Representing humans in system security models: An actor-network approach

Wolter Pieters

    Research output: Contribution to journalArticleAcademicpeer-review

    46 Citations (Scopus)
    232 Downloads (Pure)


    System models to assess the vulnerability of information systems to security threats typically represent a physical infrastructure (buildings) and a digital infrastructure (computers and networks), in combination with an attacker traversing the system while acquiring credentials. Other humans are generally not included, as their behaviour is considered more difficult to express. We propose a graph-based reference model for reasoning about access in system models including human actions, inspired by the sociological actor-network theory, treating humans and non-humans symmetrically. This means that humans can employ things to gain access (an attacker gains access to a room by means of a key), but things can also employ humans to gain access (a USB stick gains access to a computer by means of an employee), leading to a simple but expressive model. The model has the additional advantage that it is not based on containment, an increasingly problematic notion in the age of disappearing boundaries between systems. Based on the reference model, we discuss algorithms for finding attacks, as well as examples. The reference model can serve as a starting point for discussing representations of human behaviour in system models, and for including human behaviour in other than graph-based approaches.
    Original languageUndefined
    Pages (from-to)75-92
    Number of pages18
    JournalJournal of wireless mobile networks, ubiquitous computing, and dependable applications
    Issue number1
    Publication statusPublished - 2011


    • EWI-19934
    • SCS-Cybersecurity
    • Socio-Technical Systems
    • containment
    • Actor-Network Theory
    • vulnerability analysis
    • security modelling
    • METIS-279149
    • IR-76541
    • hypergraphs

    Cite this