EEMCS EPrints Service (University of Twente)

25052 Effectiveness of qualitative and quantitative security obligations

Pieters, W. and Padget, J. and Dechesne, F. and Dignum, V. and Aldewereld, H. (2015) Effectiveness of qualitative and quantitative security obligations. Journal of Information Security and Applications, 22. pp. 3-16. ISSN 2214-2126

Full text available as: PDF (2298 Kb), University of Twente only

Official URL: http://dx.doi.org/10.1016/j.jisa.2014.07.003


Abstract

Security policies in organisations typically take the form of obligations for the employees. However, it is often unclear what the purpose of such obligations is, and how they can be integrated in the operational processes of the organisation. This can result in policies that are either too strong or too weak, leading respectively to unnecessary productivity loss or to the organisation falling victim to attacks that exploit the weaknesses. In this paper, we propose a framework in which the security obligations of employees are linked directly to prohibitions that prevent external agents (attackers) from reaching their goals. We use logic-based and graph-based approaches to formalise and reason about such policies, and show how the framework can be used to verify the correctness of the associated refinements. Finally, we extend the graph-based model with quantitative policies and associated quantitative analysis, based on the time an adversary needs for an attack. The framework can assist organisations in aligning security policies with their threat model.
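The abstract's two checks (qualitative: do the employees' obligations actually enforce the prohibitions placed on the attacker; quantitative: how long does the attacker's best remaining path take) can be illustrated on a small attack graph. The following is an added example written for this page, not code from the paper or the TREsPASS project, and it does not reproduce the paper's logic or graph formalism: the attack graph, the step names, the obligation-to-prohibition mapping and the time budget are all constructed for illustration.

```python
import heapq

# Constructed attack graph (not from the paper): node -> list of
# (next_node, attacker_step, minutes the adversary needs for the step).
ATTACK_GRAPH = {
    "outside": [("lobby", "tailgate", 5), ("lobby", "badge_clone", 120)],
    "lobby": [("server_room", "door_left_open", 1), ("server_room", "pick_lock", 60)],
    "server_room": [("data", "usb_exfil", 10)],
    "data": [],
}

# Constructed employee obligations: each, when fulfilled, makes a set of
# attacker steps impossible, i.e. it enforces those prohibitions.
OBLIGATIONS = {
    "close_server_room_door": {"door_left_open"},
    "challenge_unbadged_visitors": {"tailgate"},
}


def enforced_prohibitions(obligations, fulfilled):
    """Attacker steps that are blocked when the named obligations are fulfilled."""
    blocked = set()
    for name in fulfilled:
        blocked |= obligations[name]
    return blocked


def min_attack_time(graph, start, goal, blocked=frozenset()):
    """Dijkstra over the attack graph, skipping blocked steps.

    Returns the minimum time the adversary needs to reach `goal`,
    or None when no unblocked path exists.
    """
    dist = {start: 0}
    heap = [(0, start)]
    while heap:
        t, node = heapq.heappop(heap)
        if node == goal:
            return t
        if t > dist.get(node, float("inf")):
            continue  # stale queue entry
        for nxt, step, cost in graph.get(node, []):
            if step in blocked:
                continue
            nt = t + cost
            if nt < dist.get(nxt, float("inf")):
                dist[nxt] = nt
                heapq.heappush(heap, (nt, nxt))
    return None


def refinement_is_correct(obligations, prohibitions):
    """Qualitative check of the obligation refinement.

    The policy is too weak if some prohibited step is enforced by no
    obligation, and carries needless productivity cost if some obligation
    enforces no prohibited step. Returns (ok, missing, useless).
    """
    covered = set().union(*obligations.values())
    missing = set(prohibitions) - covered
    useless = {n for n, s in obligations.items() if not (s & set(prohibitions))}
    return (not missing and not useless), missing, useless


def policy_verdict(graph, obligations, fulfilled, goal="data", budget=60):
    """Quantitative check: is the attacker's fastest remaining path within budget?

    `budget` (minutes) is a constructed threshold for this example, e.g. the
    time after which the organisation assumes the intrusion is detected.
    """
    blocked = enforced_prohibitions(obligations, fulfilled)
    t = min_attack_time(graph, "outside", goal, blocked)
    if t is None:
        return "blocked"
    return "too weak" if t <= budget else "adequate"


if __name__ == "__main__":
    print("no obligations fulfilled:", policy_verdict(ATTACK_GRAPH, OBLIGATIONS, set()))
    print("door closed:", policy_verdict(ATTACK_GRAPH, OBLIGATIONS, {"close_server_room_door"}))
    print("refinement vs prohibitions {tailgate, door_left_open, usb_exfil}:",
          refinement_is_correct(OBLIGATIONS, {"tailgate", "door_left_open", "usb_exfil"}))
```

The two checks answer different questions: `refinement_is_correct` says whether the obligations, if everyone complies, enforce exactly the intended prohibitions, while `policy_verdict` says what an attacker can still do given which obligations are actually fulfilled in practice. Here, with the door obligation alone the fastest attack rises from 16 to 75 minutes, and a prohibition on `usb_exfil` that no obligation enforces is flagged as missing.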

Item Type: Article
Research Group: EWI-SCS: Services, Cyber security and Safety
Research Program: CTIT-General
Research Project: TREsPASS: Technology-supported Risk Estimation By Predictive Assessment Of Socio-technical Security
Additional Information: Foreground = 50%; Type of activity = publication; Main leader = TUD; Type of audience = scientific community; Size of audience = n.a.; Countries addressed = international
Uncontrolled Keywords: Graphs, Logics, Obligations, Prohibitions, Refinement, Security policies
ID Code: 25052
Status: Published
Deposited On: 12 September 2014
Refereed: Yes
International: Yes