Effectiveness of qualitative and quantitative security obligations

Wolter Pieters, J. Padget, F. Dechesne, V. Dignum, H. Aldewereld

Research output: Contribution to journalArticle

  • 6 Citations

Abstract

Security policies in organisations typically take the form of obligations for the employees. However, it is often unclear what the purpose of such obligations is, and how these can be integrated in the operational processes of the organisation. This can result in policies that may be either too strong or too weak, leading to unnecessary productivity loss, or the possibility of becoming victim to attacks that exploit the weaknesses, respectively. In this paper, we propose a framework in which the security obligations of employees are linked directly to prohibitions that prevent external agents (attackers) from reaching their goals. We use logic-based and graph-based approaches to formalise and reason about such policies, and show how the framework can be used to verify correctness of the associated refinements. Finally, we extend the graph-based model with quantitative policies and associated quantitative analysis, based on the time an adversary needs for an attack. The framework can assist organisations in aligning security policies with their threat model.
LanguageUndefined
Pages3-16
Number of pages14
JournalJournal of information security and applications
Volume22
DOIs
StatePublished - Jun 2015

Keywords

  • EWI-25052
  • SCS-Cybersecurity
  • Graphs
  • Logics
  • Prohibitions
  • Security policies
  • IR-91774
  • Obligations
  • EC Grant Agreement nr.: FP7/2007-2013
  • EC Grant Agreement nr.: FP7/318003
  • EC Grant Agreement nr.: FP7/261696
  • METIS-306025
  • Refinement

Cite this

Pieters, Wolter ; Padget, J. ; Dechesne, F. ; Dignum, V. ; Aldewereld, H./ Effectiveness of qualitative and quantitative security obligations. In: Journal of information security and applications. 2015 ; Vol. 22. pp. 3-16
@article{0a521acc90c54f318ab4e06ee9ecfbd9,
title = "Effectiveness of qualitative and quantitative security obligations",
abstract = "Security policies in organisations typically take the form of obligations for the employees. However, it is often unclear what the purpose of such obligations is, and how these can be integrated in the operational processes of the organisation. This can result in policies that may be either too strong or too weak, leading to unnecessary productivity loss, or the possibility of becoming victim to attacks that exploit the weaknesses, respectively. In this paper, we propose a framework in which the security obligations of employees are linked directly to prohibitions that prevent external agents (attackers) from reaching their goals. We use logic-based and graph-based approaches to formalise and reason about such policies, and show how the framework can be used to verify correctness of the associated refinements. Finally, we extend the graph-based model with quantitative policies and associated quantitative analysis, based on the time an adversary needs for an attack. The framework can assist organisations in aligning security policies with their threat model.",
keywords = "EWI-25052, SCS-Cybersecurity, Graphs, Logics, Prohibitions, Security policies, IR-91774, Obligations, EC Grant Agreement nr.: FP7/2007-2013, EC Grant Agreement nr.: FP7/318003, EC Grant Agreement nr.: FP7/261696, METIS-306025, Refinement",
author = "Wolter Pieters and J. Padget and F. Dechesne and V. Dignum and H. Aldewereld",
note = "Foreground = 50{\%}; Type of activity = publication; Main leader = TUD; Type of audience = scientific community;Size of audience = n.a.; Countries addressed = international;",
year = "2015",
month = "6",
doi = "10.1016/j.jisa.2014.07.003",
language = "Undefined",
volume = "22",
pages = "3--16",
journal = "Journal of information security and applications",
issn = "2214-2126",
publisher = "Elsevier Limited",

}

Effectiveness of qualitative and quantitative security obligations. / Pieters, Wolter; Padget, J.; Dechesne, F.; Dignum, V.; Aldewereld, H.

In: Journal of information security and applications, Vol. 22, 06.2015, p. 3-16.

Research output: Contribution to journalArticle

TY - JOUR

T1 - Effectiveness of qualitative and quantitative security obligations

AU - Pieters,Wolter

AU - Padget,J.

AU - Dechesne,F.

AU - Dignum,V.

AU - Aldewereld,H.

N1 - Foreground = 50%; Type of activity = publication; Main leader = TUD; Type of audience = scientific community;Size of audience = n.a.; Countries addressed = international;

PY - 2015/6

Y1 - 2015/6

N2 - Security policies in organisations typically take the form of obligations for the employees. However, it is often unclear what the purpose of such obligations is, and how these can be integrated in the operational processes of the organisation. This can result in policies that may be either too strong or too weak, leading to unnecessary productivity loss, or the possibility of becoming victim to attacks that exploit the weaknesses, respectively. In this paper, we propose a framework in which the security obligations of employees are linked directly to prohibitions that prevent external agents (attackers) from reaching their goals. We use logic-based and graph-based approaches to formalise and reason about such policies, and show how the framework can be used to verify correctness of the associated refinements. Finally, we extend the graph-based model with quantitative policies and associated quantitative analysis, based on the time an adversary needs for an attack. The framework can assist organisations in aligning security policies with their threat model.

AB - Security policies in organisations typically take the form of obligations for the employees. However, it is often unclear what the purpose of such obligations is, and how these can be integrated in the operational processes of the organisation. This can result in policies that may be either too strong or too weak, leading to unnecessary productivity loss, or the possibility of becoming victim to attacks that exploit the weaknesses, respectively. In this paper, we propose a framework in which the security obligations of employees are linked directly to prohibitions that prevent external agents (attackers) from reaching their goals. We use logic-based and graph-based approaches to formalise and reason about such policies, and show how the framework can be used to verify correctness of the associated refinements. Finally, we extend the graph-based model with quantitative policies and associated quantitative analysis, based on the time an adversary needs for an attack. The framework can assist organisations in aligning security policies with their threat model.

KW - EWI-25052

KW - SCS-Cybersecurity

KW - Graphs

KW - Logics

KW - Prohibitions

KW - Security policies

KW - IR-91774

KW - Obligations

KW - EC Grant Agreement nr.: FP7/2007-2013

KW - EC Grant Agreement nr.: FP7/318003

KW - EC Grant Agreement nr.: FP7/261696

KW - METIS-306025

KW - Refinement

U2 - 10.1016/j.jisa.2014.07.003

DO - 10.1016/j.jisa.2014.07.003

M3 - Article

VL - 22

SP - 3

EP - 16

JO - Journal of information security and applications

T2 - Journal of information security and applications

JF - Journal of information security and applications

SN - 2214-2126

ER -