Modelling human threats in security ceremonies1

Socio-Technical Systems (STSs) combine the operations of technical systems with choices and intervention humans, namely users systems. Designing such is far from trivial due to interaction heterogeneous components, including hardware components software applications, physical elements as tickets, user interfaces, touchscreens displays, notably, humans. While possible security issues about are well known yet continuously investigated, focus this article on various levels threat that human actors may pose, namely, ceremonies. The approach formally model threats systematically verify whether they can break properties a few running examples: two currently deployed Deposit-Return (DRSs) variant we designed strengthen them. real-world DRSs found support differently, some relevant fail, our verified meet all properties. Our distributed interacting: it formalises humans potential threatening because execute rules encode specific in addition being honest, is, follow prescribed system; additionally, exchange information or objects directly, hence practically favour each other although no form collusion prescribed. We start by introducing four different models, succumb against strongest model, four. question then arises what meaningful combinations would not This leads definition lattice models general methodology traverse verifying node executed example for sake demonstration. thus modular extensible include additional threats, potentially even borrowed existing works, and, consequently, growth corresponding lattice. STSs easily become very complex, deem modularity extensibility key factors. current computer-assisted tool put test but proves be sufficient.