Analysing the Efficacy of Security Policies in Cyber-Physical Socio-Technical Systems

  • Gabriele Lenzini
  • Sjouke Mauw
  • Samir Ouchani
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9871)


A crucial question for an ICT organization wishing to improve its security is whether a security policy, together with physical access controls, protects against socio-technical threats. We study this question formally. We model the information flow defined by what the organization’s employees do (copy, move, and destroy information) and propose an algorithm that enforces a policy on the model, before checking whether a security requirement holds against an adversary.


Socio-Technical-Physical Systems Modelling security and policies 



The research leading to the results presented in this work received funding from the Fonds National de la Recherche Luxembourg, project “Socio-Technical Analysis of Security and Trust”, C11/IS/1183245, STAST, and the “European Commission’s Seventh Framework Programme”, FP7/2007-2013, TREsPASS.



Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  1. Interdisciplinary Centre for Security, Reliability and Trust, University of Luxembourg, Luxembourg, Luxembourg
  2. CSC/Interdisciplinary Centre for Security, Reliability and Trust, University of Luxembourg, Luxembourg, Luxembourg
