Towards A Conceptual Foundation for Physical Security: Case Study of An It Department

Towards A Conceptual Foundation for Physical Security: Case Study of An It Department

S. Al-Fedaghi O. Alsumait

Department of Computer Engineering, Kuwait university, Kuwait.

Information Technology Department, ministry of Defense, Kuwait.

Available online: 
| Citation



Protecting physical data, networks, and systems has become difficult, increasingly costly, and tougher to manage as technology and environments become more complex and dynamic. This paper presents a theoretical foundation for physical information technology (IT) security by developing a logical description based on a flow-based model. Within this model, a security machine is defined as a sequence of stages in which flow is identified and blocked in a multilevel blockage machine. The main focusses of the paper are the importance of having appropriate physical security in place, discussed with so-called onion/garlic models, and the notion of physical containment. The proposed representation is applied to an actual security plan for an IT department of a government ministry. The results suggest a viable approach to designing physical security strategies.


Conceptual model, diagrammatic representation, physical access control, physical security, systems modeling language.


[1] Ferraiolo, K., The systems security engineering capability maturity model (SSECMM). Proceedings of the International Systems Security Engineering Association, 2000. (accessed 15 February 2017).

[2] Shirey, R., Internet Security Glossary, Version 2. Internet Engineering Task Force (IETF), RFC 4949, 2007. Figure 20: Attack graph of the second stage of analysis in the example (partial and modified, redrawn from Pieters [30]. 154 S. Al-Fedaghi & O. Alsumait, Int. J. of Safety and Security Eng., Vol. 9, No. 2 (2019)

[3] Krutz, R.L. & Vines, R.D., The CISM Prep Guide: Mastering the Five Domains of Information Security Management, John Wiley & Sons, 2003.

[4] Gregg, M., Hack the Stack: Layer 1: The Physical Layer, Hack the Stack: Using Snort and Ethereal to Master the 8 Layers of an Insecure Network, Syngress Publishing. 2006.

[5] National Computer Security Center (NCSC). US glossary of computer security terms,NCSC-TG-004, version 1. NIST computer security resource center. (accessed 14 September 2017).

[6] Niles, S., Physical Security In Mission Critical Facilities, Schneider Electric White Paper 82, Revision 2, American Power Conversion, 2004.

[7] St Sauver, J., Physical Security of Advanced Network and Systems Infrastructure, Presented at Spring 2011 Internet 2 Members Meeting, Arlington, Virginia, April 19, 2011.

[8] St Sauver, J., Physical Security: A Crucial (But Often Neglected) Part of Cybersecurity,, 2017 (accessed 11 April 2017).

[9] Hutter, D., Physical Security and Why It Is Important, SANS Institute. 5 March 2017).

[10] Harris, S., Physical and environmental security, CISSP Exam Guide, 6th ed., USA McGraw-Hill, pp. 427–502. 2013.

[11] Oriyano, S., Physical security. CEHV8: Certified Ethical Hacker Version 8 Study Guide. Wiley: Indianapolis, pp. 393–409, 2014.

[12] Scott, M., Coca-cola data breach highlights: importance of laptop security. ACFE Website, 2014, December 1. (accessed 8 April 2017).

[13] Hunker, J. & Probst, C.W., Insiders and insider threats: an overview of definitions and mitigation techniques. Journal of Wireless Mobile Networks, Ubiquitous Computing,and Dependable Applications (JoWUA), 2(1), pp. 4–27, March 2011.

[14] Homeland Security Research Corporation., China, UAE, Kuwait and Saudi Arabia are fastest growing homeland security markets. Homeland Security Research Corporation Website, January 30, 2014. 21 March 2017).

[15] Federal Information Security Management Act (FISMA), PE1-PE19, Appendix F, NIST Special Publication pp. 800–53 Rev 3, n.d.

[16] Huang, J., Brief Tour about Android Security, December 7, 2012 [slides].

[17] Schiavone, S., Garg, L. & Summers, K., Ontology of information security in enterprises. Electronic Journal of Information Systems Evaluation, 17(1), pp. 71–87, 2014.

[18] Senstar Cyber. Threats in physical security: understanding and mitigating the risk. senstarcyber. com (accessed 11 February 2017).

