A flexible method for information system security policy specification

  • Rodolphe Ortalo
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1485)


This paper presents a method for the specification of the security of information systems. The proposed approach provides a flexible and expressive specification method, corresponding to the specific needs of organizations. First, we outline the overall guidelines of the security policy definition process, and the different consistency issues associated with the description of the security requirements of an organization's information system. The specification language used is based on a convenient extension of deontic logic. The formalism and its extensions are defined briefly. To illustrate the use of this formalism, the paper presents how the method applies to the description of the security requirements of a real organization: a medium-size bank agency.


security policy specification information systems deontic logic 





Copyright information

© Springer-Verlag Berlin Heidelberg 1998

Authors and Affiliations

  • Rodolphe Ortalo (1)
  1. LAAS-CNRS, Toulouse cedex 4, France
