Protecting physical data, networks, and systems has become difficult, increasingly costly, and tougher to manage as technology and environments become more complex and dynamic. This paper presents a theoretical foundation for physical information technology (IT) security by developing a logical description based on a flow-based model. Within this model, a security machine is defined as a sequence of stages in which flow is identified and blocked in a multilevel blockage machine. The main focuses of the paper are the importance of having appropriate physical security in place, discussed with so-called onion/garlic models, and the notion of physical containment. The proposed representation is applied to an actual security plan for an IT department of a government ministry. The results suggest a viable approach to designing physical security strategies.
Keywords: conceptual model, diagrammatic representation, physical access control, physical security, systems modeling language.
S. Al-Fedaghi & O. Alsumait, Int. J. of Safety and Security Eng., Vol. 9, No. 2 (2019)
Figure 20: Attack graph of the second stage of analysis in the example (partial and modified, redrawn from Pieters).
 Ferraiolo, K., The systems security engineering capability maturity model (SSECMM). Proceedings of the International Systems Security Engineering Association, 2000. http://csrc.nist.gov/nissc/2000/proceedings/papers/916slide.pdf (accessed 15 February 2017).
 Shirey, R., Internet Security Glossary, Version 2. Internet Engineering Task Force (IETF), RFC 4949, 2007.
 Krutz, R.L. & Vines, R.D., The CISM Prep Guide: Mastering the Five Domains of Information Security Management, John Wiley & Sons, 2003.
 Gregg, M., Hack the Stack: Layer 1: The Physical Layer, Hack the Stack: Using Snort and Ethereal to Master the 8 Layers of an Insecure Network, Syngress Publishing, 2006.
 National Computer Security Center (NCSC). US glossary of computer security terms, NCSC-TG-004, version 1. NIST computer security resource center. http://csrc.nist.gov/publications/secpubs/rainbow/tg004.txt (accessed 14 September 2017).
 Niles, S., Physical Security In Mission Critical Facilities, Schneider Electric White Paper 82, Revision 2, American Power Conversion, 2004. http://apcmedia.com/salestools/SADE-5TNRPL/SADE-5TNRPL_R2_EN.pdf
 St Sauver, J., Physical Security of Advanced Network and Systems Infrastructure, Presented at Spring 2011 Internet 2 Members Meeting, Arlington, Virginia, April 19, 2011.
 St Sauver, J., Physical Security: A Crucial (But Often Neglected) Part of Cybersecurity, SlidePlayer.com, 2017 (accessed 11 April 2017).
 Hutter, D., Physical Security and Why It Is Important, SANS Institute. https://www.sans.org/reading-room/whitepapers/physical/physical-security-important-37120 (accessed 5 March 2017).
 Harris, S., Physical and environmental security, CISSP Exam Guide, 6th ed., USA McGraw-Hill, pp. 427–502, 2013.
 Oriyano, S., Physical security. CEHV8: Certified Ethical Hacker Version 8 Study Guide. Wiley: Indianapolis, pp. 393–409, 2014.
 Scott, M., Coca-cola data breach highlights: importance of laptop security. ACFE Website, 2014, December 1. http://acfe.com/fraud-examiner.aspx?id=4294986501 (accessed 8 April 2017).
 Hunker, J. & Probst, C.W., Insiders and insider threats: an overview of definitions and mitigation techniques. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA), 2(1), pp. 4–27, March 2011.
 Homeland Security Research Corporation, China, UAE, Kuwait and Saudi Arabia are fastest growing homeland security markets. Homeland Security Research Corporation Website, January 30, 2014. http://homelandsecurityresearch.com/blog/category/cctv/ (accessed 21 March 2017).
 Federal Information Security Management Act (FISMA), PE1-PE19, Appendix F, NIST Special Publication 800-53 Rev 3, n.d.
 Huang, J., Brief Tour about Android Security, December 7, 2012 [slides].
 Schiavone, S., Garg, L. & Summers, K., Ontology of information security in enterprises. Electronic Journal of Information Systems Evaluation, 17(1), pp. 71–87, 2014.
 Senstar Cyber. Threats in physical security: understanding and mitigating the risk. senstarcyber.com (accessed 11 February 2017).
 Dictionary.com. http://dictionary.com/browse/process?s=t (accessed 11 February 2017).
 franklin-witter, If security is a process, why don’t we manage it like one? Thought Leadership Website. https://symantec.com/connect/blogs/if-security-process-whydont-we-manage-it-one (accessed 10 March 2017).
