David Pym

University College London | UCL · Department of Computer Science

About

200
Publications
10,611
Reads
2,742
Citations

Publications (200)
Article
Security policy-makers (influencers) in an organization set security policies that embody intended behaviours for employees (as decision-makers) to follow. Decision-makers then face choices, where this is not simply a binary decision of whether to comply or not, but also how to approach compliance and secure working alongside other workplace pressu...
Chapter
Full-text available
In a world of ever-increasing complexity, the smooth functioning of society is critically dependent on our ability to understand and manage both individual systems and complex ecosystems of systems. Models, combined with tools to reason about them, can provide a way to do this. In order for rigorous reasoning about models to be possible, they must...
Chapter
Full-text available
Organizations today face a significant set of sophisticated information security threats, including rapidly spreading malware that can affect many devices across the organization. The impacts of such attacks are amplified by customers’ rising expectations of high-quality and rapid delivery of products and services, as well as by organizational atte...
Chapter
Full-text available
As the world has evolved to become ever more dependent on complex ecosystems of large, interacting systems, it has become ever more important to be able to reason rigorously about the design, construction, and behaviour not only of individual systems—which may include aspects related to all of people, process, and technology—but also of their assem...
Chapter
Security policy-makers (influencers) in an organization set security policies that embody intended behaviours for employees (as decision-makers) to follow. Decision-makers then face choices, where this is not simply a binary decision of whether to comply or not, but also how to approach compliance and secure working alongside other workplace pressu...
Conference Paper
Security policy-makers (influencers) in an organization set security policies that embody intended behaviours for employees (as decision-makers) to follow. Decision-makers then face choices, where this is not simply a binary decision of whether to comply or not, but also how to approach compliance and secure working alongside other workplace pressu...
Preprint
Full-text available
The logic of Bunched Implications (BI) combines both additive and multiplicative connectives, which include two primitive intuitionistic implications. As a consequence, contexts in the sequent presentation are not lists, nor multisets, but rather tree-like structures called bunches. This additional complexity notwithstanding, the logic has a well-b...
Conference Paper
The Internet of Things concerns extensive ecosystems of 'things' connected by interfaces. Researching such ecosystems is challenging given that devices extend into multiple administrative domains with different boundaries and communications structures. In this paper, we explore how formalism, based on systems thinking and mathematical logic, might b...
Conference Paper
Concurrent Kleene Algebra is an elegant tool for equational reasoning about concurrent programs. An important feature of concurrent programs that is missing from CKA is the ability to restrict legal interleavings. To remedy this we extend the standard model of CKA, namely pomsets, with a new feature, called boxes, which can specify that part of the...
Article
Full-text available
We present a substructural epistemic logic, based on Boolean BI, in which the epistemic modalities are parametrized on agents’ local resources. The new modalities can be seen as generalizations of the usual epistemic modalities. The logic combines Boolean BI’s resource semantics—we introduce BI and its resource semantics at some length—with epistem...
Preprint
Concurrent Kleene Algebra is an elegant tool for equational reasoning about concurrent programs. An important feature of concurrent programs that is missing from CKA is the ability to restrict legal interleavings. To remedy this we extend the standard model of CKA, namely pomsets, with a new feature, called boxes, which can specify that part of the...
Conference Paper
Controlling asset-access has traditionally been considered a matter for systems in which assets reside. Centralized approaches to access control are, however, problematic for the IoT. One reason for this is that devices may not be confined to a single system of control. In this abstract, we argue for a new paradigm in which assets are empowered to...
Preprint
We present a substructural epistemic logic, based on Boolean BI, in which the epistemic modalities are parametrized on agents' local resources. The new modalities can be seen as generalizations of the usual epistemic modalities. The logic combines Boolean BI's resource semantics --- we introduce BI and its resource semantics at some length --- with...
Article
Full-text available
One might poetically muse that computers have the essence both of logic and machines. Through the case of the history of Separation Logic, we explore how this assertion is more than idle poetry. Separation Logic works because it merges the software engineer’s conceptual model of a program’s manipulation of computer memory with the logical model tha...
Conference Paper
A security breach often makes companies react by changing their attitude and approach to security within the organization. This paper presents an in-depth case study of post-breach security changes made by a company and the consequences of those changes. We employ the principles of participatory action research and humble inquiry to conduct a long-...
