Security implications of structure

Computer security is an important issue in determining the dependability of computer systems. It becomes even more crucial when we talk about computer-based systems (CBS), where we take into consideration the roles played by the human actors (or human components) involved in the system.

In this chapter, we begin to explore the security of complex CBS (sometimes called socio-technical systems). We do this by putting forward a common structuring abstraction for technical systems (that of component-based systems), then extending this abstraction to computer-based systems, in order to take into account the socio-technical structure of the system.

Section 2 introduces some basic notions of computer security largely developed within the technical domain, and in Section 2.2 we look at a well known model of how these systems are protected (the Swiss Cheese model [9]). In Section 3 we consider more closely the component-based architecture, and consider how well this architectural model copes with introducing people as components. The security implications of this architectural model are presented in Section 3.3, together with a new diagrammatic representation of the model, and an attempt to adapt Reason’s Swiss Cheese model to socio-technical systems. A short discussion of socio-technical security policies is presented in Section 4, and we conclude in Section 5.