 Al-Fedaghi, S. & Moein, S., Modeling attacks. International Journal of Safety and Security Engineering, 4(2), 2014.
 Al-Fedaghi S., New conceptual representation of collision attack in wireless sensor networks. International Journal of Safety and Security Engineering, 3(4), 2013.
 Al-Fedaghi S. & AlMeshari, H., Social networks in which users are not small circles. Informing Science, 18, pp. 205–24, 2015.
 Al-Fedaghi, S., Conceptualization of various and conflicting notions of information. Informing Science, 17, pp. 295–308, 2014.
 Al-Fedaghi, S. Alsaqa, A., & Fadel, Z., Conceptual model for communication. International Journal of Computer Science and Information Security, 6(2), 2009.
 Al-Fedaghi, S., Software requirements as narratives. Third International Conference on Information, Process, and Knowledge Management, Gosier, Guadeloupe, February 2011.
 Al-Fedaghi S. & Mahdi, F., Events classification in log audit. International Journal of Network Security & Its Applications, 2(2), 2010.
 Al-Fedaghi, S., Flow-based description of conceptual and design levels. IEEE International Conference on Computer Engineering and Technology 2009, Singapore, January 2009.
 Simon, H. A., The Sciences of the Artificial, MIT Press: Cambridge, 1996.
 Pieters, W., Representing humans in system security models: an actor-network approach. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA), 2(1), pp. 75–92, 2011.
 Bishop, M., Coles-Kemp, L., Gollmann, D., Hunker, J. & Probst, C., 10341 report – insider threats: strategies for prevention, mitigation, and response. Insider Threats: Strategies for Prevention, Mitigation, and Response, Dagstuhl Seminar Proceedings, no. 10341, 2010.
 Mobbs, P., Introducing information security. A series of briefings on information security and on-line safety for civil society organisations, http://fraw.org.uk/mei/archive/handouts/apc-pws/pws-01.html, 2002 (accessed 10 March 2017).
 Forcht, K.A. & Kruck, S.E., Physical security models, philosophies, and context. Journal of Information Management, 10(2), article 9, 2001.
 Robbins, P., CISSP & physical and environmental security & information security. Presentation at ISA 400 Management, Information Security & Assurance Program University of Hawai’i West Oahu, 2015, January 17.
 Philpott, D. & Einstein, S., The Integrated Physical Security Handbook. The Counter Terrorist Magazine web site, http://thecounterterroristmag.com/pdf/IntegratedPhysicalSecurityHandbook.pdf (accessed 2 April 2017).
 Woodbury, C., Security blueprint [Online]. IBM Systems website, http://ibmsystemsmag.com/aix/administrator/security/Security-Blueprint/ (accessed 1 April 2017).
 Edraw M., Warehouse Security and Access Plan Template [software], 2004–2017.
 Lincke, S.J., Physical & Personnel Security, CISA Review Manual 2009, PhD thesis, Univ. of Wisconsin, USA.
 Marrone, S., Rodríguez, R.J., Nardone, R., Flammini, F. & Vittorini, V., On synergies of cyber and physical security modelling in vulnerability assessment of railway systems. Computers and Electrical Engineering 47, pp. 275–285, October 2015, August. https://doi.org/10.1016/j.compeleceng.2015.07.011
 Vuorinen, J. & Tetri, P., Security as a machine: struggling between order and chaos. Pacific Asia Conference on Information Systems (PACIS) 2009 Proceedings, paper 113, 2009. http://aisel.aisnet.org/pacis2009/113
 Vuorinen, J. & Tetri, P., The order machine: the ontology of information security, Journal of the Association for Information Systems, 13(9), pp. 695–713, 2012.
 Deleuze, G. & Guattari, F., Anti-Oedipus, Capitalism and Schizophrenia vol. 1, Continuum: London, 2004.
 Imbusch, O., Langhammer, F. & von Walter G., Ercatons: thing-oriented programming. Presented at 5th Annual International Conference on Object-Oriented and Internet-Based Technologies, Concepts, and Applications for a Networked World, Net.ObjectDays 2004, Erfurt, Germany, pp. 27–30, September 2004. DOI:10.1007/978-3-540-30196-7_16
 Osgood, R., Hard Drive Rootkit Is Frighteningly Persistent. Hackaday Blog web site. http://hackaday.com/2015/06/08/hard-drive-rootkit-is-frighteningly-persistent/ (accessed 14 March 2017).