Enforcing the unenforceable

  • Authors: Peter Y. A. Ryan
  • Affiliations: University of Newcastle upon Tyne, Newcastle upon Tyne, UK
  • Venue: Proceedings of the 11th international conference on Security Protocols
  • Year: 2003

Abstract

A security policy is intended to regulate the behaviour of a socio-technical system (computers, networks and humans) in such a way as to ensure that certain properties are maintained or goals achieved. Two problems arise here: regulating the behaviour of humans is non-trivial and, secondly, many security goals are not "enforceable" in the Schneider sense [1]. Thus, security policy mechanisms inevitably involve approximations and trade-offs. We discuss the theoretical and practical limitations on what is technically enforceable and argue for the need for models that encompass social as well as technical enforcement mechanisms.