Portunes: generating attack scenarios by finding inconsistencies between security policies in the physical, digital and social domain
نویسندگان
چکیده
The security goals of an organization are implemented through security policies, which concern physical security, digital security and security awareness. An insider is aware of these security policies, and might be able to thwart the security goals without violating any policies, by combining physical, digital and social means. This paper presents the Portunes model, a model for describing and analyzing attack scenarios across the three security areas. Portunes formally describes security alignment of an organization and finds attack scenarios by analyzing inconsistencies between policies from the different security areas. For this purpose, the paper defines a language in the tradition of the Klaim family of languages, and uses graph-based algorithms to find attack scenarios that can be described using the defined language.
منابع مشابه
Portunes: Representing Attack Scenarios Spanning through the Physical, Digital and Social Domain
The security goals of an organization are realized through security policies, which concern physical security, digital security and security awareness. An insider is aware of these security policies, and might be able to thwart the security goals by combining physical, digital and social means. A systematic analysis of such attacks requires the whole environment where the insider operates to be...
متن کاملAlignment of Organizational Security Policies Theory and Practice
To address information security threats, an organization defines security policies that state how to deal with sensitive information. These policies are high-level policies that apply for the whole organization and span the three security domains: physical, digital and social. One example of a high-level policy is: ”The sales data should never leave the organization.” The high-level policies ar...
متن کاملPortunes: analyzing multi-domain insider threats
The insider threat is an important problem in securing information systems. Skilful insiders use attack vectors that yield the greatest chance of success, and thus do not limit themselves to a restricted set of attacks. They may use access rights to the facility where the system of interest resides, as well as existing relationships with employees. To secure a system, security professionals sho...
متن کاملOn the computational complexity of finding a minimal basis for the guess and determine attack
Guess-and-determine attack is one of the general attacks on stream ciphers. It is a common cryptanalysis tool for evaluating security of stream ciphers. The effectiveness of this attack is based on the number of unknown bits which will be guessed by the attacker to break the cryptosystem. In this work, we present a relation between the minimum numbers of the guessed bits and uniquely restricted...
متن کاملGender Analysis of Social Security Policies in Post- Revolutionary Iran
Introduction: Due to the fact that gender is important as the most basic pillar of individuals ’identities in all social relations, it is helpful to identify current deficiencies in policymaking. Method: The method used is qualitative content analysis in the gender analysis approach. To this end, the documents and approvals of the main womenchr(chr(chr('39')39chr('39'))39chr(chr('39')39chr('3...
متن کامل