Obligations to enforce prohibitions: on the adequacy of security policies

Wolter Pieters; Julian Padget; Francien Dechesne; Virginia Dignum; Huib Aldewereld

doi:10.1145/2523514.2523526

Obligations to enforce prohibitions: on the adequacy of security policies

Wolter Pieters, Julian Padget, Francien Dechesne, Virginia Dignum, Huib Aldewereld

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

3 Citations (Scopus)

Abstract

Security policies in organisations typically take the form of obligations for the employees. However, it is often unclear what the purpose of such obligations is, and how these can be integrated in the operational processes of the organisation. This can result in policies that may be either too strong or too weak, leading to unnecessary productivity loss, or the possibility of becoming victim to attacks that exploit the weaknesses, respectively. In this paper, we propose a framework in which the security obligations of employees are linked directly to prohibitions that prevent external agents (attackers) from reaching their goals. We use graph-based and logic-based approaches to formalise and reason about such policies, and show how the framework can be used to verify correctness of the associated refinements. The framework can assist organisations in aligning security policies with their threat model.

Original language	Undefined
Title of host publication	SIN '13 - Proceedings of the 6th International Conference on Security of Information and Networks
Place of Publication	New York
Publisher	Association for Computing Machinery (ACM)
Pages	54-61
Number of pages	8
ISBN (Print)	978-1-4503-2498-4
DOIs	https://doi.org/10.1145/2523514.2523526
Publication status	Published - 26 Nov 2013

Publication series

Name	Proceeding
Publisher	ACM

Keywords

EWI-24433
SCS-Cybersecurity
Security policies
Prohibitions
Refinement
Obligations
IR-89273
EC Grant Agreement nr.: FP7/261696
EC Grant Agreement nr.: FP7/318003
Graphs
Logics
METIS-302695
EC Grant Agreement nr.: FP7/2007-2013

Access to Document

10.1145/2523514.2523526

http://eprints.eemcs.utwente.nl/secure2/24433/01/TREsPASS.pdf

Cite this

Pieters, W., Padget, J., Dechesne, F., Dignum, V., & Aldewereld, H. (2013). Obligations to enforce prohibitions: on the adequacy of security policies. In SIN '13 - Proceedings of the 6th International Conference on Security of Information and Networks (pp. 54-61). (Proceeding). New York: Association for Computing Machinery (ACM). https://doi.org/10.1145/2523514.2523526

@inproceedings{a51154ea62144138a77effdecd6e035d,

title = "Obligations to enforce prohibitions: on the adequacy of security policies",

abstract = "Security policies in organisations typically take the form of obligations for the employees. However, it is often unclear what the purpose of such obligations is, and how these can be integrated in the operational processes of the organisation. This can result in policies that may be either too strong or too weak, leading to unnecessary productivity loss, or the possibility of becoming victim to attacks that exploit the weaknesses, respectively. In this paper, we propose a framework in which the security obligations of employees are linked directly to prohibitions that prevent external agents (attackers) from reaching their goals. We use graph-based and logic-based approaches to formalise and reason about such policies, and show how the framework can be used to verify correctness of the associated refinements. The framework can assist organisations in aligning security policies with their threat model.",

keywords = "EWI-24433, SCS-Cybersecurity, Security policies, Prohibitions, Refinement, Obligations, IR-89273, EC Grant Agreement nr.: FP7/261696, EC Grant Agreement nr.: FP7/318003, Graphs, Logics, METIS-302695, EC Grant Agreement nr.: FP7/2007-2013",

author = "Wolter Pieters and Julian Padget and Francien Dechesne and Virginia Dignum and Huib Aldewereld",

note = "Foreground = 25{\%}; Type of activity = Conference; Main leader = TUD; type of audience = scientific community; Size of audience = 10; Countries addressed = International",

year = "2013",

month = "11",

day = "26",

doi = "10.1145/2523514.2523526",

language = "Undefined",

isbn = "978-1-4503-2498-4",

series = "Proceeding",

publisher = "Association for Computing Machinery (ACM)",

pages = "54--61",

booktitle = "SIN '13 - Proceedings of the 6th International Conference on Security of Information and Networks",

address = "United States",

}

Obligations to enforce prohibitions: on the adequacy of security policies. / Pieters, Wolter; Padget, Julian; Dechesne, Francien; Dignum, Virginia; Aldewereld, Huib.

SIN '13 - Proceedings of the 6th International Conference on Security of Information and Networks. New York : Association for Computing Machinery (ACM), 2013. p. 54-61 (Proceeding).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Obligations to enforce prohibitions: on the adequacy of security policies

AU - Pieters, Wolter

AU - Padget, Julian

AU - Dechesne, Francien

AU - Dignum, Virginia

AU - Aldewereld, Huib

N1 - Foreground = 25%; Type of activity = Conference; Main leader = TUD; type of audience = scientific community; Size of audience = 10; Countries addressed = International

PY - 2013/11/26

Y1 - 2013/11/26

N2 - Security policies in organisations typically take the form of obligations for the employees. However, it is often unclear what the purpose of such obligations is, and how these can be integrated in the operational processes of the organisation. This can result in policies that may be either too strong or too weak, leading to unnecessary productivity loss, or the possibility of becoming victim to attacks that exploit the weaknesses, respectively. In this paper, we propose a framework in which the security obligations of employees are linked directly to prohibitions that prevent external agents (attackers) from reaching their goals. We use graph-based and logic-based approaches to formalise and reason about such policies, and show how the framework can be used to verify correctness of the associated refinements. The framework can assist organisations in aligning security policies with their threat model.

AB - Security policies in organisations typically take the form of obligations for the employees. However, it is often unclear what the purpose of such obligations is, and how these can be integrated in the operational processes of the organisation. This can result in policies that may be either too strong or too weak, leading to unnecessary productivity loss, or the possibility of becoming victim to attacks that exploit the weaknesses, respectively. In this paper, we propose a framework in which the security obligations of employees are linked directly to prohibitions that prevent external agents (attackers) from reaching their goals. We use graph-based and logic-based approaches to formalise and reason about such policies, and show how the framework can be used to verify correctness of the associated refinements. The framework can assist organisations in aligning security policies with their threat model.

KW - EWI-24433

KW - SCS-Cybersecurity

KW - Security policies

KW - Prohibitions

KW - Refinement

KW - Obligations

KW - IR-89273

KW - EC Grant Agreement nr.: FP7/261696

KW - EC Grant Agreement nr.: FP7/318003

KW - Graphs

KW - Logics

KW - METIS-302695

KW - EC Grant Agreement nr.: FP7/2007-2013

U2 - 10.1145/2523514.2523526

DO - 10.1145/2523514.2523526

M3 - Conference contribution

SN - 978-1-4503-2498-4

T3 - Proceeding

SP - 54

EP - 61

BT - SIN '13 - Proceedings of the 6th International Conference on Security of Information and Networks

PB - Association for Computing Machinery (ACM)

CY - New York

ER -