Article
The Logic of Bunched Implications (BI) was introduced by O'Hearn and Pym. The original presentation of BI emphasised its role as a system for formal logic (broadly in the tradition of relevant logic) that has some interesting properties, combining a clean proof theory, including a categorical interpretation, with a simple truth-functional semantics...
Book
This book constitutes revised selected papers from the 5th International Workshop on Graphical Models for Security, GraMSec 2018, held in Oxford, UK, in July 2018. The 7 full papers presented in this volume were carefully reviewed and selected from 21 submissions. The book also contains one invited talk. The contributions deal with the latest resea...
Article
Information security is concerned with protecting the confidentiality, integrity, and availability of information systems. System managers deploy their resources with the aim of maintaining target levels of these attributes in the presence of reactive threats. Information stewardship is the challenge of maintaining the sustainability and resilience...
Chapter
Full-text available
In recent years, the key principles behind Separation Logic have been generalized to generate formalisms for a number of verification tasks in program analysis via the formulation of ‘non-standard’ models utilizing notions of separation distinct from heap disjointness. These models can typically be characterized by a separation theory, a collection...
Article
Full-text available
Stone-type duality theorems, which relate algebraic and relational/topological models, are important tools in logic because — in addition to elegant abstraction — they strengthen soundness and completeness to a categorical equivalence, yielding a framework through which both algebraic and topological methods can be brought to bear on a logic. We gi...
Conference Paper
A scientific incident analysis is one with a methodical, justifiable approach to the human decision-making process. Incident analysis is a good target for additional rigor because it is the most human-intensive part of incident response. Our goal is to provide the tools necessary for specifying precisely the reasoning process in incident analysis....
Conference Paper
We present a substructural epistemic logic, based on Boolean BI, in which the epistemic modalities are parametrized on agents’ local resources. The new modalities can be seen as generalizations of the usual epistemic modalities. The logic combines Boolean BI’s resource semantics with epistemic agency. We give a labelled tableaux calculus and establ...
Article
We prove strong completeness of a range of substructural logics with respect to a natural poset-based relational semantics using a coalgebraic version of completeness-via-canonicity. By formalizing the problem in the language of coalgebraic logics, we develop a modular theory which covers a wide variety of different logics under a single framework,...
Article
Stone-type duality theorems, which relate algebraic and relational/topological models, are important tools in logic because they strengthen soundness and completeness to a categorical equivalence, yielding a framework through which both algebraic and topological methods can be brought to bear on a logic. We give a systematic treatment of Stone-type...
Conference Paper
Full-text available
The U.S. Vulnerabilities Equities Process (VEP) is used by the government to decide whether to retain or disclose zero day vulnerabilities that the government possesses. There are costs and benefits to both actions: disclosing the vulnerability allows the vulnerability to be patched and systems to be made more secure, while retaining the vulnerabil...
Conference Paper
Our goal is to refocus the question about cybersecurity research from 'is this process scientific' to 'why is this scientific process producing unsatisfactory results'. We focus on five common complaints that claim cybersecurity is not or cannot be scientific. Many of these complaints presume views associated with the philosophical school known as...
Conference Paper
Models of complex systems are widely used in the physical and social sciences, and the concept of layering, typically building upon graph-theoretic structure, is a common feature. We describe an intuitionistic substructural logic that gives an account of layering. As in other bunched systems, the logic includes the usual intuitionistic connectives,...
Article
Full-text available
We introduce a substructural modal logic of utility that can be used to reason about optimality with respect to properties of states. Our notion of state is quite general, and is able to represent resource allocation problems in distributed systems. The underlying logic is a variant of the modal logic of bunched implications, and based on resource...
Article
Systems security is essential for the efficient operation of all organizations. Indeed, most large firms employ a designated 'Chief Information Security Officer' to coordinate the operational aspects of the organization’s information security. Part of this role is in planning investment responses to information security threats against the firm's c...
Conference Paper
We introduce a model for examining the factors that lead to the adoption of new encryption technologies. Building on the work of Brock and Durlauf, the model describes how agents make choices, in the presence of social interaction, between competing technologies given their relative cost, functionality, and usability. We apply the model to examples...
