Obligations to enforce prohibitions: on the adequacy of security policies

Authors:
Wolter Pieters;Julian Padget;Francien Dechesne;Virginia Dignum;Huib Aldewereld
Affiliations:
Delft University of Technology & University of Twente, The Netherlands;University of Bath, United Kingdom;Delft University of Technology, The Netherlands;Delft University of Technology, The Netherlands;Delft University of Technology, The Netherlands
Venue:
Proceedings of the 6th International Conference on Security of Information and Networks
Year:
2013

Citing 10
Cited 0

A logic-based calculus of events

New Generation Computing
Value-sensitive design

interactions
Towards a logical formalization of responsibility

Proceedings of the 6th international conference on Artificial intelligence and law
Knowledge Representation, Reasoning, and Declarative Problem Solving

Knowledge Representation, Reasoning, and Declarative Problem Solving
Analyzing consistency of security policies

SP '97 Proceedings of the 1997 IEEE Symposium on Security and Privacy
Answer set programming for representing and reasoning about virtual institutions

CLIMA VII'06 Proceedings of the 7th international conference on Computational logic in multi-agent systems
Where can an insider attack?

FAST'06 Proceedings of the 4th international conference on Formal aspects in security and trust
Effectiveness of Physical, Social and Digital Mechanisms against Laptop Theft in Open Organizations

GREENCOM-CPSCOM '10 Proceedings of the 2010 IEEE/ACM Int'l Conference on Green Computing and Communications & Int'l Conference on Cyber, Physical and Social Computing
Foundations of attack trees

ICISC'05 Proceedings of the 8th international conference on Information Security and Cryptology
Security and management policy specification

IEEE Network: The Magazine of Global Internetworking

Quantified Score

Hi-index	0.00

Visualization

Abstract

Security policies in organisations typically take the form of obligations for the employees. However, it is often unclear what the purpose of such obligations is, and how these can be integrated in the operational processes of the organisation. This can result in policies that may be either too strong or too weak, leading to unnecessary productivity loss, or the possibility of becoming victim to attacks that exploit the weaknesses, respectively. In this paper, we propose a framework in which the security obligations of employees are linked directly to prohibitions that prevent external agents (attackers) from reaching their goals. We use graph-based and logic-based approaches to formalise and reason about such policies, and show how the framework can be used to verify correctness of the associated refinements. The framework can assist organisations in aligning security policies with their threat model.