Automation of security policies in software systems

As our world increasingly digitizes, the security of software systems becomes paramount. There exists a wide variety of security policies and approaches to modeling them. Existing security policy models, however, often lack accessibility for stakeholders without deep domain knowledge or include multiple aspects irrelevant to some stakeholders. Furthermore, these security policy models predominantly automate security policies based on the interests of a limited subset of stakeholders, consequently overlooking the concerns of others. This thesis addresses this gap by defining the concepts of Security Policy and Automation to determine the elements of Security Policies that are amenable to automation. In response, we introduce the Security Policy Meta Model (SPMM), designed to enable the creation of tailored Security Policy Models (SPM) that resonate with stakeholder concerns. Additionally, the SPMM incorporates an Automation Model (AM), which automates the modeled Security Policy, culminating in the Security Policy Automation Model (SPAM). Our methodology involves conducting a lightweight SLR to establish an overview of the current approaches to modeling security policies and their automation, followed by developing a structured process for constructing a tailored SPAM. This process is validated through an application example, examining its applicability across multiple security policies and stakeholder groups. The findings from the application example highlight the SPMM’s effectiveness in enhancing stakeholder comprehension of security policies and in facilitating the tailored automation of these policies. The establishment of the SPMM, coupled with its construction process, marks a significant advancement in simplifying the complexity of security policies for a broad spectrum of stakeholders and in progressing the field of security policy automation within software systems.

Project information



Thesis for degree:



Badry Münker