Faculty of Technology, Policy and Management

AgentSpring is a new agent-based modeling framework especially suited to model and simulate complex socio-technical systems, such as energy markets or transport infrastructures. Common problems encountered when modeling and analyzing such systems are how to represent the variety of facts that describe the system and how to allow agents to make decisions based on those loosely related pieces of information. AgentSpring proposes a solution to these problems by modeling the systems as graphs consisting of agents, artifacts and relations between them. A graph is one of the most flexible data structures, and is made of vertices and edges that connect them. Agents use sophisticated queries to reason over and traverse the graph data structure and make decisions based on the results they discover. They continuously update the graph to include the effects of the decisions they have made. AgentSpring represents the simulated system as a constantly evolving graph of interconnected facts that can transparently be observed and queried in real time by both agents in the model, and the modeler. In addition, AgentSpring allows for the composition of agent behavior modules, where sophisticated behavior can be produced by combining simpler decision making rules. The modeler can easily create a number of heterogeneous agents by combining these behavioral "lego" bricks. Finally, AgentSpring is open-source and is continuously developed based on the feature requests and contributions of the modeler community.

In order to support policy decisions, we have developed a modelling platform called AgentSpring, which facilitates the development of agent-based models in a modular and structured manner, using state-of-the-art IT development principles and tools. An attractive web-based interface allows for the interaction with policy makers. A model named d13n was developed on the topic of decarbonization of the power generation sector. For this model, relevant applications for policy makers-CO 2 reduction, cross-border effects of policies, security of supply-have been identified. Each of those questions can be tackled by developing specific scenarios within the same modelling platform and with the same model core.

We argue that this combination is especially useful for developing better understanding of our social and physical environment and its interaction with policy design and analysis. New technologies and methods in data management allow us to build better simulations by making use of real-world data. We create and use novel IT systems to bring together and mine relevant data. Patterns found in such observations are then used to create system abstractions -i.e. simplified and systematic perspectives or views on the system. The system abstractions are then incorporated into agent-based models that explore the dynamics in operation and long-term development. The socio-technical approach adds the social and institutional patterns to the technical view of the system examined. When trying to understand our infrastructures and industrial systems, human aspects cannot be ignored, nor be analyzed separately. The agent-based models allow us to explore the effects of policies on a highly interconnected system of systems. A hybrid approach results -data plus models. We use this approach to explore the new gas market balancing regime in the Netherlands. A second case study deals with a long-term development of the Dutch power market (extending the work of Chappin & Dijkema, 2010; Chappin et al., 2010). For both case studies models were developed using a new agent-based modeling platform AgentSpring 1 . The main feature of AgentSpring is its ability to handle large amounts of data. Models use a large number of data points as assumptions and input; models also produce a complex simulated world that consists out of hundreds of actors, thousands of things and millions of relations between them. AgentSpring incorporates new technologies that help mine the simulated world for patterns in the evolving system behavior. We conclude by arguing that the new combination adds expression to the modeling effort, allowing to encode the complexity inherent in the system. More importantly, we hope to make models more transparent, duplicable, communicable, and understandable to the decision maker. The more comprehensive understanding of the relationships and patterns in the system modeled is one of the ways to increase the maturity of policy analysis and design. Systems thinking and system dynamics ideas were first applied in military research, enabled by breakthroughs in computing and fueled by cold war concerns (MIT, 1953). Similarly, traditional SoSe research has its roots in defense related areas. Three out of six SoSe definitions have their origins in military research. While the systems dynamics deals with the relations between the objects within the system , SoSe goes further to understand and manage the relations between such systems. The primary goals of SoSe research have traditionally been overall SoS optimization, ensuring interoperability, reliability and minimizing human error in their functioning . Just as the pioneer of system dynamics Jay Forrester went on to apply his military systems research insights in economics , the SoS research is being transfered to and applied in social sciences. The SoSe practices and ideas are being extended into domains that deal with understanding and managing complex infrastructure: space exploration, transportation, energy and economics . While these

Open systems are characterized by heterogeneous participants which can enter or leave the system at will. Typical examples are e-commerce applications or information agent systems. Agents (e.g. personal assistants for buying things on the Internet) will only temporarily take up roles (e.g. a buyer in on-line auctions). This creates the need to define precisely what it means that an agent "takes up" a role and "enacts" it. In this paper we present ongoing research on the determination of the conditions under which an agent can enact a role and what it means for the agent to enact a role. We define possible relations between roles and agents and discuss architectural and functional changes that an agent must undergo when it enters an open agent system.

This paper provides a formal framework for the analysis of information hiding properties of anonymous communication protocols in terms of epistemic logic. The key ingredient is our notion of observational equivalence, which is based on the cryptographic structure of messages and relations between otherwise random looking messages. Two runs are considered observationally equivalent if a spy cannot discover any meaningful distinction between them. We illustrate our approach by proving sender anonymity and unlinkability for two anonymizing protocols, Onion Routing and Crowds. Moreover, we consider a version of Onion Routing in which we inject a subtle error and show how our framework is capable of capturing this flaw.

This paper presents a new approach for verifying confidentiality for programs, based on abstract interpretation. The framework is formally developed and proved correct in the theorem prover PVS. We use dynamic labeling functions to abstractly interpret a simple programming language via modification of security levels of variables. Our approach is sound and compositional and results in an algorithm for statically checking confidentiality.

