Information Systems Security: Specification and Quantitative Evaluation

This paper presents a method for the specification and evaluation of the security of information systems. This method is based on an extension of deontic logic, a formal language adapted for this task. First, we outline briefly the overall guidelines of the method and the various aspects of the security policy specification process. Then, the formalism is defined and extensions are proposed. To illustrate the use of this formalism, the paper presents how this method is applied to specify the security requirements of a real organization: a medium-size bank agency. In a second step, the paper focuses on the connection that can be established between this representation of the security needs of an organization and a methodology of quantitative evaluation of the operational security of the organization based on the privilege graph model. To illustrate the interest of these security measures, the security policy example introduced previously is used as a basis for applying the evaluation methodology taking into account some vulnerabilities of the bank agency.