2veniences[65].Forinstance,theemployeesofacompanycangivetheircredentia - PDF document

2veniences[65].Forinstance,theemployeesofacompanycangivetheircredentialstoconsultantsinordertoallowthemaccesstospecicapplications.Thisbehaviorisclearlyagainsttheaccesscontrolpolicyandevenincreasestherisksofsecuritybreaches,sincethesharingofcredentialsdoesnotmakeitpossibletotracetheaccesstotheuserswhoactuallyaccessedacertainapplication.Moreover,thisbehaviorcanleadtoseveralothersecurityproblems,suchasroleusurpation.Thus,theaspirationtomakethesystemmoresecureactuallymakesthesystemmoreinsecure.AsstatedbySinclairandSmith[70],securitytendstoignoresuch\real-worldsubtleties".Real-worldsubtletiesencompasssocialdimensionsofsocio-technicalsystems,suchastheusability[5]andconviviality[40]ofthesystem.Thesehumanfactorsshouldbetakenintoaccountfromtheearlyphasesofthedevelopmentofsocio-technicalsys-tems.Severallinesofresearch(e.g.,[2,11,32,33,38,61])haveexploredtheproblemofdesigningsocio-technicalsystemsaimingtoachievetrade-osbetweenusabilityandsecurity.However,thereareothersocialdimensionsofsocio-technicalsystemswhichmaycon ictwithsecurity.Inthispaper,westudythetrade-obetweensecurityandconviviality.ConvivialityisaconceptfromthesocialsciencesdenedbyIllichas\in-dividualfreedomrealizedinpersonalinterdependence"[40].Clearly,atensionexistsbetweenconvivialityandsecurity:toomuchsecuritythreatensconviviality,whilebeingconvivialisapotentialthreattocondentialityandprivacy.Suchtrade-o/potentialcon ictsshouldbeidentiedandmanagedassoonaspossible,atrequirementlevelandearlydesignstages.Producingasecuritypolicymodelthatisnon-con ictualwithconvivialityexpectationsisdesirable,sinceitencouragesactorstorespectthesecuritypolicybeingused.Theseinitialconsiderationsraisethemainresearchquestionaddressedinthispa-per:Howtomanagethetwodierentorthogonalconcernsofsecurityandconvivialityintheelaborationofsystemoperationalrequirementsanddesignmodels?Themaincontributionofthepaperisin(1)bridgingthegapbetweentwoconceptsthatarerarelybroughttogether,i.e.,securityandconviviality,whichareoftenconsid-eredoppositedomainsofSocialSciencesandInformatics,bydeningasocio-technicalmappingthatbridgesthegapbetweenconvivialityandaccesscontrol;(2)handlingaccesscontrolpolicyupdateonthebasisofconvivialityrecommendations.Thepaperstudieshowtoenableasymbioticelaborationofasecuritypolicyto-getherwithaconvivialitymodel,sothatthepotentialcon ictsbetweenthesetwoviewpointscanbedetectedandsolved.Startingfrominitialoperationalrequirements,theapproachmakesthetrade-oexplicit,andresultsinarepresentationofconvivial-ityconsistentwiththesecuritypolicy(thatcanbeupdatedduringtheprocess).Theapproachdoesnotintendtoweaveorcomposetheseviewpoints[58,56];rather,itpro-ducestwoconsistentmodels,oneforsecurityandoneforconviviality.Ontheonehand,thesecuritymodel,inthehandofsecurityocers,describesthesecuritypolicytobeenforced;ontheotherhand,theconvivialitymodel,inthehandofbusinessexperts,isaformaltoolforreasoningandimprovingthissocialdimensionofasystem.Torecombinethesetwoviewpoints,weproposetheDN-ACalignmentmethodologywhichallowsthespecicationofaccesscontrolpoliciescompatiblewithaconviviality-drivenspecicationofasystem.Increasingconvivialitywhilekeepingasystemsecureraisesthequestionofhowtoadaptanaccesscontrolpolicywhileincreasingtheconvivi-alityofthesystem.Thus,ourmainresearchquestionbreaksdownintothefollowingsubquestions:1.Howtomodelaccesscontrolpoliciestomakeexplicititsadaptableparts? 4 Fig.1DN-ACAlignmentMethodologytaskstoachievethosegoals,requiredresources,andthesecurityandfunctionaldepen-denciesamongthem.Therequirementsmodelisformallyanalyzedagainstanumberofsecuritypropertiestoverifywhetherrequirementshavebeenspeciedcorrectly.Ifthemodelsatisestheseproperties,itisusedtodeterminetheauthorizationruleswhicharenecessarytoprotectthesystem(leftsideofFigure1)andtoanalyzetheconvivialityofthesystem(rightsideofFigure1).Anaccesscontrolpolicyisasetofauthorizationrulesthatspecifytheconditionsunderwhichusersareauthorized/deniedtoaccesstheprotecteddataorresources.Positiveauthorizationrulesrefertopermissionstoaccessresources,whilenegativeau-thorizationrulesrefertoprohibitionstoaccessresources.Inthispaper,wedistinguishbetweennegotiableandnon-negotiableauthorizationrules.Non-negotiableauthoriza-tionrulescorrespondtohardrequirements,i.e.requirementsthatmustbefullledtoguaranteethesecurityofthesystemand,therefore,theycannotbemodied;ontheotherhand,negotiableauthorizationrulescorrespondtotheadaptablepartoftheaccesscontrolpolicyandcanbemodied,forinstance,toincreasetheconvivialityofthesystem.Forthespecicationoftheaccesscontrolpolicy,weuseamodel-drivenapproachbasedon[51].Inparticular,theaccesscontrolpolicyisderivedbyanalyzingthedutiesandresponsibilitiesassignedtostakeholdersandsystemactors.Inparallelandindependentlyfromthespecicationofaccesscontrolpolicy,de-pendencenetworksarecreatedfromtherequirementsmodelandusedtoreasonaboutthepotentialameliorationstoincreasetheglobalconvivialityofthesystem.Dier-enttechniquesforimprovingconvivialityhavebeenproposedintheliterature[9,15],forexamplebychangingtheagentswithinthesystem,bychangingthedependenciesamongthem,byintroducingorchangingnormativedependencies,andbychangingthecompositionofthecoalitions.Inthispaper,weincreasethenumberofcoalitionsbetweenagentsbyadding/removingdependenciesbetweenagents.Theanalysisofthedependencenetworkmaysuggestsomepotentialdependen-ciesbetweenagentstoincreasetheconvivialityofthesystem.Furthermore,feedbackgatheredfromusers,forexamplethroughcommentsordirectinput,maybeusedasadditionalinformationtorepresentusersdependenciesamongeachotherinthedepen-dencenetworks.Suchdependenciesmayalsoimpactresourcesharingbetweenagents,andthustheauthorizationrulesshouldbeupdatedaccordingly. 5 ID ScenarioTitle ScenarioDescription 1 Heart-attack1 HCSmonitorsapatientpronetoheartfailuresandprovideherwithsocialsupport 2 Loneliness HCSarrangesabirthdaypartyforalonelyseniorcitizen 3 Isolation Sendingreminderstofamilymemberstocalltheirelderlyrelativesduringoccasions 4 Finances Financialsupportfromthefamilyandlegalsupportfromanex-pert,arrangedbyHCS 5 Fever Apatientwithfeverdoesnotfeelhelpless,aftertalkingtohisdoctorandreceivingtherightmedication 6 Medication HCSmonitorspatienttotakehermedication,andtakeactionifshedoesnot 7 Weight Signicantweightgain,recognizedandsolvedbyHCS 8 Depression1 Depression,expressedthroughinactivity,issurpassedwiththehelpofWAS 9 Alzheimer AlzheimerpatientndshiswayhomethankstohisGPS/videocapture/HCS 10 Depression2 HCSrecordsloweractivitylevelandcontactsaneighbortovisitseniorcitizen 11 Alcoholism AlcoholismpreventedbytheHCSwiththehelpofthecommunity 12 Heart-attack2 HCScapturespatient'sheartattackdangerandinferstocontactfamilyforhelp Table1UseCaseScenariosThenalstepoftheprocessaimstoreconcilethesecurityandconvivialityview-pointsinordertogenerate\secureandconvivial"system.Thisstepinvolvesasocio-technicalmappingbetweentheaccesscontrolpolicyandthedependencenetwork(re-ferredtoasDN-ACmappinginFigure1).Themappingrelateseachgoalofthede-pendencenetworktothecorrespondingauthorizationrules.Iftheauthorizationrulesarenegotiable,theymaybechangedinordertoincreasethesystemconviviality;oth-erwise,iftheauthorizationrulesarenon-negotiable,thecorrespondingameliorationsarediscarded.Indeed,therevisedpolicyshouldnotviolatethesecurityrequirementsofthesystem.3UseCaseScenarioWehaveconsidered12usecasescenariosthathavebeenelaboratedandvalidatedtogetherwiththeHotCityAmbientAssistantLiving(AAL)ofLuxembourg.Thesce-nariosillustratehowaHomeCareSystem(HCS)couldimproveitsusers'qualityoflifeinavarietyofcasesandcoverdierentareasandproblemsrelatedtoAALlikehealthproblems(Heart-attack,Fever,Medication,Alzheimer),psychologicalorsocialproblems(Loneliness,Isolation,Depression,Alcoholism)andeconomicalproblems(Fi-nances).Acompletedescriptionandanalysisofthesescenarioscanbefoundin[71]wherethescenariosarerepresentedgraphicallyusingdependencenetworks(DN).Theaccesscontrolpoliciesthatcouldbeappliedtothesescenariostoguaranteethesecurityofthesystemarealsogivenin[71].ThesescenariosaresummarizedinTable1.Inthispaper,wehaveselectedthescenarioentitled`Heart-attack1'fromtheusecases(Table1)asourrunningexample:Ms.AnnetteBeckeriseighty-veyearsold.Sheispronetoheartfailures;hencethehospitalhasinstalledasmartHomeCareSystem(HCS)atherhouse.Suddenly,asshewalksoutofthekitchen,shestumbles,fallsdownandcannotgetup.Inrealtime, 7 Fig.2SI*ModeloftheHotCityAmbientAssistantLiving(AAL)scenariothisissue,wemodelexplicitnegativeauthorizationsasin[37].Anegativeauthorizationexpressesadenialforanactortoachieveagoaloraccessaresource.Asforpositiveauthorizations,wedistinguishthreetypesofdenial.Theirmeaningisdualtotheoneofpositiveauthorizations(thehierarchyoftypesofpermissionisalsoreversed).Denialofaccess/modify/manageisgraphicallyrepresentedbyanedgewithlabelDla,DlmdandDlma,respectively.Inourapproach,negativeauthorizationstakeprecedenceoverpositiveones,i.e.wheneverauserhasbothapositiveandanegativeauthorizationonthesamegoal/resource,theuserispreventedtoaccessit.Moreover,anactorcandenypermissiontoanotheractoronlyifhehasmanagepermission.Figure2presentstheSI*modelcorrespondingtotheAALscenariopresentedinSection3.Thescenarioinvolvesveactors:Patient,Hospital,HCS,Neighbor,andSocialSupport.ThePatienthastheintention(objective)tofulllgoalstayhealthyandisthelegitimateownerofherdata,whiletheHospitalhasthecapabilitytoachievegoalupdatepatientrecord.Goalscanproduceorconsumeresources.Forinstance,goalmaintainpatientrecordrequiresresourcepatientprole.ThePatientreliesontheHCStofulllgoalstayhealthy.Inturn,thisgoalisdecomposedintoupdatepatientprole,determineemergencylevel,andprovidemedicalsupport.Inordertoachievethesegoals, 9 PositiveAuthorizations 1 hPatient;manage;patientdata;permiti 2 