Article
Models of complex systems are widely used in the physical and social sciences, and the concept of layering, typically building upon graph-theoretic structure, is a common feature. We describe an intuitionistic substructural logic that gives an account of layering. The logic is a bunched system, combining the usual intuitionistic connectives, togeth...
Conference Paper
Full-text available
We propose a model, based on the work of Brock and Durlauf, which looks at how agents make choices between competing technologies, as a framework for exploring aspects of the economics of the adoption of privacy-enhancing technologies. In order to formulate a model of decision-making among choices of technologies by these agents, we consider the fo...
Conference Paper
Security breaches often arise as a result of users’ failure to comply with security policies. Such failures to comply may simply be innocent mistakes. However, there is evidence that, in some circumstances, users choose not to comply because they perceive that the security benefit of compliance is outweighed by the cost that is the impact of compli...
Conference Paper
Full-text available
Systems modelling can be used to help improve decisions around security policy. By modelling a complex system, the interactions between its structure, environment, technology, policies, and human agents can be understood and the effects of different policy choices on the system can be explored. Of key importance is capturing the behaviour of human...
Article
We develop and estimate a vector equation system of threats to ten important IP services, using SANS-reported data over the period January 2003 to February 2011. Our results reveal strong evidence of contagion between such attacks, with attacks on ssh and Secure Web Server indicating increased attack activity on other ports. Security managers who i...
Conference Paper
Models of complex systems are widely used in the physical and social sciences, and the concept of layering, typically building upon graph-theoretic structure, is a common feature. We describe an intuitionistic substructural logic that gives an account of layering. As in bunched systems, the logic includes the usual intuitionistic connectives, toget...
Article
Full-text available
We present a logic of separating modalities, LSM, that is based on Boolean BI. LSM's modalities, which generalize those of S4, combine, within a quite general relational semantics, BI's resource semantics with modal accessibility. We provide a range of examples illustrating their use for modelling. We give a proof system based on a labelled tableau...
Article
Full-text available
This paper provides for the presentation, in an integrated manner, of a sequence of results addressing the consequences of the presence of an information steward in an ecosystem under attack and establishes the appropriate defensive investment responses, thus allowing for a cohesive understanding of the nature of the information steward in a variet...
Article
Mathematical modelling and simulation modelling are fundamental tools of engineering, science, and social sciences such as economics, and provide decision-support tools in management. Mathematical models are essentially deployed at all scales, all levels of complexity, and all levels of abstraction. Models are often required to be executable, as a...
Conference Paper
Full-text available
We introduce a model for examining the factors that lead to the adoption of new encryption technologies. Building on the work of Brock and Durlauf, the model describes how agents make choices, in the presence of social interaction, between competing technologies given their relative cost, functionality, and usability. We apply the model to examples...
Article
Full-text available
Cybersecurity is now widely recognized as essential by individuals, firms, and governments. As society has grown more dependent on information systems and the Internet, the need for a secure and reliable cyber infrastructure is clear. As this need has spread beyond the domains of computing and information technology, the number of disciplines contr...
Conference Paper
We prove strong completeness of a range of substructural logics with respect to their relational semantics by completeness-via-canonicity. Specifically, we use the topological theory of canonical (in)equations in distributive lattice expansions to show that distributive substructural logics are strongly complete with respect to their relational se...
Article
Full-text available
Security managers face the challenge of designing security policies that deliver the objectives required by their organizations. We explain how a rigorous methodology, grounded in mathematical systems modelling and the economics of decision-making, can be used to explore the operational consequences of their design choices and help security manager...
Conference Paper
Full-text available
Security managers face the challenge of designing security policies that deliver the objectives required by their organizations. We explain how a rigorous modelling framework and methodology— grounded in semantically justified mathematical systems modelling, the economics of decision-making, and simulation—can be used to explore the operational con...
Article
We prove strong completeness of a range of substructural logics with respect to their relational semantics by completeness-via-canonicity. Specifically, we use the topological theory of canonical (in)equations in distributive lattice expansions to show that distributive substructural logics are strongly complete with respect to their relational se...
Article
Understanding the boundaries of trust is a key aspect of accurately modelling the structure and behaviour of multi-agent systems with heterogeneous motivating factors. Reasoning about these boundaries in highly interconnected, information-rich ecosystems is complex, and dependent upon modelling at the correct level of abstraction. Building on an es...