[19] Dictionarycom. (accessed 11 February, 2017).

[20] franklin-witter, If security is a process, why don’t we manage it like one? Thought Leadership Website. (accessed 10 March 2017).

[21] Al-Fedaghi, S. & Moein, S., Modeling attacks. International Journal of Safety and Security Engineering, 4(2), 2014.

[22] Al-Fedaghi S., New conceptual representation of collision attack in wireless sensor networks. International Journal of Safety and Security Engineering, 3(4),2013

[23] Al-Fedaghi S. & AlMeshari, H., Social networks in which users are not small circles. Informing Science, 18, pp. 205–24, 2015.

[24] Al-Fedaghi, S., Conceptualization of various and conflicting notions of information. Informing Science, 17, pp. 295–308, 2014.

[25] Al-Fedaghi, S. Alsaqa, A., & Fadel, Z., Conceptual model for communication. International Journal of Computer Science and Information Security, 6(2), 2009.

[26] Al-Fedaghi, S., Software requirements as narratives. Third International Conference on Information, Process, and Knowledge Management, Gosier, Guadeloupe, February 2011.

[27] Al-Fedaghi S. & Mahdi, F., Events classification in log audit. International Journal of Network Security & Its Applications, 2(2), 2010.

[28] Al-Fedaghi, S., Flow-based description of conceptual and design levels. IEEE International Conference on Computer Engineering and Technology 2009, Singapore, January 2009.

[29] Simon, H. A., The Sciences of the Artificial, MIT Press: Cambridge, 1996.

[30] Pieters, W., Representing humans in system security models: an actor-network approach. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA), 2(1), pp. 75–92, 2011.

[31] Bishop, M., Coles-Kemp, L., Gollmann, D., Hunker, J. & Probst, C., 10341 report –insider threats: strategies for prevention, mitigation, and response. Insider Threats: Strategies for Prevention, Mitigation, and Response, Dagstuhl Seminar Proceedings, no. 10341, 2010.

[32] Mobbs, P., Introducing information security. A series of briefings on information security and on-line safety for civil society organisations,, 2002 (accessed 10 March 2017).

[33] Forcht, K.A. & Kruck, S.E., Physical security models, philosophies, and context. Journal of Information Management, 10(2), article 9, 2001.

[34] Robbins, P., CISSP & physical and environmental security & information security. Presentation at ISA 400 Management, Information Security & Assurance Program University of Hawai’i West Oahu, 2015, January 17.

[35] Philpott, D. & Einstein, S., The Integrated Physical Security Handbook. The Counter Terrorist Magazine web site, pdf (accessed 2 April 2017).

[36] Woodbury, C., Security blueprint [Online]. IBMSystems website, http:// (accessed 1 April 2017).

[37] Edraw M., Warehouse Security and Access Plan Template [software], 2004–2017.

[38] Lincke, S.J., Physical & Personnel Security, CISA Review Manual 2009, PhD thesis, Univ. of Wisconsin, USA.

[39] Marrone, S., Rodríguez, R.J., Nardone, R., Flammini, F. & Vittorini, V., On synergies of cyber and physical security modelling in vulnerability assessment of railway systems. Computers and Electrical Engineering 47, pp. 275–285, October 2015, August.

[40] Vuorinen, J. & Tetri, P., Security as a machine: struggling between order and chaos. Pacific Asia Conference on Information Systems (PACIS) 2009 Proceedings, paper 113, 2009.

[41] Vuorinen, J. & Tetri, P., The order machine: the ontology of information security, Journal of the Association for Information Systems, 13(9), pp. 695–713, 2012.

[42] Deleuze, G. & Guattari, F., Anti-Oedipus, Capitalism and Schizophrenia vol. 1, Continuum: London, 2004.

[43] Imbusch, O., Langhammer, F. & von Walter G., Ercatons: thing-oriented programming. Presented at 5th Annual International Conference on Object-Oriented and Internet-Based Technologies, Concepts, and Applications for a Networked World, Net. ObjectDays 2004, Erfurt, Germany, pp. 27–30, September 2004. DOI:10.1007/978-3-540-30196-7_16

[44] Osgood, R., Hard Drive Rootkit Is Frighteningly Persistent. Hackaday Blog web site. 14 March 2017).