hHospital;manage;patientprofile;permiti 3 hHospital;manage;patientdata;permiti 4 hHCS;manage;phonecommunicationsystem;permiti 5 hHCS;access;patientdata;permiti 6 hHCS;access;patientprofile;permiti 7 hSocialSupport;manage;socialsupportresources;permiti NegativeAuthorizations 8 hHospital;access;phonecommunicationsystem;denyi 9 hHCS;access;socialsupportresources;denyi 10 hSocialSupport;access;patientdata;denyi 11 hSocialSupport;access;patientprofile;denyi 12 hSocialSupport;access;phonecommunicationsystem;denyi 13 hNeighbor;access;patientdata;denyi 14 hNeighbor;access;patientprofile;denyi 15 hNeighbor;modify;socialsupportresources;denyi Table2NonNegotiableAuthorizationsfortheAALscenarionotspecied(e.g.,noauthorizationonthephonecommunicationsystemaredenedforthepatient).Indeed,unlikelyelicitedrequirementscoverallpossiblecases.Weassumethattheauthorizationdecisionforcaseswhereanauthorizationruleisnotdened,isdeny.Althoughthissolutionguaranteesthatthedeployedaccesscontrolmechanismcomplieswiththeleastprivilegeprinciple,ithasthesideeectthatsuchamechanismmaybetoorestrictive.Toaddressthisissue,wedistinguishbetweennegotiableandnon-negotiableautho-rizationrules.Non-negotiableauthorizationrulesrepresentrigidauthorizationsthatcannotbemodiedtoguaranteethesecurityofthesystem.Essentially,theyarestrictconstraintsimposedbytherequirementsand,therefore,theycannotberelaxed.Ac-cordingly,theauthorizationsinTable2whicharetranslatedfromrequirementsarenon-negotiable.Negotiableauthorizationrules,ontheotherhand,regulatesituationsforwhichaconstraintisnotexplicitlydenedbytherequirements.Theserulesarederivedfromconvivialityrecommendations(Section7).Intuitively,thedistinctionbe-tweennon-negotiableandnegotiableauthorizationrulesresemblesthedistinctionbe-tweenhardrequirements(i.e.,compulsoryrequirements)andsoftrequirements(i.e.,optionalrequirements)[41].Byintroducingnegotiableauthorizationrules,weaimtoincreasethe exibilityofthesystembyhighlightingtheadaptablepartoftheauthorizationpolicy,ratherthanintroducingotherdecisionstypes.Inotherwords,unlikeXACML[1]whichextendsbinarydecisionsPermitandDenywithNotApplicabledecisiontoindicatethatnopoliciesareapplicabletoagivenaccessrequest,weassumethatthedefaultaccessdecisionisdenyandprovidethe exibilitynecessarytodealwithrequirementsevolutionthroughnegotiableauthorizations.6ConvivialityModelConvivialityhasrecentlybeenintroducedintomulti-agentandambientintelligencesystems[18,21]tohighlightsoftqualitativerequirementsliketheuserfriendlinessofsystems.Theconceptofconviviality,originatedfromsocialscience,waspopularizedby 116.2DependenceNetworksWenowintroduceourdenitionofdependencenetworks.Notethatinourmodel,thedependenciesareamongtheagents,soifanagentadependsonadistinctagentbforanaction,aresourceoraplantoachieveitsgoalg,thedependencyofagentatowardsagentbwillbeong.Goalsareconsideredthereasonsforwhichthedependenciesarise.Abstractingawayfromtheactions,resourcesandplansoftheagents,wedeneadependencenetworkasfollows:Denition2AdependencenetworkisatuplehA;G;dep;iwhere:Aisasetofagents,Gisasetofgoals,dep:AA!2Gisafunctionthatrelateswitheachpairofagents,thesetsofgoalsonwhichtherstagentdependsonthesecond,and:A!2G2Gisforeachagentatotalpre-orderonsetsofgoalsoccurringinhisdependencies:G1(a)G2.Inourmodel,thedependenciesinthedependencenetworkcorrespondtothedel-egationsofexecutionintheSI*model,whichaccountforgoalrenementassomedelegatedgoalsaresubgoalsofotherdelegatedgoals.Returningtoourscenario,considerthedependencenetworkDN=hA;G;dep;icorrespondingtotheSI*modelintroducedinSection4:{AgentsA=fP;H;HCS;N;Sg,respectively:patient,hospital,HCS,neighbor,andsocialsupport;GoalsG=fg1;g2;g3;g4;g5;g6;g7g:{dep(P;HCS)=fg1g:agentPdependsonagentHCStoachievegoalsfg1g,stayhealthy;dep(HCS;H)=fg2g:agentHCSdependsonagentHtoachievegoalsfg2g,updatepatientprole;dep(H;HCS)=fg3g:agentHdependsonagentHCStoachievegoalsfg3g,getreal-timedata;dep(HCS;N)=fg4g:agentHCSdependsonagentNtoachievegoalsfg4g,providerstaid;dep(P;S)=fg5g:agentPdependsonagentStoachieveitsgoalsfg5g,providesocialsupport;dep(S;P)=fg6g:agentSdependsonagentPtoachieveitsgoalsfg6g,getpatientparticipation.{AgentPpreferstostayhealthythantogetsocialsupport:fg5g�(P)fg6gThegraphicalrepresentationofthedependencenetworkisillustratedinFigure3.Thegureshouldbereadasfollows:theveagentsarerepresentedbythenodesinthegraph,andthedependenciesamongthemareindicatedbylabeledarrows.Thelabelindicatesthegoalonwhichthedependencyisbased.Forexample,thepatientdependsonitsHomeCareSystemtostayhealthy.Insocio-technicalsystems,agentsareinvolvedwitheachotherandmaysupporteachothers'goalsifanagentisnotabletoachievethembyitself.Dependencenet-worksandcoalitionalgametheoriescanbeusedtodenepotentialreciprocity-basedcoalitions,whicharesetsofagentstogetherwithasubsetofthedependenciesfortheseagents,suchthateachagentcontributessomethingandreceivessomethingfromthecoalition.Basedon[9],wedeneacoalitionasfollows:Denition3LetAbeasetofagentsandGbeasetofgoals.AcoalitionfunctionisapartialfunctionC:A2A2GsuchthatfajC(a;B;G)g=fbjb2B;C(a;B;G)g, 