Computing conspiracies [data integrity]

The concept of `segregation of duties´ is well-known in both organisational and security contexts. For example, the Clark-Wilson model stresses the importance of such a policy appropriate for regulating the involvement of subjects in acting upon business information and business values. However, it gives no guidelines on how to distinguish a proper policy from an improper one. Furthermore, the discipline of auditing has developed numerous schemes for segregation of duties. In this paper we use a model that allows quantification of-and reasoning about-audit-technical segregation of duties. Our approach is based on normative (`Soll´) and actual (`Ist´) specifications of a company´s circular flow of business values in terms of enriched Petri nets. In this type of Petri net the markers represent money, goods, debts and registrations of these business values, the places represent their buffer locations and the transitions represent transformation procedures. Associated to these Petri net elements are agents and their authorisations and abilities. Undetectable use of company assets can now be modelled in the `Ist´ net by the general Petri net notion of `T-invariant´. The design of a proper scheme for segregation of duties then reduces to maximisation of the number of agents that need to be minimally involved in order to establish a firing of such a T-invariant