual machines sit? (HSMs in a locked data center). To the uninitiated, the SABSA (Sherwood Applied Business
Using the SABSA Matrix feels less like engineering and more like cartography. You are mapping an unknown territory—the territory where business goals, human behavior, physics, and time all collide. And on a good day, when all 36 cells are filled and aligned, you don’t just have security architecture. You have a prophecy of resilience. The Vertical Truth: From Dreams to Dust The
Descend to : How is the system structured? (Encryption key management system, access control lists).
You may discover that your security model (row 2) assumes a “zero-trust network,” but your Physical reality (row 4) still has a shared switch in a broom closet. Or that your Motivation column (Why?) is full of heroic declarations (“to protect patient lives”), but your Operational row (Who?) has no names—just the phrase “To be determined.”