13Ouraimistomaximizecooperationinthesystem.Thus,ourrequirementsare:R1maximizethesizeoftheagent'scoalitionsbyincreasingthenumberofagentsinvolvedinthecoalitions,R2maximizethenumberofthesecoalitions.Intuitively,thegoalishencenotonlytohaveasmanyagentstakingpartinthelargestcoalition(s),butalsohaveasmanycoalitionsamongtheparticipatingagents.Dependencecyclesinthenetworkindicatepotentialinteractionsandcoalitionsamongtheagents.Thus,weanalyzecyclesandtheircongurationsinthenetwork.ThedependencenetworkinFigure3containstwocycleswhichareindicativeoftwopotentialcoalitions,ontheonehandamongagentsHCSandH,andontheotherhandamongagentsPandS.Weindicatethetwopotentialcoalitionsasfollows:C1:f(H;HCS;g3);(HCS;H;g2)gandC2:f(P;S;g5);(S;P;g6)g,wherewewrite(a;b;g1)for(a;b;fg1g).NotethatagentNdoesnotdependonanyotheragent,whereasagentHCSdependsonagentNforgoalg4.Hence,agentNhasnoincentivetosatisfyagentHCS'sgoal,asitdoesnothaveanygoaltoreciprocate.Thisindicatesthattheremaybewaystoincreasetheconvivialityofthenetwork,forexamplebyincludingintoacoalitionagents,suchasagentN,whicharenotpartofthecoalition.6.3ConvivialityIncreaseAccordingtoBoellaetal.[9],coalitionsinadependencenetworkmaybechangedinthefollowingways:1)bychangingtheagents,e.g.,byenteringorleavingthesystem,2)bychangingthedependenciesamongtheagents,i.e.,byaddingordeletingdependenciesamongtheagents,3)byintroducingorchangingnormativedependencies,suchasobligationsandprohibitions,and4)bychangingthecompositionofthecoalitionswhiletheagentsanddependenciesremainthesame.Inthispaper,weassumethatthesetofagentswithinthedependencenetworkisgivenanditdoesnotchangeovertime.Similarly,wedonotconsiderchangesinthecompositionofthecoalitionswithinthenetworkduetointernalprocesses.Finally,wedonotintroducenormativedependenciesas,typically,policiesareconsideredasrulesandconstraintsthatmodelintendedbehaviors.Infact,theycontrastwithnormsconsideredasagreedpoliciesinthesensethattheyareagreedtobythemembersofacommunity.Convivialityforexample,isusuallyconsideredasasocialnorm.Normsapplytogroupsandregulatethebehavioroftheindividualsamongthemselves;theydierfrompolicies,suchasaccesscontrolpolicies,whichmayalsoapplytosingleindividuals.Forexample,privacypoliciesmayapplytoanindividualpatient,andmaillteringpoliciestoasingledoctor.Thus,amongtheapproachesmentionedin[9],weadoptthesecondapproach;accordingly,achangeinthenetworkisonlyduetothechangeofadependencybetweentwoagents.Werecallfromtheprevioussection,thetworequirementsforconviviality,i.e.,tomaximizethenumberofagentsinvolvedincoalitions(R1)andthenumberofcoalitions(R2).SatisfyingR1andR2willmaximizeconviviality.Considerthataneedforsocialinteractionsmaybeinferredfortheneighbor,ordirectlyexpressedbytheneighborthroughafeedbackloop.Suchanaspirationcouldbefullledbasedondistinctdependencies,i.e,agentN(i.e.,theneighbor)maydependonagentP(i.e.,thepatient),oronagentS(i.e.,SocialSupport)toachieveit.Asthe 15 Fig.4DynamicDependenceNetworkDDNwiththeaddedgoalg7,indashedlinerstlydenedbyEmerson[31],havebeendevelopedinthecontextofmulti-agentsys-temsbyConteandSichman[68].Sichman[67]presentscoalitionformationusingadependence-basedapproachwhereadependencesituationallowsanagenttoevaluatethesusceptibilityofotheragentstoadopthisgoals.Sauro[62,63]showshowtousedependencenetworkstodiscriminateamongdierentpotentialcoalitionsduringthecoalitionformationprocess.Heassumesthatacoalitioniseectivelyformedonlywhenallitsmembersagreeonitandtheycannotdeviatefromwhatwasestablishedintheagreement,oncetheydecidetoenterit.Bonzonetal.[10]usedependencenetworkstocomputepure-strategyNashequilibriuminasimplerway,withoutenumeratingallcombinationsofstrategies.Thenotionofdependencebetweenplayersandvariablesisusedtosplitupagameintoasetofinteractingsmallergames,whichcanbesolvedmoreorlessindependently.InSauroandVillata[64],abstractandreneddependencenetworksforcooperativebooleangamesareintroducedtoimprovethecomputationofthecore.KollerandMilch[43]introducearepresentationlanguageformulti-playergamescalledmulti-agentin uencediagrams.Itextendsthegraphicalmodelsdevelopedforprobabilitydistributionstoamulti-agentdecision-makingcontext.Likeindepen-dencenetworks,thesediagramsexplicitlyencodeastructureinvolvingthedependencyrelationshipsamongvariables.Manyexamplesofusingdependencenetworkscanbefoundinsoftwareengineer-ing.Forinstance,thei*modelinglanguage[73]andtheTropossoftwareengineeringmethodology[12]representthenetworkofdependencyrelationshipsamongtheactorstoanalyzetheorganizationalsettinginwhichthesystem-to-beoperates.Inparticular,theirnotationallowsthedescriptionofthestructuralaspectsoftheearlyrequirementsmodel,intermsofrelationshipsanddependenciesamongactors.Theseframeworkshavebeenextendedtodescribealsohowthenetworkofdependenciesevolvesovertimeandthecircumstancesunderwhichagivendependencyarisesandcanbespec-ied,aswellastheconditionsthatpermittoconsiderthedependencetobefullled[35,52].Oneofthemainadvantagesofdependencenetworksisthattheycanberewrittenaspowerstructures:a(social)dependencyofagentdonagentpforreasonecanbeconceptualizedasthe(social)powerofagentpoveragentdforthereasone.Moreover,thedistinctionbetweenreciprocalandmutualdependencies[69]involvesthedevel-opmentofasocialreasoningmechanismthatanalyzesthepossibilitiestodierentlyprotfromreciprocalthanfrommutualdependencies. 