Security policy reasoning with the automated transaction graph for financial crime

Fraudulent transactions fuel the criminal misuse of identity details and pose a serious threat to national security. This issue is heightened by the growing sophistication of business transactions using payment cards, causing its policing to be increasingly difficult. Both public and private sector organizations are required by law to comply with industry standards for information technology security and these standards normally mandate the creation of security policies and audit trails for these enterprises, especially from key systems holding sensitive information. Enterprise architects have traditionally defined security policy and relied upon technical controls to secure enterprise systems against cyber threats and misuse. However, within ever-more complex transactional information systems it is difficult to achieve compliance and analyze security policy rules without the ability to capture and model the complexity of security at a business level. Using a simple financial trading case study as an illustration, we propose a semantic approach to security policy reasoning using conceptual graphs. This approach provides ontology that enables enterprise architects to capture the semantics of fraudulent transactions through security policy rules.