Effectiveness of qualitative and quantitative security obligations

W. Pieters*, J. Padget, F. Dechesne, V. Dignum, H. Aldewereld

*Corresponding author for this work

    Research output: Contribution to journal › Article › Academic › peer-review

    10 Citations (Scopus)
    18 Downloads (Pure)

    Abstract

    Security policies in organisations typically take the form of obligations for employees. However, it is often unclear what the purpose of such obligations is and how they can be integrated into the operational processes of the organisation. The result can be policies that are either too strong or too weak, leading to unnecessary productivity loss in the first case and, in the second, to the possibility of becoming the victim of attacks that exploit the weaknesses. In this paper, we propose a framework in which the security obligations of employees are linked directly to prohibitions that prevent external agents (attackers) from reaching their goals. We use logic-based and graph-based approaches to formalise and reason about such policies, and show how the framework can be used to verify the correctness of the associated refinements. Finally, we extend the graph-based model with quantitative policies and associated quantitative analysis, based on the time an adversary needs for an attack. The framework can assist organisations in aligning security policies with their threat model.
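    The following is an added illustration, not code from the paper, of the two kinds of check the abstract describes: a qualitative check (does a set of complied-with employee obligations, read as prohibitions on attacker steps, make the attacker's goal unreachable?) and a quantitative one (if the goal stays reachable, does the cheapest remaining attack take longer than the defender can respond?). The attack graph, step names, time costs, the obligation-to-prohibition mapping and the response-time threshold are all constructed for this example and are not taken from the paper.

```python
"""Toy model of employee obligations as prohibitions on attacker steps in a
time-weighted attack graph.  Added example; every node, step, time and
obligation below is constructed for illustration, not from the paper."""
import heapq

# Constructed attack graph: node -> list of (next_node, step_name, hours).
# Each edge is one attacker step; its weight is the time the adversary needs.
ATTACK_GRAPH = {
    "outside": [("lobby", "tailgate_into_building", 1.0),
                ("mailbox", "send_phishing_mail", 0.5)],
    "lobby": [("unlocked_pc", "use_unlocked_workstation", 0.2),
              ("server_room", "pick_server_room_lock", 6.0)],
    "mailbox": [("employee_pc", "employee_opens_attachment", 2.0)],
    "unlocked_pc": [("customer_db", "query_db_from_session", 0.5)],
    "employee_pc": [("customer_db", "pivot_to_db_server", 8.0)],
    "server_room": [("customer_db", "attach_disk_to_laptop", 1.0)],
    "customer_db": [],
}

# Constructed mapping: an employee obligation, when complied with, prohibits
# exactly one attacker step (the edge is removed from the graph).
OBLIGATION_BLOCKS = {
    "lock_screen_when_leaving_desk": "use_unlocked_workstation",
    "never_open_unexpected_attachments": "employee_opens_attachment",
    "escort_visitors_beyond_lobby": "tailgate_into_building",
}


def restrict(graph, obligations):
    """Copy of the graph with the steps prohibited by the given obligations
    removed (assumes the obligations are actually complied with)."""
    blocked = {OBLIGATION_BLOCKS[o] for o in obligations}
    return {n: [e for e in edges if e[1] not in blocked]
            for n, edges in graph.items()}


def min_attack_time(graph, start, goal):
    """Dijkstra over step times.  Returns (hours, list_of_steps) for the
    fastest attack, or (None, None) if the goal is unreachable."""
    dist = {start: 0.0}
    prev = {}                      # node -> (predecessor, step taken)
    heap = [(0.0, start)]
    while heap:
        d, node = heapq.heappop(heap)
        if node == goal:
            path = []
            while node in prev:
                node, step = prev[node]
                path.append(step)
            return d, list(reversed(path))
        if d > dist.get(node, float("inf")):
            continue               # stale heap entry
        for nxt, step, hours in graph[node]:
            nd = d + hours
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                prev[nxt] = (node, step)
                heapq.heappush(heap, (nd, nxt))
    return None, None


def evaluate_policy(obligations, response_hours):
    """Qualitative check: is the goal unreachable once the obligations hold?
    Quantitative check otherwise: does the fastest attack exceed the
    (assumed) time the defender needs to detect and respond?"""
    g = restrict(ATTACK_GRAPH, obligations)
    hours, path = min_attack_time(g, "outside", "customer_db")
    if hours is None:
        return {"reachable": False, "hours": None, "path": [],
                "effective": True}
    return {"reachable": True, "hours": hours, "path": path,
            "effective": hours > response_hours}


if __name__ == "__main__":
    for policy in ([],
                   ["lock_screen_when_leaving_desk"],
                   list(OBLIGATION_BLOCKS)):
        print(policy, "->", evaluate_policy(policy, response_hours=4.0))
```

    With no obligations the fastest constructed attack is tailgating to an unlocked workstation (1.7 h), well inside a 4 h response window; the single obligation to lock the screen pushes the adversary to the 8 h lock-picking route, so the policy becomes effective quantitatively without blocking the goal; all three obligations together make the goal unreachable, which is the qualitative notion of correctness.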

    Original language: English
    Pages (from-to): 3-16
    Number of pages: 14
    Journal: Journal of Information Security and Applications
    Volume: 22
    DOIs
    Publication status: Published - Jun 2015
    Event: Journal of Information Security and Applications
    Duration: 1 Jun 2015 - 1 Jun 2015

    Keywords

    • Refinement
    • SCS-Cybersecurity
    • Graphs
    • Logics
    • Prohibitions
    • Security policies
    • Obligations
    • EC Grant Agreement nr.: FP7/2007-2013
    • EC Grant Agreement nr.: FP7/318003
    • EC Grant Agreement nr.: FP7/261696
    • n/a OA procedure