Social aspects of security of information systems are often discussed in terms of "actual security" and "perceived security". This may lead to the hypothesis that e-voting is controversial because in paper voting, actual and perceived security coincide, whereas they do not in electronic systems. In this paper, we argue that the distinction between actual and perceived security is problematic from a philosophical perspective, and we develop an alternative approach, based on the notion of trust. We investigate the different meanings of this notion in computer science, and link these to the philosophical work of Luhmann, who distinguishes between familiarity, confidence and trust. This analysis yields several useful distinctions for discussing trust relations with respect to information technology. We apply our framework to electronic voting, and propose some hypotheses that can possibly explain the smooth introduction of electronic voting machines in the Netherlands in the early nineties. Poll, Sanne van der Ven and Martijn Warnier for useful comments on drafts of this paper, and Gerard Alberts for inspiring brainstorm sessions on the topic.

According to the Jericho forum, security in information technology can no longer be achieved by building a digital fence around the organisation. We investigate the consequences of this "de-perimeterisation" for software engineering ethics. "Being in control" is no longer feasible for certain types of risk, and therefore software engineering ethics cannot only be based on foreseeable consequences. Instead, ethics could be based on the precautionary principle, which states that lack of certainty shall not be used to postpone costeffective measures. We translate this principle from the domain of safety to the domain of security, in which we are interested in precaution with respect to people's actions rather than natural disasters. Following the example of Napster as well as recent results in philosophy of technology, we present a guideline for ethical software development, focused on inviting desirable use.

The security goals of an organization are realized through security policies, which concern physical security, digital security and security awareness. An insider is aware of these security policies, and might be able to thwart the security goals by combining physical, digital and social means. A systematic analysis of such attacks requires the whole environment where the insider operates to be formally represented. This paper presents Portunes, a framework which integrates all three security domains in a single environment. Portunes consists of a high-level abstraction model focusing on the relations between the three security domains and a lower abstraction level language able to represent the model and describe attacks which span the three security domains. Using the Portunes framework, we are able to represent a whole new family of attacks where the insider is not assumed to use purely digital actions to achieve a malicious goal.

In this paper, we discuss the implications for social inclusion of the advent of Internet voting. Although the issue of social exclusion or social inclusion with regard to technological developments in the voting process is often approached as a matter of either security or turnout, we will take a broader view. Using the philosophical concept of technological mediation, as developed by Don Ihde and Peter -Paul Verbeek, we claim that Internet voting may change our experience of democracy, and transfor m the way we act as citizens in the democratic system. We argue that the mediating role of voting technology requires reconstruction of concepts used in discussing democracy. Our approach of reconstruction departs from the political philosophy of John Dewey. Based on his work, we can describe the political process in a democracy in terms of intellectual reconstr uction and institutional reconstruction. Combining the concept of technological mediation and Dewey's political philosophy, we use the mediating role of online voting technology as input to the intellectual reconstruction of the discussion on voting and democracy. Based on the development s in the Netherlands, we present some challenges that the mediating role of online voting technology offers to existing concepts in democracy, and evaluate the benefits for social inclusion of reconstructing these concepts with respect to the new possibilities. {1927}.

Formal methods have provided us with tools to check both anonymity of protocols and -more specifically -receipt-freeness of voting protocols. One of the frameworks used for proving anonymity is epistemic logic. However, to the best of our knowledge, epistemic logic has never been used to prove receipt-freeness of voting protocols. Still, the concept of indistinguishability used in formalizing anonymity seems to apply to receipt-freeness as well: a vote for one party should be indistinguishable from a vote for another party, even if the voter supplies additional information outside the scope of the protocol. In this paper, we formalize this aspect of anonymity relations, in order to provide an alternative formalization of receipt-freeness in voting protocols, based on epistemic logic.

A qualitative case study of the e-voting discourses in the UK and the Netherlands was performed based on the theory of strategic niche management . In both countries, eight e-voting experts were interviewed on their expectations, risk estimations, cooperation and learning experiences. The results show that differences in these variables can partly explain the variations in the embedding of e-voting in the two countries, from a qualitative point of view.

In this paper, we analyse the concept of vote buying based on examples that try to stretch the meaning of the concept. Which examples can still be called vote buying, and which cannot? We propose several dimensions that are relevant to qualifying an action as vote buying or not. As a means of protection against vote buying and coercion, the concept of receipt-freeness has been proposed. We argue that, in order to protect against a larger set of vote buying activities, the concept of receipt-freeness should be interpreted probabilistically. We propose a general definition of probabilistic receipt-freeness by adapting existing definitions of probabilistic anonymity to voting.

This paper discusses how electronic voting was implemented in practice in the Netherlands, which choices were made and how electronic voting was finally abolished. This history is presented in the context of the requirements of the election process, as well as the technical options that are available to increase the reliability and security of electronic voting.

Location-based access control (LBAC) has been suggested as a means to improve IT security. By 'grounding' users and systems to a particular location, attackers supposedly have more difficulty in compromising a system. However, the motivation behind LBAC and its potential benefits have not been investigated thoroughly. To this end, we perform a structured literature review, and examine the goals that LBAC can potentially fulfill, the specific LBAC systems that realize these goals and the context on which LBAC depends. Our paper has four main contributions: first we propose a theoretical framework for LBAC evaluation, based on goals, systems and context. Second, we formulate and apply criteria for evaluating the usefulness of an LBAC system. Third, we identify four usage scenarios for LBAC: open areas and systems, hospitals, enterprises, and finally data centers and military facilities. Fourth, we propose directions for future research: (i) assessing the tradeoffs between location-based, physical and logical access control, (ii) improving the transparency of LBAC decision making, and (iii) formulating design criteria for facilities and working environments for optimal LBAC usage.