A Framework for Modelling Security Architectures in Services Ecosystems

  • Matthew Collinson
  • David Pym
  • Barry Taylor
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7592)


We develop a compositional framework for modelling security and business architectures based on rigorous underlying mathematical systems modelling technology. We explain the basic architectural model, which strictly separates declarative specification from operational implementation, and show architectures can interact by composition, substitution, and stacking. We illustrate these constructions using a running example based on airport security and an example based on (cloud-based) outsourcing, indicating how our approach can illustrate how security controls can fail or be circumvented in these cases. We explain our motivations from mathematical modelling and security economics, and conclude by indicating how to aim to develop a decision-support technology.


Services Security and Privacy Systems Modelling Architectural Models for Cloud Computing Economics Models and Services Composition of Services Service Modelling Service-oriented Analysis and Design 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Beautement, A., Pym, D.: Structured systems economics for security management. In: Moore, T. (ed.) Proc. WEIS 2010, Harvard (2010),
  2. 2.
    Coulouris, G., Dollimore, J., Kindberg, T.: Distributed Systems: Concepts and Design, 3rd edn. Addison Wesley (2000)Google Scholar
  3. 3.
    Collinson, M., Monahan, B., Pym, D.: A Discipline of Mathematical Systems Modelling. College Publications (2012)Google Scholar
  4. 4.
    Collinson, M., Monahan, B., Pym, D.: Semantics for structured systems modelling and simulation. In: Proc. Simutools 2010. ACM Digital Library (2010) ISBN 78-963-9799-87-5Google Scholar
  5. 5.
    Collinson, M., Monahan, B., Pym, D.: A logical and computational theory of located resource. Journal of Logic and Computation 19(b), 1207–1244 (2009)MathSciNetCrossRefMATHGoogle Scholar
  6. 6.
    Collinson, M., Pym, D.: Algebra and logic for resource-based systems modelling. Mathematical Structures in Computer Science 19, 959–1027 (2009), doi:10.1017/S0960129509990077MathSciNetCrossRefMATHGoogle Scholar
  7. 7.
  8. 8.
    Ioannidis, C., Pym, D., Williams, J.: Investments and Trade-offs in the Economics of Information Security. In: Dingledine, R., Golle, P. (eds.) FC 2009. LNCS, vol. 5628, pp. 148–166. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  9. 9.
    Ioannidis, C., Pym, D., Williams, J.: Information security trade-offs and optimal patching policies. European Journal of Operational Research 216(2), 434–444 (2012)CrossRefGoogle Scholar
  10. 10.
    Collinson, M., Pym, D.: Algebra and logic for access control [and erratum]. Formal Aspects of Computing 22(2, 3-4), 83–104 (2010)CrossRefMATHGoogle Scholar
  11. 11.
    Milner, R.: Calculi for synchrony and asynchrony. TCS 25(3), 267–310 (1983)MathSciNetCrossRefMATHGoogle Scholar
  12. 12.
    Beautement, A., Pym, D.: The structure and dynamics of systems security economics,
  13. 13.
    Parsons, T.: The Social System. Routledge (1951)Google Scholar
  14. 14.
    Merton, R.: Social Theory and Social Structure. Macmillan (1968)Google Scholar
  15. 15.
    Brown, L., Harding, A.: Social modelling and public policy: application of microsimulation modelling in Australia. Journal of Artificial Societies and Social Simulation 5(4) (2002)Google Scholar
  16. 16.
    Johnson, H., Johnson, P.: Task knowledge structures: Psychological basis and integration into system design. Acta Psychologica 78(1), 3–26 (1991)CrossRefGoogle Scholar
  17. 17.
    Souchon, N., Limbourg, Q., Vanderdonckt, J.: Task Modelling in Multiple Contexts of Use. In: Forbrig, P., Limbourg, Q., Urban, B., Vanderdonckt, J. (eds.) DSV-IS 2002. LNCS, vol. 2545, pp. 59–73. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  18. 18.
    Sterman, J.D.: Business Dynamics: Systems thinking and modeling for a complex world. McGraw Hill (2000)Google Scholar
  19. 19.
    Pidd, M.: Tools for Thinking: Modelling in Management Science. Wiley (2003)Google Scholar
  20. 20.
    Gonzalez, J., Sawicka, A.: A framework for human factors in information security. In: WSEAS International Conference on Information Security, Rio de Janeiro (2002)Google Scholar
  21. 21.
    Adams, A.L., Sasse, M.A.: Users are not the enemy: Why users compromise security mechanisms and how to take remedial measures. Comm. ACM 42(12), 40–46 (1999)CrossRefGoogle Scholar
  22. 22.
    Beautement, A., Sasse, M.: The compliance budget: The economics of user effort in information security. Computer Fraud & Security 10, 8–12 (2009)CrossRefGoogle Scholar
  23. 23.
    Beautement, A., Coles, R., Griffin, J., Ioannidis, C., Monahan, B., Pym, D., Sasse, A., Wonham, M.: Modelling the Hum. and Tech. Costs and Bens. of USB Memory Stick Sec. In: Johnson, M.E. (ed.) Managing Inf. Risk and the Econ. of Sec., pp. 141–163. Springer (2008)Google Scholar
  24. 24.
    Kabir, M., Han, J., Colman, A.: Modeling and coordinating social interactions in pervasive environments. In: Proc. 16th IEEE Int. Conf. on Eng. Complex Comp. Sys., pp. 243–252 (2011)Google Scholar
  25. 25.
    de Simone, R.: Higher-level synchronising devices in Meije-SCCS. TCS 37, 245–267 (1985)CrossRefMATHGoogle Scholar
  26. 26.
    Hoare, C.A.R.: Communicating Sequential Processes. Prentice-Hall International (1985)Google Scholar
  27. 27.
    Baldwin, A., Pym, D., Shiu, S.: Enterprise information risk management: Dealing with cloud computing. In: Pearson, S., Yee, G. (eds.) Privacy and Security for Cloud Computing: Selected Topics. Communications and Networks. Springer (2012)Google Scholar
  28. 28.
    Wolter, C., Menzel, M., Schaad, A., Miseldine, P., Meinel, C.: Model-driven business process security requirement specification. Journal of Systems Architecture 55(4), 211–223 (2009)CrossRefGoogle Scholar
  29. 29.
    Menzel, M., Thomas, I., Meinel, C.: Security requirements specification in service-oriented business process management. In: Proc. ARES 2009, pp. 41–48. IEEE (2009)Google Scholar
  30. 30.
    Blackwell, C.: A multi-layered security architecture for modelling complex systems. In: Proc. 4th Ann. Workshop on Cybersecurity and Information Intelligence Res. ACM (2008)Google Scholar
  31. 31.
    Beres, Y., Pym, D., Shiu, S.: Decision Support for Systems Security Investment. In: Proc. Business-driven IT Management (BDIM 2010). IEEE Xplore (2010)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Matthew Collinson
    • 1
  • David Pym
    • 1
  • Barry Taylor
    • 1
  1. 1.University of AberdeenScotland, U.K.

Personalised recommendations