Abstract
A crucial question for an ICT organization wishing to improve its security is whether a security policy together with physical access controls protects from socio-technical threats. We study this question formally. We model the information flow defined by what the organization’s employees do (copy, move, and destroy information) and propose an algorithm that enforces a policy on the model, before checking against an adversary if a security requirement holds.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Cremers, C., Mauw, S.: Operational Semantics and Verification of Security Protocols. Information Security and Cryptography. Springer, Heidelberg (2012)
Baxter, G., Sommerville, I.: Socio-technical systems: from design methods to systems engineering. Interact. Comput. 23(1), 4–17 (2011)
De Nicola, R., Ferrari, G.L., Pugliese, R.: KLAIM: a kernel language for agents interaction and mobility. IEEE Trans. Softw. Eng. 24(5), 315–330 (1998)
Meadows, C., Pavlovic, D.: Formalizing physical security procedures. In: Jøsang, A., Samarati, P., Petrocchi, M. (eds.) STM 2012. LNCS, vol. 7783, pp. 193–208. Springer, Heidelberg (2013). doi:10.1007/978-3-642-38004-4_13
Sommestad, T., Ekstedt, M., Holm, H.: The cyber security modeling language: a tool for assessing the vulnerability of enterprise system architectures. IEEE Syst. J. 7(3), 363–373 (2013)
Lenzini, G., Mauw, S., Ouchani, S.: Security analysis of socio-technical physical systems. Comput. Electr. Eng. 47(C), 258–274 (2015)
Dimkov, T., Pieters, W., Hartel, P.: Portunes: representing attack scenarios spanning through the physical, digital and social domain. In: Armando, A., Lowe, G. (eds.) ARSPA-WITS 2010. LNCS, vol. 6186, pp. 112–129. Springer, Heidelberg (2010). doi:10.1007/978-3-642-16074-5_9
Fong, P.W.L.: Relationship-based access control: protection model and policy language. In: The First ACM Conference on Data and Application Security and Privacy, CODASPY 2011, pp. 191–202 (2011)
Jaume, M.: Semantic comparison of security policies: from access control policies to flow properties. In: IEEE Symposium on Security and Privacy, pp. 60–67 (2012)
Ranise, S., Traverso, R.: ALPS: an action language for policy specification and automated safety analysis. In: Mauw, S., Jensen, C.D. (eds.) STM 2014. LNCS, vol. 8743, pp. 146–161. Springer, Heidelberg (2014)
Tschantz, M.C., Datta, A., Wing, J.M.: Formalizing and enforcing purpose restrictions in privacy policies. In: IEEE Symposium on Security and Privacy, pp. 176–190 (2012)
Hartel, P., Eck, P., Etalle, S., Wieringa, R.: Modelling mobility aspects of security policies. In: Barthe, G., Burdy, L., Huisman, M., Lanet, J.-L., Muntean, T. (eds.) CASSIS 2004. LNCS, vol. 3362, pp. 172–191. Springer, Heidelberg (2005). doi:10.1007/978-3-540-30569-9_9
Ch, B., Katoen, J.-P.: Principles of Model Checking. MIT Press, Cambridge (2008)
Acknowledgments
The research leading to the results presented in this work received funding from the Fonds National de la Recherche Luxembourg, project “Socio-Technical Analysis of Security and Trust”, C11/IS/1183245, STAST, and the “European Commissions Seventh Framework Programme”, FP7/2007-2013, TREsPASS.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing AG
About this paper
Cite this paper
Lenzini, G., Mauw, S., Ouchani, S. (2016). Analysing the Efficacy of Security Policies in Cyber-Physical Socio-Technical Systems. In: Barthe, G., Markatos, E., Samarati, P. (eds) Security and Trust Management. STM 2016. Lecture Notes in Computer Science(), vol 9871. Springer, Cham. https://doi.org/10.1007/978-3-319-46598-2_12
Download citation
DOI: https://doi.org/10.1007/978-3-319-46598-2_12
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-46597-5
Online ISBN: 978-3-319-46598-2
eBook Packages: Computer ScienceComputer Science (R0)