Alignment of organizational security policies : theory and practice


Dimkov, Trajce (2012) Alignment of organizational security policies : theory and practice. thesis.

open access
Abstract: To address information security threats, an organization defines security policies that state how to deal with sensitive information. These policies are high-level policies that apply to the whole organization and span the three security domains: physical, digital and social. One example of a high-level policy is: "The sales data should never leave the organization." The high-level policies are refined by the Human Resources (HR), Physical Security and IT departments into implementable, low-level policies, which are enforced via physical and digital security mechanisms and training of the employees. One example of a low-level policy is: "There should be a firewall on every external-facing system."
The erroneous refinement of a high-level policy into a low-level policy can introduce design weaknesses in the security posture of the organization. For example, although there is a low-level policy that places firewalls on every external-facing system, an adversary may still obtain the sales data by copying it onto a USB stick. In addition, the erroneous enforcement of a low-level policy using specific security mechanisms may introduce implementation flaws. For example, although there might be a firewall on every external-facing system, the firewall might not be configured correctly. The organization needs assurance that these errors are discovered and mitigated.
In this thesis we provide methods for testing whether (a) the high-level policies are correctly refined into low-level policies that span the physical, digital and social domains, and (b) the low-level policies are correctly enforced by specific mechanisms. Our contributions can be summarized as follows:
1. We propose a formal framework, Portunes, which addresses the correct refinement of high-level policies by generating attack scenarios that violate a high-level policy without violating any low-level policies. Portunes binds the three security domains in a single formalism and enables the analysis of policies that span the three domains. We provide a proof-of-concept implementation of Portunes in a tool and polynomial-time algorithms to generate the attack scenarios.
2. We propose a modal logic for defining more expressive high-level policies. We use the logic to express properties of Portunes models and model evolutions formally. We provide a proof-of-concept implementation of the logic in the Portunes tool.
3. We propose two methodologies for physical penetration testing using social engineering to address the correct enforcement of low-level policies. Both methodologies are designed to reduce the impact of the test on the employees and on the personal relations between the employees. The methodologies result in a more ethical assessment of the implementation of security mechanisms in the physical and social domain.
4. We provide an assessment of the commonly used security mechanisms in reducing laptop theft. We evaluate the effectiveness of existing physical and social security mechanisms for protecting laptops based on (1) logs from security guards regarding laptop thefts that occurred in a period of two years in two universities in the Netherlands, and (2) the results from more than 30 simulated thefts using the methodologies in contribution 3. The results of the assessment can aid in reducing laptop theft in organizations.
5. We propose a practical assignment for an information security master course in which students get practical insight into attacks that use physical, digital and social means. The assignment is based on the penetration testing methodologies from contribution 3. The goal of the assignment is to give a broad overview of security to the students and to increase their interest in the field. Besides educational purposes, the assignment can be used to increase the security awareness of the employees and provide material for future security awareness trainings.
Using these contributions, security professionals can better assess and improve the security landscape of an organization.
Item Type: Thesis
Additional information: IPA Dissertation Series no. 2012-04
Electrical Engineering, Mathematics and Computer Science (EEMCS)

Metis ID: 286279