Physical and digital security mechanisms

Abstract

We research the security of physical and digital systems. Starting point is a simple conceptual framework: systems range from being completely physical to completely automated. The former only use physical security mechanisms, whereas the latter only use digital security mechanisms. In between these lies a mixed category of hybrid systems, which can use both digital and physical security mechanisms. Following this framework we study the security of physical, digital and hybrid systems in four domains: access control, voting in elections, IT infrastructure and rights management. We begin with investigating the underlying properties of physical and digital systems: characteristics of a physical or digital object that, under specific conditions, have positive or negative effects on security. In total we present twenty physical and five digital security properties. These properties are then used to identify the differences between physical and digital security in each case. Next we examine hybrid systems to understand how to combine physical and digital security, and what the trade-offs are between these two. Finally, these results are used to create two methods that help improve information security: - A method for assessing security risks of physical, digital and hybrid systems. This method is built around security properties: they are used to understand the security of existing systems (by identifying the properties and how they could change) or to design new systems (by building in those properties and conditions that have positive effects on security). - A method for assessing the security of hybrid systems through security patterns. These patterns are reusable designs that show how to combine physical and digital security optimally. We present a total of thirteen patterns that are useful both to design and to evaluate the security of hybrid systems. Both methods were tested successfully in a focus group meeting with security experts.