EEMCS EPrints Service
Pieters, W. (2011) Representing humans in system security models: An actor-network approach. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications, 2 (1). pp. 75-92. ISSN 2093-5374
This is the latest version of this eprint.
Official URL: http://isyou.info/jowua/papers/jowua-v2n1-5.pdf
System models to assess the vulnerability of information systems to security threats typically represent a physical infrastructure (buildings) and a digital infrastructure (computers and networks), in combination with an attacker traversing the system while acquiring credentials. Other humans are generally not included, as their behaviour is considered more difficult to express. We propose a graph-based reference model for reasoning about access in system models including human actions, inspired by the sociological actor-network theory, treating humans and non-humans symmetrically. This means that humans can employ things to gain access (an attacker gains access to a room by means of a key), but things can also employ humans to gain access (a USB stick gains access to a computer by means of an employee), leading to a simple but expressive model. The model has the additional advantage that it is not based on containment, an increasingly problematic notion in the age of disappearing boundaries between systems. Based on the reference model, we discuss algorithms for finding attacks, as well as examples. The reference model can serve as a starting point for discussing representations of human behaviour in system models, and for including human behaviour in other than graph-based approaches.