Security Policy Alignment: A Formal Approach

Wolter Pieters, T. Dimkov, Dusko Pavlovic

    Research output: Contribution to journalArticleAcademicpeer-review

    22 Citations (Scopus)
    54 Downloads (Pure)

    Abstract

    Security policy alignment concerns the matching of security policies specified at different levels in socio-technical systems, and delegated to different agents, technical and human. For example, the policy that sales data should not leave an organization is refined into policies on door locks, firewalls and employee behavior, and this refinement should be correct with respect to the original policy. Although alignment of security policies in socio-technical systems has been discussed in the literature, especially in relation to business goals, there has been no formal treatment of this topic so far in terms of consistency and completeness of policies. Wherever formal approaches are used in policy alignment, these are applied to well-defined technical access control scenarios instead. Therefore, we aim at formalizing security policy alignment for complex socio-technical systems in this paper, and our formalization is based on predicates over sequences of actions. We discuss how this formalization provides the foundations for existing and future methods for finding security weaknesses induced by misalignment of policies in socio-technical systems.
    Original languageEnglish
    Pages (from-to)275-287
    Number of pages13
    JournalIEEE systems journal
    Volume7
    Issue number2
    DOIs
    Publication statusPublished - 2013

    Keywords

    • DIES-Cyber Security
    • SCS-Cybersecurity
    • Security logics
    • Security policies
    • Attack trees
    • Security policy refinement
    • System models
    • Socio-Technical Systems
    • Security policy alignment

    Fingerprint Dive into the research topics of 'Security Policy Alignment: A Formal Approach'. Together they form a unique fingerprint.

    Cite this