Alignment of Organizational Security Policies: Theory and Practice

Trajce Dimkov

Promotor: Prof.dr. P.H. Hartel (UT)
Universiteit Twente
Date: 23 February, 2012


To provide confidentiality, integrity and availability of their sensitive information, organizations use physical mechanisms, such as locks and video cameras; digital mechanisms, such as encryption and hashing; and social mechanisms, such as chains of trust and delegation. These three types of mechanisms form three separate security domains, and each domain requires a different type of expertise.

To address the threats to their information, organizations provide general, organizational security policies that state how the organization should treat its sensitive information. These are high-level policies and hold for the whole organization. However, these policies are too general to be enforced directly in all the divisions, businesses and geographic regions in which the organization is present. Therefore, the high-level policies are distilled into low-level policies, which provide enforceable information and are specific to each section of the organization.

As a result, the alignment of the high-level policies over the three security domains, their translation to low-level policies and finally their enforcement onto security mechanisms may introduce gaps in security.

In this thesis we focus on the alignment of organizational security policies between the physical, digital and social domains, and on testing the enforcement of policies in specific mechanisms.

  1. We propose a formal framework, Portunes, that binds the three security domains in a single formalism and that enables the analysis of policies that span the three domains. We provide a proof of concept implementation of Portunes in a tool and polynomial time algorithms that produce possible behaviors for a given Portunes model.
  2. We propose a modal logic for defining high-level policies. We use the logic to describe high-level policies and to express properties of Portunes models and model evolutions formally. We provide a proof of concept implementation of the logic in the Portunes tool.
  3. We propose two methodologies for physical penetration testing using social engineering. Both methodologies are designed to reduce the impact of the test on the employees and the relationship between the employees.
  4. We provide an assessment of the commonly used security mechanisms in reducing laptop theft. We evaluated the effectiveness of existing physical and social security mechanisms for protecting laptops based on (1) logs of laptop thefts which occurred over a period of two years in two universities in the Netherlands, and (2) the results from more than 30 penetration tests we orchestrated over the last three years, where students tried to gain possession of marked laptops in the same universities.
  5. We propose an assignment for increasing the security awareness of employees and future security professionals. We designed the practical assignment of an information security master course where students get practical insight into attacks that use physical, digital and social means. The goal of the security course is to give a broad overview of security to the students and to increase their interest in the field.