Alignment of Organizational Security Policies Theory and Practice

Author

  • Trajce Dimkov
Abstract

To address information security threats, an organization defines security policies that state how to deal with sensitive information. These policies are high-level policies that apply to the whole organization and span the three security domains: physical, digital and social. One example of a high-level policy is: "The sales data should never leave the organization." The high-level policies are refined by the Human Resources (HR), Physical Security and IT departments into implementable, low-level policies, which are enforced via physical and digital security mechanisms and training of the employees. One example of a low-level policy is: "There should be a firewall on every external-facing system." The erroneous refinement of a high-level policy into a low-level policy can introduce design weaknesses in the security posture of the organization. For example, although there is a low-level policy that places firewalls on every external-facing system, an adversary may still obtain the sales data by copying it onto a USB stick. In addition, the erroneous enforcement of a low-level policy using a specific security mechanism may introduce implementation flaws. For example, although there might be a firewall on every external-facing system, the firewall might not be configured correctly. The organization needs assurance that these errors are discovered and mitigated. In this thesis we provide methods for testing (a) whether the high-level policies are correctly refined into low-level policies that span the physical, digital and social domains, and (b) whether low-level policies are correctly enforced in specific mechanisms. Our contributions can be summarized as follows:

1. We propose a formal framework, Portunes, which addresses the correct refinement of high-level policies by generating attack scenarios that violate a high-level policy without violating any low-level policies. Portunes binds the three security domains in a single formalism and enables the analysis of policies that span the three domains. We provide a proof-of-concept implementation of Portunes in a tool and polynomial-time algorithms to generate the attack scenarios.
2. We propose a modal logic for defining more expressive high-level policies. We use the logic to express properties of Portunes models and model evolutions formally. We provide a proof-of-concept implementation of the logic in the Portunes tool.
3. We propose two methodologies for physical penetration testing using social engineering to address the correct enforcement of low-level policies. Both methodologies are designed to reduce the impact of the test on the employees and on the personal relations between the employees. The methodologies result in a more ethical assessment of the implementation of security mechanisms in the physical and social domains.
4. We provide an assessment of the commonly used security mechanisms in reducing laptop theft. We evaluate the effectiveness of existing physical and social security mechanisms for protecting laptops based on (1) logs from security guards regarding laptop thefts that occurred over a period of two years in two universities in the Netherlands, and (2) the results from more than 30 simulated thefts using the methodologies in contribution 3. The results of the assessment can aid in reducing laptop theft in organizations.
5. We propose a practical assignment for an information security master course in which students get practical insight into attacks that use physical, digital and social means. The assignment is based on the penetration testing methodologies from contribution 3. The goal of the assignment is to give the students a broad overview of security and to increase their interest in the field. Besides educational purposes, the assignment can be used to increase the security awareness of the employees and provide material for future security awareness trainings.

Using these contributions, security professionals can better assess and improve the security landscape of an organization.


Similar resources

Exploring the Type of Relationship between Information Security Management and Organizational Culture (Case Study in TAM Iran Khodro Co.)

A culture conducive to information security practice is extremely important for organizations since information has to be critical assets in modern enterprises. Thus for understanding and improving the organizational behavior with regard to information security, enterprises may look into organizational culture and examine how it affects the effectiveness of implementing ISM. This study aims ...


Developing a Model of Internal Organizational Factors Effective on Tacit Knowledge Management of Social Security Organization: Grounded Theory Approach

Introduction: The need to design and establish an integrated knowledge management system is one of the strategic issues of the social security organization. The present research was conducted with the aim of developing a model of Internal organizational factors effective on tacit knowledge management of social security organization with the Grounded Theory approach. Method: The current study i...


IT - Business Strategic Alignment and Organizational Agility: The Moderating Role of Environmental Uncertainty

This study investigates the effect of IT-business strategic alignment on organizational agility by considering the effects of IT flexibility and IT capability on strategic alignment. Also this study investigates the moderating role of environmental uncertainty on the relationship between strategic alignment and organizational agility. This research is an applied research based on purpose and de...


Information Security Policies Compliance: The Role of Organizational Punishment

It has been argued that organizational punishment serves as a deterrent to unwanted employee behavior but there is no clear consensus on the influence of punitive actions on employees’ behavior to comply with information security policies. This study proposes a model that explains the influence of organizational punishment on employees’ cognitive beliefs and their intention to comply with infor...


Developing a Model for the Alignment of HRM Strategies with Macro-level Strategies in the National Iranian Oil Company

The purpose of this study was to develop a model of alignment of HR strategies with macro-level strategies. The population of the research consisted of directors and human resources experts of the National Iranian Oil Company and its subsidiaries. The sample needed for qualitative interviews, to the extent of theoretical saturation, was collected through a targeted judgment sampling of 14 people. Data an...


Publication date: 2012