17 Fig.5DependenceNetworkandAccessControlOntologiesontology.Therefore,adaptinganaccesscontrolpolicyonthebasisofdependencyrela-tionsbetweenagentsrequiresclosingthesemanticgapbetweenthesetwoontologies.Intheremainderofthesection,wediscusshowtocreateamappingbetweendependencenetworkconceptsandaccesscontrolconceptstonarrowthesemanticgapbetweenthetwoparadigms.7.2MappingBetweenAccessControlPolicyandDependenceNetworksPotentialdependenciesarebuiltupontheachievementofaspecicgoalbetweenadependerandadependee.Tobeabletoanalyzetheimpactofsuchdependenciesontheexistingaccesscontrolpolicy,itisnecessarytodeterminewhichauthorizationrulesanagentneedsinordertocarryouttheassignedduties(i.e.,tofulllthedelegatedgoal).Tobridgethegapbetweendependencenetworksandaccesscontrol,weproposetomapeachgoalinthedependencenetworktothesetofactionsandresourcesthatarerequiredtofulllthegoal.Thismappingisillustratedbyasocio-technicalmappingmatrixdenedasfollows.Denition5Asocio-technicalmappingmatrixisanmmatrixwhererowsdenotepairs(resource;action),andcolumnsdenotegoals.Thesocio-technicalmappingmatrixshows,foreachgoalinthedependencenetwork,whichresourcesareneededfortheachievementofthegoaltogetherwiththeactions(i.e.,access,modifyandmanage)thatcanbeperformedonsuchresources.ThelinkbetweenresourceandgoalsisderivedfromtheSI*modelthroughAND/ORrene-mentanddelegationsofexecution(Section2)usingtheapproachpresentedin[51].Intuitively,ifaresourceislinkedtothegoal(viaameans-endrelation),thenthere-sourceisneededfortheachievementofthegoal.Ifagoalisdecomposedintosubgoals,eachsubgoalisiterativelyanalyzed.Inparticular,resourceslinkedtoasubgoalare 18 (Resources,Actions)/Goals StayHealthy UpdatePatientProle GetReal-TimeData Providerstaid ProvideSocialSupport GetPatientParticipation GetSocialInteraction Patientdata Access + + + + NA NA NA Modify NA NA NA NA NA NA NA Manage NA NA NA NA NA NA NA Patient Access + + NA NA NA NA NA prole Modify + + NA NA NA NA NA Manage NA NA NA NA NA NA NA Phone Access + NA NA NA NA NA NA communication Modify NA NA NA NA NA NA NA system Manage NA NA NA NA NA NA NA Social Access NA NA NA NA + + + support Modify NA NA NA NA + + NA resources Manage NA NA NA NA NA NA NA Table3Socio-technicalmappingmatrixneededfortheachievementoftheupperlevelgoals.3Ifa(sub)goalisdelegatedtoanotheractors,thecorrespondinggoalmodelrootedintherationaleofthedelegatorisanalyzedasdescribedabove.Thus,thesetofresourcesneededtoachieveagoalin-cludesallresourcesneededfortheachievementofitssubgoalspossiblyviadelegation.Theactionstobeperformedontheseresources(i.e.,access,modify,manage)arede-rivedbytheanalysisofthegoalsforwhichtheresourceisdirectlylinked.Forinstance,goalmaintainpatientproleinFigure2(andthusgoalupdatepatientprole)requires`modify'rightsonthepatientprole.Goalelicitedthroughthedependencenetworktoincreasetheconvivialityofthesystem(e.g.,getsocialinteractioninourscenario)areanalyzedinsimilarway.Forinstance,theanalysisofgoalgetsocialinteractionshowsthatitsachievementrequires`access'rightsforsocialsupportresources.Inthiswork,werelyonthetoolpresentedin[48],whichimplementstheapproachin[51],toautomaticallyinferthelistofresourcesneededtoachieveagoal.Table3presentsthesocio-technicalmappingmatrixforourscenario.Intheta-ble,\+"isusedtorepresentthatexecutingacertainactiononacertainresourceisnecessarytoachievethegoal,andNA(i.e.,notapplicable)torepresentthatacertainresource(oranaction)isnotneededfortheachievementofthegoal.Theanalysisofthedependencenetworkmayleadtoconsiderpotentialdependen-ciesbetweenagentstoimprovetheconvivialityofthesystem.However,theimpactofsuchdependenciesonthesystemsecurityshouldbeanalyzed.Indeed,dependenciescannotbedeployedinthesystemiftheyleadtosecuritybreaches.Toassesstheimpactofapotentialdependencyontheaccesscontrolpolicy,weidentifywhichauthorizationrulesareneededtoachievethedelegatedgoalusingthesocio-technicalmappingmatrix.Werefertothoseauthorizationsascandidateauthorizationrules,denotedbyca.Givenapotentialdependencydep(a;b;s)whereaisthedepender,bthedependee,andsistheagentcreatingthedependency,thecorrespondingsetofcandidateauthorizationrulesca(dep(a;b;s))isidentiedasfollows:{Foreachgsuchthatfg2GjG=dep(a;b;s)g,thepairs(resource;action)neededforachievementofgaredeterminedthroughthesocio-technicalmappingmatrix.{Eachidentiedpair(resource;action)isaugmentedwiththedependeeb.Theresultingsetformsthesetofcandidateauthorizationrules. 