

Procedural Security Analysis

Procedures in an election system are best practices mandated by law at the local (e.g. provincial) or national level. These practices are intended to ensure that elections are carried out correctly and securely. From a practical point of view, procedures are often as important as the technical security features of the systems used in elections, since procedures define how critical assets are to be managed, elaborated, and transformed.

During elections, incorrect or malicious ``deviations'' from the procedures defined by the law may result in violations of fundamental rights of citizens (e.g. secrecy of the vote) or even in threats to the integrity of electoral data and of the election results. Lawmakers, therefore, need to carefully consider and analyze what happens when a procedure is not followed as prescribed, and have to define mechanisms to ensure that violations can be detected.

We are interested in providing methodologies and tools to help assess the security of procedures and the effects of deviations from the ``nominal'' behaviors, with the goal of highlighting security vulnerabilities. Procedural security, therefore, deals with the identification, modeling, establishment, and enforcement of security policies about the procedures that regulate the usage of a system and system processes. A breach of security objectives during the execution of the procedures is known as a threat to the procedures (or a procedural threat). We call procedural security analysis the process of understanding the impact and effects of procedural threats, namely courses of action that can take place during the execution of the procedures and that are meant to alter, in an unlawful way, the assets manipulated by the procedures.

Figure 1: Procedural Security Analysis. [image: attack-points]

The situation is depicted in Figure 1. Our target of evaluation is a (complex) organizational setting in which procedures transform and elaborate assets, which are not necessarily digital (e.g. a printed ballot). The procedures are meant to add value to the assets and to protect them from attacks, which can come either from external sources or from insiders. In particular, we distinguish the following kinds of attacks:

  1. Attacks on digital assets (items 1 and 3 in Figure 1). These attacks are meant to alter one or more of the digital assets of an organization. They can be carried out either from external sources (the environment) or from internal sources. Opportunities for such attacks are determined both by the organizational setting and by the security provided by the digital systems.

  2. Attacks on other kinds of assets (items 2 and 4 in Figure 1). These attacks are meant to alter one or more of the non-digital assets of an organization. They can be carried out from external sources (the environment), from internal sources, or from a combination of both, forming coordinated attacks. Opportunities for such attacks are determined by the organizational setting only.
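The distinction above can be made concrete with a small model of a procedure as a sequence of steps, each handling some assets (digital or not) and exposing them to some actors (insiders or outsiders). The following Python is an added illustration written for this page; it is not the tool-supported methodology the paper proposes, and the election procedure, assets, and actors in it are constructed. It applies the two rules stated in the list: a digital asset is exposed only where neither the organizational setting nor the digital controls (modeled here as a per-step set of attacker sources the controls keep out) block the actor, while a non-digital asset is exposed to every actor who can reach it during the step. It also flags the coordinated case, where a non-digital asset is reachable by an insider and an outsider in the same step.

```python
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    DIGITAL = "digital"
    PHYSICAL = "non-digital"


class Source(Enum):
    INTERNAL = "insider"
    EXTERNAL = "external"


@dataclass(frozen=True)
class Asset:
    name: str
    kind: Kind


@dataclass(frozen=True)
class Actor:
    name: str
    source: Source


@dataclass(frozen=True)
class Step:
    """One procedural step: the assets it handles, the actors who can reach
    them while it runs, and the attacker sources that the step's *digital*
    controls (signatures, access control, ...) keep away from digital assets.
    Non-digital assets get no such protection: only the organizational
    setting (who is present) limits access to them."""
    name: str
    assets: tuple
    actors: tuple
    digital_protection: frozenset = frozenset()


@dataclass(frozen=True)
class AttackPoint:
    step: str
    asset: str
    actor: str
    kind: Kind
    source: Source


def attack_points(procedure):
    """Enumerate (step, asset, actor) triples where an actor could alter an asset."""
    points = []
    for step in procedure:
        for asset in step.assets:
            for actor in step.actors:
                if asset.kind is Kind.DIGITAL and actor.source in step.digital_protection:
                    continue  # the digital control closes this opportunity
                points.append(AttackPoint(step.name, asset.name, actor.name,
                                          asset.kind, actor.source))
    return points


def summarize(points):
    """Count opportunities per (asset kind, attacker source) class."""
    return Counter((p.kind.value, p.source.value) for p in points)


def coordinated_opportunities(procedure):
    """Steps where a non-digital asset is reachable by both an insider and an outsider."""
    found = []
    for step in procedure:
        if {a.source for a in step.actors} == {Source.INTERNAL, Source.EXTERNAL}:
            found.extend((step.name, a.name) for a in step.assets if a.kind is Kind.PHYSICAL)
    return found


# Constructed example procedure (hypothetical assets, actors and steps).
BALLOT_DEF = Asset("ballot definition file", Kind.DIGITAL)
PAPER_BALLOTS = Asset("printed ballots", Kind.PHYSICAL)
MEMORY_CARD = Asset("results memory card", Kind.DIGITAL)
TALLY_SHEET = Asset("signed tally sheet", Kind.PHYSICAL)

VENDOR = Actor("voting-system vendor technician", Source.EXTERNAL)
PRINTER = Actor("printing contractor", Source.EXTERNAL)
COURIER = Actor("transport courier", Source.EXTERNAL)
CLERK = Actor("election office clerk", Source.INTERNAL)
POLL_WORKER = Actor("poll worker", Source.INTERNAL)

ELECTION_PROCEDURE = (
    # ballot definition is signed by the office: outsiders cannot alter it undetected
    Step("prepare ballot definition", (BALLOT_DEF,), (VENDOR, CLERK),
         digital_protection=frozenset({Source.EXTERNAL})),
    Step("print ballots", (PAPER_BALLOTS,), (PRINTER, CLERK)),
    # unsealed transport: no digital control on the card, nobody else present
    Step("transport to polling place", (PAPER_BALLOTS, MEMORY_CARD), (COURIER,)),
    Step("close polls and tally", (MEMORY_CARD, TALLY_SHEET), (POLL_WORKER,),
         digital_protection=frozenset({Source.EXTERNAL})),
)

if __name__ == "__main__":
    for p in attack_points(ELECTION_PROCEDURE):
        print(f"{p.step:28s} {p.asset:24s} {p.actor:34s} {p.kind.value}/{p.source.value}")
    print(summarize(attack_points(ELECTION_PROCEDURE)))
    print("coordinated:", coordinated_opportunities(ELECTION_PROCEDURE))
```

Running the module lists every opportunity, then the per-class counts, which is the shape of output one wants from the analysis: the digital/insider and non-digital/any entries survive even when the digital controls are sound, because only the organizational setting (who is in the room with the ballots, who carries the card) decides those.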

Security assessments (like [8,10]) usually focus on understanding items 1 and 3, namely the types and effects of attacks on (software) systems. In the next section we propose a tool-supported methodology that also tackles items 2 and 4 above, namely the types and effects of attacks on assets that are not (necessarily) digital and that derive from the way in which procedures are implemented and carried out.

komminist 2008-06-30