Article
We describe a uniform logical framework, based on a bunched logic that combines classical additives and very weak multiplicatives, for reasoning compositionally about access control policy models. We show how our approach takes account of the underlying system architecture, and so provides a way to identify and reason about how vulnerabilities may...
Article
Complex systems, be they natural or synthetic, are ubiquitous. In particular, complex networks of devices and services underpin most of society's operations. By their very nature, such systems are difficult to conceptualize and reason about effectively. The concept of layering is widespread in complex systems, but has not been considered conceptual...
Conference Paper
Full-text available
Security managers face the challenge of formulating and implementing policies that deliver their desired system security postures — for example, their preferred balance of confidentiality, integrity, and availability — within budget (monetary and otherwise). In this paper, we describe a security modelling methodology, grounded in rigorous mathemati...
Article
Full-text available
The matrix method, due to Bibel and Andrews, is a proof procedure designed for automated theorem-proving. We show that underlying this method is a fully structured combinatorial model of conventional classical proof theory.
Conference Paper
Information security is concerned with protecting the confidentiality, integrity, and availability of information systems. System managers deploy their resources with the aim of maintaining target levels of these attributes in the presence of reactive threats. Information stewardship is the challenge of maintaining the sustainability and resilien...
Conference Paper
Security managers face the challenge of formulating and implementing policies that deliver their desired system security postures --- for example, their preferred balance of confidentiality, integrity, and availability --- within budget (monetary and otherwise). In this paper, we describe a security modelling methodology, grounded in rigorous mathe...
Conference Paper
Full-text available
Managing information security in the cloud is a challenge. Traditional checklist approaches to standards compliance may well provide compliance, but do not guarantee to provide security assurance. The complexity of cloud relationships must be acknowledged and explicitly managed by recognising the implications of self-interest of each party involved...
Article
We consider a calculus of resources and processes as a basis for modelling decision-making in multi-agent systems. The calculus represents the regulation of agents' choices using utility functions that take account of context. Associated with the calculus is a (Hennessy Milner-style) context sensitive modal logic of state. As an application, we sho...
Conference Paper
Complex systems of interacting agents are ubiquitous in the highly interconnected, information-rich ecosystems upon which the world is more-or-less wholly dependent. Within these systems, it is often necessary for an agent, or a group of agents, such as a business, to establish within a given ecosystem a trusted group, or a region of trust. Buildin...
Article
Full-text available
Acknowledgments This paper draws on the work of and conversations with all of the security research team in HP Labs. Specifically, we thank Boris Balacheff and Chris Dalton for all areas relating to trusted infrastructure; Yolanta Beres and Jonathan Griffin for their work on process modeling of vulnerability management; Chew Yean Yam and Christos I...
Conference Paper
We develop a compositional framework for modelling security and business architectures based on rigorous underlying mathematical systems modelling technology. We explain the basic architectural model, which strictly separates declarative specification from operational implementation, and show architectures can interact by composition, substituti...
Article
We develop and simulate a basic mathematical model of the costly deployment of software patches in the presence of trade-offs between confidentiality and availability. The model incorporates representations of the key aspects of the system architecture, the managers' preferences, and the stochastic nature of the threat environment. Using the model,...
Chapter
Cloud computing ecosystems of service providers and consumers will become a significant part of the way information services are provided, allowing more agile coalitions, cost savings and improved service delivery. Existing approaches to information security do not readily extend to this complex multi-party world. The authors argue for a mathematic...
Chapter
Cloud computing ecosystems of service providers and consumers will become a significant part of the way information services are provided, allowing more agile coalitions, cost savings and improved service delivery. Existing approaches to information security do not readily extend to this complex multi-party world. The authors argue for a mathematic...
Conference Paper
Full-text available
We discuss the concept of information stewardship in cloud-based business ecosystems. The constituent concepts of stewardship -- which we believe will be crucial to the successful development of cloud-based business of all kinds -- extend those of security to encompass concepts of objectives, ethics/values, sustainability, and resilience: all famil...
Article
Full-text available
HP Laboratories HPL-2011-36. Keywords: security analytics, security management, economics, password. We demonstrate the use of a systematic decision-making methodology to support an informed choice of a password policy. Our approach uses an executable system model, grounded with empirical data, to compare, using simulations, two options. The basis of the compa...
