Obligations to enforce prohibitions: on the adequacy of security policies

Wolter Pieters, Julian Padget, Francien Dechesne, Virginia Dignum, Huib Aldewereld

    Research output: Chapter in Book/Report/Conference proceeding > Conference contribution > Academic > peer-review

    3 Citations (Scopus)

    Abstract

    Security policies in organisations typically take the form of obligations for the employees. However, it is often unclear what the purpose of such obligations is, and how these can be integrated in the operational processes of the organisation. This can result in policies that may be either too strong or too weak, leading to unnecessary productivity loss, or the possibility of becoming victim to attacks that exploit the weaknesses, respectively. In this paper, we propose a framework in which the security obligations of employees are linked directly to prohibitions that prevent external agents (attackers) from reaching their goals. We use graph-based and logic-based approaches to formalise and reason about such policies, and show how the framework can be used to verify correctness of the associated refinements. The framework can assist organisations in aligning security policies with their threat model.
    Original language: Undefined
    Title of host publication: SIN '13 - Proceedings of the 6th International Conference on Security of Information and Networks
    Place of publication: New York
    Publisher: Association for Computing Machinery (ACM)
    Pages: 54-61
    Number of pages: 8
    ISBN (Print): 978-1-4503-2498-4
    DOIs: https://doi.org/10.1145/2523514.2523526
    Publication status: Published - 26 Nov 2013

    Publication series

    Name: Proceeding
    Publisher: ACM

    Keywords

    • EWI-24433
    • SCS-Cybersecurity
    • Security policies
    • Prohibitions
    • Refinement
    • Obligations
    • IR-89273
    • EC Grant Agreement nr.: FP7/261696
    • EC Grant Agreement nr.: FP7/318003
    • Graphs
    • Logics
    • METIS-302695
    • EC Grant Agreement nr.: FP7/2007-2013

    Cite this

    Pieters, W., Padget, J., Dechesne, F., Dignum, V., & Aldewereld, H. (2013). Obligations to enforce prohibitions: on the adequacy of security policies. In SIN '13 - Proceedings of the 6th International Conference on Security of Information and Networks (pp. 54-61). (Proceeding). New York: Association for Computing Machinery (ACM). https://doi.org/10.1145/2523514.2523526