3NotethatORdecompositionmayleadtoalternativesetsofresourcesthatmaybeneededtoachieveagoal.Forthesakeofsimplicity,wedonotaddressthisissuehereandreferto[51]fordetail. 20levelofsecurity.Thissectionrstdescribestwovalidationscenariosandtheprototypeimplementationoftherunningexample.Thesedescriptionsarefollowedbyapresen-tationoftheresultsinSection8.3andbyadiscussiononthethreatstovalidityinSection8.4.8.1ValidationScenariosThemethodologypresentedinthispaperhasbeenappliedtoaselectionoftwelvescenarios.Thereadermayrefertoatechnicalreport[71]formoredetailsconcerningthedierentscenariosbesidestheauthorizationrulesandthedependencenetworksrelatedtoeachscenario.ThisselectionwasdonebytheHotCityexpertsbasedonthefollowingtwocriteria:1)likelihood,i.e.,theprobabilitythatthescenariooccursand2)impact,i.e.,theconsequenceonhumanlifeofthefailureofthescenario.Here,wejustdetailtwoofthem,andpresenttheresultsoftheothersinSection8.3.Thetwoselectedscenariosillustratehowthesystemisadaptedgivenanewdepen-dency.Eachscenariohasbeenmodeledwithadependencenetwork.Later,weconsiderthemodelstoinferthepotentialgoalsanddependenciesthatmaybeaddedtoincreasethenumberofcyclesinthenetwork,i.e.,conviviality.Foreachpotentialdependency,weusedsocio-technicalmappingmatricestoinferthechangestotheauthorizationpoliciesgoverningthescenarios.8.1.1Scenario1:HeartAttack1Thisscenario,whichistherunningexample,hasbeenpresentedinthedependencenet-workofFigure3.Inthisscenario,theneighborisisolatedanddoesnotdependonanyanotheragentinthesystem.Theneighbormayhaveapotentialdependencywiththepatient,AnnetteBecker,togetasocialinteractionlikepresentedinFigure3.Suchade-pendencyismappedtoauthorizationrulehPatient;access;socialsupportresources;permitithroughthesocio-technicalmappingmatrixinTable3.Indeed,thefulllmentofgoalgetsocialinteractionrequiresaccesstosocialsupportresources.Sincetherearenohardrequirementscon ictingwiththisauthorizationrule,theruleisaddedtotheauthorizationpolicyasnegotiablerule(seeCase1intheprevioussection).Thus,theconvivialityofthesystemisincreased,whilethesystemstillcomplieswiththeelicitedsecurityrequirements.8.1.2Scenario2:Depression1Inthisscenario,Donaldisa32yearsoldsalesmanwholivesaloneandhasnosocialactivitybesideshisjob.ThescenarioisillustratedbythedependencenetworkofFig-ure6.DonalddependsontheWelfareAssistanceSystem(WAS)ofthelocalhospitalforgoalpreventdepression.Inturn,theWASdependsonDonaldtohavehispreferencesconcerningsocialactivitiesheenjoysandhisavailability.Inaddition,otherpatients,namelyNorman,StanandBob,dependontheWASfororganizingsocialactivities.TheWASusesaschedulingsystemtoorganizesocialactivitiesforpatients.Thepolicythatregulatesthescenarioincludesanumberofnon-negotiableautho-rizationrulesregulatingtheaccesstotheschedulingsystemandpatients'preferences:R1:hWAS;manage;schedulingsystem;permiti 22 Fig.6DependenceNetworkofScenario2:Depression1 Fig.7ScenarioSequenceDiagramafallalongwiththedatacollectedbythewatchsuchastemperatureandpulserate.Thefallisconsideredanemergencycase;howseriousthiscaseismustbeevaluatedbytheHC.Tothisend,thealertautomaticallytriggerstheexecutionoftheWMcomponent.Therststepistoconrmthefallusinganothersourceofinformation.TheVideoRecordercomponentcollectsandprocessesimagescapturedbyvideocamerasinthehouse.Oncesuchinformationhasbeengathered,theHCcanconrmthefall,andresumestheexecutionofthework ow.TheHCneedstocollecthealthinformationaboutthepatientinordertodecidewhetherthesituationisalow,amediumorahighlevelemergency.Patients'healthinformationisrequestedbythePHRtotheElectronicEmergencyResponderofthelocalhospital.Thedatacollectedaretheclinicalsummary(DR02)anddecisionsupportdata(DR17)asdescribedin[39].Bycompilingalltheinformationcollected,theHCmakesthedecisionaboutthelevelofemergency.Incaseofamediumemergency,theHChastondsomeonewhocanprovideassistancetothepatient.Tothisend,thework owactivatestheECLcomponent.The 24ourapproachin91.6%oftheselectedscenarios,withsometimesmajorimprovements(offactor3).Consequently,itappearsthatbyjustcombiningthesocialdimension,i.e.,conviviality,andaccesscontrolpolicymaybringimprovementsregardinghowusersperceivethesystem.Thismeansthatconvivialitymaybeeortlesslyimprovedwithoutdegradingthesecurityofthesystem.Indeed,wehaveonlyconsideredchangesthatdonotaectnon-negotiableauthorizationrules.Theadded-valueofourapproachistomakeexplicitdecisionsthatwerepreviouslytakeninanad-hocmannerbyconsideringsocialandsecurityaspectswhilereconsideringthesystemdesign.8.4ThreatstovalidityDuringthiswork,wehavehaveidentiedpotentialthreatstothevalidityofthepro-posedapproachanditsvalidation.Thissectionlistssomeofthosethreats.Asathreattointernalvalidity,wecanassumethatthemethodologyweproposerequiresanexperttomanuallycheckforconvivialityimprovement.Weneedtogobeyondamethodologydenitionandndasystematicapproachtoallowautomatedselfimprovementofthesystem'sconvivialitywhilekeepinginmindthesecuritypolicy.Thethreatstoexternalvalidityarerelatedtotheleveltowhichourscenariosarerepresentativeofreallifecasestudies.Thescenariosthatwehaveconsideredtovalidatetheapproachwerequitesimpleintermsofnumberofactorsorgoals.Inthefuture,weintendtoimprovethevalidationprocessusingmoreelaboratedscenarioswithmoregoals,andmoreactors,toshowtheeectivenessofourapproachtoachievescalability.9RelatedWorkThisworkspansfourmainresearchareas,namelyassistanceinpolicyspecication,pol-icyadaptation,requirementsnegotiationandconviviality.Inthedomainofassistanceinpolicyspecication,somecontributionshavebeenproposedtollthegapbetweenrequirementsanalysisandpolicesspecication.Basinetal.