Title: Obligations to enforce prohibitions: On the adequacy of security policies

Author: Pieters, W.; Padget, J.; Dechesne, F.; Dignum, V.; Aldewereld, H.M.
Faculty: Technology, Policy and Management
Department: Engineering, Systems and Services
Date: 2013-11-26

Abstract: Security policies in organisations typically take the form of obligations for the employees. However, it is often unclear what the purpose of such obligations is, and how these can be integrated in the operational processes of the organisation. This can result in policies that may be either too strong or too weak, leading to unnecessary productivity loss, or the possibility of becoming victim to attacks that exploit the weaknesses, respectively. In this paper, we propose a framework in which the security obligations of employees are linked directly to prohibitions that prevent external agents (attackers) from reaching their goals. We use graph-based and logic-based approaches to formalise and reason about such policies, and show how the framework can be used to verify correctness of the associated refinements. The framework can assist organisations in aligning security policies with their threat model.

Subject: graphs; logics; obligations; prohibitions; refinement; security policies
To reference this document use: http://resolver.tudelft.nl/uuid:ac539eb7-7415-4670-bf53-7dad084363d3
DOI: https://doi.org/10.1145/2523514.2523526
Publisher: ACM
ISBN: 978-1-4503-2498-4
Source: SIN 2013: Proceedings of the 6th International Conference on Security of Information and Networks, Aksaray, Turkey, 26-28 November 2013
Part of collection: Institutional Repository
Document type: conference paper
Rights: (c) 2013 The Author(s)
Files: 303396.pdf (PDF, 1.44 MB)