Article
This paper addresses the question of determining the optimal timing of interventions in information security management. Using utility theory, we derive the limiting condition under which, given a potential or realized risk, a decision to invest, delay, or abandon can be justified. Our primary focus is on the decision to defer costly deterministic...
Article
We develop an ontological account of information security architectures that is inspired by economic models of trade-offs between confidentiality, integrity, and availability. Our approach clarifies the nature of the trade-offs by making a clear distinction between declarative and operational concepts in security. We integrate this approach with a...
Conference Paper
Identity and Access Management (IAM) is a key enabler of enterprise businesses: it supports automation, security enforcement, and compliance. However, most enterprises struggle with their Identity and Access Management strategy. Discussions on IAM primarily focus at the IT operational level, rather than targeting strategic decision-makers' issues,...
Conference Paper
Information security managers with fixed budgets must invest in security measures to mitigate increasingly severe threats whilst maintaining the alignment of their systems with their organization's business objectives. The state of the art lacks a systematic methodology to support security investment decision-making. We describe a methodology that...
Article
The access control problem in computer security is fundamentally concerned with the ability of system entities to see, make use of, or alter various system resources. We provide a mathematical framework for modelling and reasoning about (distributed) systems with access control. This is based on a calculus of resources and processes together with a...
Article
Cloud computing ecosystems of service providers and consumers will become a significant part of the way information services are provided, allowing more agile coalitions, cost savings and improved service delivery. Existing approaches to information security do not readily extend to this complex multi-party world. The authors argue for a mathematic...
Article
Full-text available
Simulation modelling is an important tool for exploring and reasoning about complex systems. Many supporting languages are available. Commonly occurring features of these languages are constructs capturing concepts such as process, resource, and location. We describe a mathematical framework that supports a modelling idiom based on these core co...
Article
Managing the information stewardship lifecycle is a challenge. In the context of cloud computing, the stakeholders in cloud ecosystems must also take account of the demands of the information stewardship lifecycles of other participants in the ecosystem. We describe a modelling framework — incorporating tools from mathematical systems modelling,...
Article
Identity and Access Management (IAM) is a key enabler of enterprise businesses: It supports automation, security enforcement and compliance. However, most enterprises struggle with their Identity and Access Management strategy. Discussions on IAM primarily focus at the IT operational level, rather than targeting strategic decision makers' issues, a...
Book
The Workshop on the Economics of Information Security was established in 2002 to bring together computer scientists and economists to understand and improve the poor state of information security practice. WEIS was borne out of a realization that security often fails for non-technical reasons. Rather, the incentives of both defender and attacker mu...
Chapter
The Workshop on the Economics of Information Security (WEIS) is the leading forum for interdisciplinary research and scholarship on information security and privacy, combining ideas, techniques, and expertise from the fields of economics, social science, business, law, policy, and computer science.
Article
Full-text available
Organizations deploy systems technologies in order to support their operations and achieve their business objectives. In so doing, they encounter tensions between the confidentiality, integrity, and availability of information, and must make investments in information security measures to address these concerns. We discuss how a macroeconomics-ins...
Article
Full-text available
Experience of practical systems modelling suggests that the key conceptual components of a model of a system are processes, resources, locations and environment. In recent work, we have given a process-theoretic account of this view in which resources as well as processes are first-class citizens. This process calculus, SCRP, captures the structura...
Article
Mathematical modelling is one of the fundamental tools of science and engineering. Very often, models are required to be executable, as a simulation, on a computer. In this paper, we present some contributions to the process-theoretic and logical foundations of discrete-event modelling with resources and processes. We present a process calculus wit...
Conference Paper
We develop and simulate a dynamic model of investment in information security. The model is based on the recognition that both IT managers and users appreciate the trade-off between two of the fundamental characteristics of information security, namely confidentiality and availability. The model's parameters can be clustered in a manner that allows u...
Article
Full-text available
We describe a polymorphic, typed lambda calculus with substructural features. This calculus extends the first-order substructural lambda calculus αλ associated with bunched logic. A particular novelty of our new calculus is the substructural treatment of second-order variables. This is accomplished through the use of bunches of type variables in ty...
Conference Paper
Organizations deploy systems technologies in order to support their operations and achieve their business objectives. In so doing, they encounter tensions between the confidentiality, integrity, and availability of information, and must make investments in information security measures to address these concerns. We discuss how a macroeconomics-insp...