[4]presentaUML-basedmodelinglanguage,calledSecureUML,formodelingaccesscontrolpoliciesandinte-gratingthese(policies)intoamodel-drivensoftwaredevelopmentprocess.Dardenneetal.[28]proposeaprocessforreningrequirementsandderivesecuritypoliciesfromthem.Inparticular,therenementprocessallowsthederivationofaccesscontrolpoli-ciesandobligationsexpressedinPonder[27].AnotherworkinthesamedirectionhasbeenpresentedbyCrooketal.[25]whoproposeaframeworkfordeningaccesscontrolpolicieswhichconsiderstheassignmentofuserstotheroleswithinanorgani-zation.Theseproposals,however,focusonthesystem-to-be,anddonotanalyzetheorganizationalenvironmentinwhichthesystemwilleventuallyoperate.Inparticular,theydonotconsiderthesocialrelationsbetweenstakeholderswhicharethebasisforspecifyingconviviality-drivenaccesscontrolpolicies.Massaccietal.[46,47]presentaquantitativeapproachtodeterminetheaccesscontrolpolicyforaninter-organizationalbusinessprocess,whichisminimalwithrespecttothesensitivityofdataandtheleveloftrustbetweenactors.Thisapproachallowsuserstoexpresstheirpreferencesintheformofprivacypenaltiesassociatedtopersonaldataandtothepartnerofthebusinessprocess.Then,itdeterminesthealternativewiththesmallestprivacypenaltyandthusguaranteesmaximalprivacyprotection.Incontrast,ourworkmainlyfocusesonthetrade-obetweenconvivialityandsecurity,wherethenumberandsizeofcoalitionsis 26toderiveanaccesscontrolpolicyfromtherequirementsmodel.Bryletal.[13]proposearequirementsanalysisapproachforsocio-technicalsystemswhichemploysplanningtechniquesforexploringthespaceofrequirementsalternativesandanumberofsocialcriteriafortheirevaluation.ThisapproachhasalsobeenappliedtoSI*toselecttheoptimalsecuritydesignamongasetofalternatives[14].Theplanobtainedusingtheapproachin[13,14]areoptimalwithrespecttothelengthoftheplan,whereoptimalityisdenedintermsoflengthminimization.Thisapproach,however,isnotapplicabletoconvivialitysincetheplanwithminimallengthisusuallynottheonethatmaximizesconviviality.Bryletal.[13]alsoproposemetricstostudythecriticalityofanactorinaplan.Ourapproachwouldbenetfromtheapplicationofsuchmetricstodependencenetworksastheyprovideinsightsontheresilienceofdependencenetworks.Convivialityhasbeenintroducedasasocialconceptinmulti-agentsystemsthatre ectsrelationsbetweenindividualstoemphasizesomehumanaspectslikeequalityandcommunitylife[22].Inpreviousstudies(e.g.,[16])convivialityismeasuredintermsofinterdependenciesbetweenagents.Thebasisideaisthatmoreopportunitiestoworkwithotherpeopleincreasestheconviviality,whereaslargercoalitionsmayde-creasetheeciencyandstabilityofthesecoalitions.Ourworkconsidersconvivialityfromadierentperspective:convivialitycanbeincreasedaslongasitdoesnotimpactthesystemsecurity.Convivialityhasbeencapturedthroughthreemodelsusingde-pendencenetworks[19]:therstmodelcapturestemporalpropertiestoreasonaboutconvivialityevolutionovertime;thesecondmodelcapturesstakeholdersviewpoints;andthethirdmodelcapturestransformationsofsocialdependenciesbyhidingpowerrelationsandsocialstructurestofacilitatesocialinteractions.Inourwork,wedonotconsiderthetemporaldimensionthatmayregulateagents'dependencies;thisaspectwillbeinvestigatedinfuturework.10ConclusionsandFutureWorkChangesinsocio-technicalrequirements,design,andenvironmentmayrequiretoadaptandupdatetheaccesscontrolpolicyregulatingthesystem.ThispaperpresentstheDN-ACalignmentmethodologyforanalyzingaccesscontrolpolicieswithrespecttotheconceptofconviviality.Wehaveusedagoal-orientedmethodologytocaptureandanalyzethesocialinteractionsbetweenstakeholders.Then,securityinteractionsareusedtodenetheaccesscontrolpolicy,whereasdependenciesareusedtoanalyze,throughdependencenetworks,theconvivialityofthesystem.Toreconcilethesecurityandconvivialityvisions,weproposedasocio-technicalmappingmatrixthatconnectsconceptsofaccesscontrolandconceptsrelatedtodependencenetworkstoanalyzetheimpactofconvivialityonexistingauthorizationrules.Wealsodenedhowtoadaptauthorizationrulesbasedontheimpactofconvivialityonthesystemsecurity.Tovalidatetheproposedmethodology,wehavebuiltaproof-of-conceptprototypefromtheAALusecaseofLuxembourgHotCity.Themainlessonlearnedfromthescenarioisthattheoutcomeofourmethodologyleadstocreatemorecoalitionsbetweenagentsandthustoincreasetheconvivialitywhilemaintainingthesecuritylevelofthesystem.FurtherworksinvolvereningtheprocessofautomaticderivationofdependencenetworksandACpolicyfromrequirements.Thiswillenabletosystematicallyanalyzecomplexscenariosinvolvingalargenumberofagentsanddependencies.Moreover,inthispaperweconsiderstaticmodels,whereasinvestigatingtheevolutionofmodelswouldprovidener-grainedanalysisovertheconvivialityimprovementandACpolicy 