a b s t r a c t This article introduces what we call procedural security analysis, an approach that allows for a systematic security assessment of (business) processes. The approach is based on explicit reasoning on asset flows and is implemented by building formal models to describe the nominal procedures under analysis, by injecting possible threat-actions of such models, and by assuming that any combination of threats can be possible in all steps into such models. We use the NuSMV input language to encode the asset flows, which are amenable for formal analysis. This allows us to understand how the switch to a new technological solution changes the requirements of an organization, with the ultimate goal of defining the new processes that ensure a sufficient level of security. We have applied the technique to a real-world electronic voting system named ProVotE to analyze the procedures used during and after elections. Such analyses are essential to identify the limits of the current procedures (i.e., conditions under which attacks are undetectable) and to identify the hypotheses that can guarantee reasonably secure electronic elections. Additionally, the results of the analyses can be a step forward to devise a set of requirements, to be applied both at the organizational level and on the (software) systems to make them more secure.

Any practitioner working on electronic voting (e-voting) seems to have different opinions on the main issues that seem to affect the area. On the one hand– given the criticality and the risk e-voting systems potentially pose to the democratic process–e-voting systems are permanently under a magnifying glass that amplifies any glitch, be it significant or not. On the other hand, given the interest e-voting raises within the general public, there seems to be a tendency to generalize and oversimplify. This tendency leads to attributing specific problems to all systems, regardless of context, situation, and actual systems used. Additionally, scarce know-how about the electoral context often contributes to make matters even more confused. This is not to say all e-voting systems show the security and reliability characteristics that are necessary for a system of such a criticality. On the contrary, a lot of work still has to be done. Starting from previous experiences and from a large-scale experiment we conducted in Italy, this paper provides some direction, issues, and trends in e-voting. Getting a clearer view of the research activities in the area, highlighting both positive and negative results, and emphasizing some trends could help, in our opinion, to draw a neater line between opinion and facts, and contribute to the construction of a next generation of e-voting machines to be safely and more confidently employed for elections.