2820.Caire,P.,vanderTorre,L.:Temporaldependencenetworksforthedesignofconvivialmultiagentsystems.In:Proceedingsofthe8thInternationalJointConferenceonAu-tonomousAgentsandMultiagentSystems,pp.1317{1318.InternationalFoundationforAutonomousAgentsandMultiagentSystems(2009)21.Caire,P.,Villata,S.,Boella,G.,vanderTorre,L.:Convivialitymasksinmultiagentsystems.In:Proceedingsofthe7thInternationalJointConferenceonAutonomousAgentsandMultiagentSystems,pp.1265{1268.InternationalFoundationforAutonomousAgentsandMultiagentSystems(2008)22.Caire,P.,Villata,S.,Boella,G.,vanderTorre,L.:Convivialitymasksinmultiagentsystems.In:Proceedingsofthe7thInternationalJointConferenceonAutonomousAgentsAndMultiagentSystems,pp.1265{1268.InternationalFoundationforAutonomousAgentsandMultiagentSystems(2008)23.Castelfranchi,C.:Themicro-macroconstitutionofpower.Protosociology18,208{269(2003)24.Cormen,T.H.,Leiserson,C.E.,Rivest,R.L.,Stein,C.:IntroductiontoAlgorithms,2ndedn.TheMITPress(2001)25.Crook,R.,Ince,D.,Nuseibeh,B.:Modellingaccesspoliciesusingrolesinrequirementsengineering.InformationandSoftwareTechnology45(14),979{991(2003)26.Damen,S.,Zannone,N.:PrivacyImplicationsofPrivacySettingsandTagginginFace-book.In:Proceedingsofthe10thVLDBWorkshoponSecureDataManagement.Springer(2013)27.Damianou,N.,Dulay,N.,Lupu,E.,Sloman,M.:ThePonderPolicySpecicationLan-guage.In:ProceedingsoftheInternationalWorkshoponPoliciesforDistributedSystemsandNetworks,LNCS1995,pp.18{38.Springer(2001)28.Dardenne,A.,vanLamsweerde,A.,Fickas,S.:Goal-directedrequirementsacquisition.In:Proceedingsofthe6thInternationalWorkshoponSoftwareSpecicationandDesign,pp.3{50.ElsevierSciencePublishersB.V.,Amsterdam,TheNetherlands(1993)29.Elahi,G.,Yu,E.S.K.:Modelingandanalysisofsecuritytrade-os-agoalorientedap-proach.DataKnowl.Eng.68(7),579{598(2009)30.Elahi,G.,Yu,E.S.K.,Zannone,N.:Avulnerability-centricrequirementsengineeringframe-work:analyzingsecurityattacks,countermeasures,andrequirementsbasedonvulnerabil-ities.Requir.Eng.15(1),41{62(2010)31.Emerson,R.:Power-dependencerelations.AmericanSociologicalReview27,31{41(1962)32.Flechais,I.,Mascolo,C.,Sasse,M.A.:Integratingsecurityandusabilityintotherequire-mentsanddesignprocess.Int.J.Electron.Secur.Digit.Forensic1(1),12{26(2007)33.Flechais,I.,Sasse,M.A.,Hailes,S.M.V.:Bringingsecurityhome:aprocessfordevelop-ingsecureandusablesystems.In:Proceedingsofthe2003WorkshoponNewSecurityParadigms,pp.49{57.ACM(2003)34.Frankl,P.G.,Weyuker,E.J.:Testingsoftwaretodetectandreducerisk.JournalofSystemsandSoftware53(3),275{286(2000)35.Fuxman,A.,Liu,L.,Mylopoulos,J.,Roveri,M.,Traverso,P.:SpecifyingandanalyzingearlyrequirementsinTropos.Requir.Eng.9(2),132{150(2004)36.Giorgini,P.,Massacci,F.,Mylopoulos,J.,Zannone,N.:ModelingSecurityRequirementsThroughOwnership,PermissionandDelegation.In:Proceedingsofthe13thIEEEInter-nationalConferenceonRequirementsEngineering,pp.167{176.IEEEComputerSociety(2005)37.Giorgini,P.,Massacci,F.,Mylopoulos,J.,Zannone,N.:Requirementsengineeringfortrustmanagement:model,methodology,andreasoning.Int.J.Inf.Sec.5(4),257{274(2006)38.Gutmann,P.,Grigg,I.:Securityusability.Security&Privacy,IEEE3(4),56{58(2005)39.HealthcareInformationTechnologyStandardsPanel(HITSP):EmergencyResponderElectronicHealthRecordInteroperabilitySpecication(IS04),Version2.0(2008)40.Illich,I.:ToolsforConviviality.MarionBoyarsPublishers,London(1974)41.Jureta,I.J.,Mylopoulos,J.,Faulkner,S.,Schobbens,P.Y.:Coreontologyforrequirementsengineering.Tech.rep.,InformationManagementResearchUnit,UniversityofNamur(2007)42.Kazman,R.,Klein,M.,Barbacci,M.,Longsta,T.,Lipson,H.,Carriere,J.:Thearchitec-turetradeoanalysismethod.In:Proceedingsofthe4thIEEEInternationalConferenceonEngineeringofComplexComputerSystems,pp.68{78.IEEEComputerSociety(1998)43.Koller,D.,Milch,B.:Multi-agentin uencediagramsforrepresentingandsolvinggames.GamesandEconomicBehavior45(1),181{221(2003) 3069.Sichman,J.S.,Demazeau,Y.:Onsocialreasoninginmulti-agentsystems.RevistaIberoamericanadeInteligenciaArticial13,68{84(2001)70.Sinclair,S.,Smith,S.W.:What'swrongwithaccesscontrolintherealworld?IEEESecurityandPrivacy8,74{77(2010)71.VasileiosEfthymiou,P.C.:DiagramAnalysisReport:UseCasesforConvivialityandPri-vacyinAmbientIntelligentSystems.UniversityofLuxembourg,SnT,Luxembourg(2012)72.Yee,K.P.:Aligningsecurityandusability.Security&Privacy,IEEE2(5),48{55(2004)73.Yu,E.:Modellingstrategicrelationshipsforprocessreengineering.Ph.D.thesis,UniversityofToronto,Canada(1995)