Towards a logical formalization of responsibility

Laurence Cholvy, Frederic Cuppens, Claire Saurel
ONERA-CERT, 2 Av. E. Belin, 31055 Toulouse Cedex, France
email: fcholvy,cuppens,[email protected]

Abstract

In this paper, we are interested in formally modeling the concept of responsibility. It appears that this concept is essential in order to reason in many norm-governed organizations. However, obtaining a formal representation of responsibility is quite complex because of the very different meanings this concept can take. Therefore, our first task will be to clarify and classify the various meanings. We then propose a logical framework and show how it enables us to model several aspects of responsibility. This framework combines a deontic logic with a logic of actions and it distinguishes between direct and indirect agencies. We finally present an example to illustrate how this framework enables us to analyze some subtleties of a specific situation.

Keywords: Representation of Legal Knowledge, Deontic Logic, Logic of Action.

1 Introduction

The concept of responsibility is central to all legal systems and other norm-governed organizations. Analyzing this concept is therefore fundamental if we aim at improving the behavior of these systems or organizations, for instance if we want to achieve appropriate balance of load for their components, or guarantee security and safety requirements. However, when we attempt to analyze responsibility, the first difficulty we are faced with is that this concept has several facets, each one corresponding to very different meanings. If we compare the definitions proposed by several French or English dictionaries, we can, roughly speaking, consider that responsibility can be divided into three different ideas:

• Definition 1: Something bad happened and you caused it or could have prevented it.

This first definition aims at identifying the entity which has caused bad things to occur (inquiry phase). This definition may apply to things or to persons. For instance, we may say that "lightning is responsible for the system's destruction" or "Smith is responsible for the document loss". However, in the remainder of this paper, we shall only consider situations in which responsibility applies to persons. Notice that you are responsible according to this first definition only if you have caused something bad (we shall call this state of affairs damage). It means that this definition only makes sense within norm-governed organizations which have defined what a damage is or is not. Notice also that you may be regarded as responsible according to this definition not only if you have directly caused damage but also if you could have prevented it (this corresponds to some kind of indirect responsibility). In the computer science field, we are especially interested in formalizing this definition to analyze some failure of security requirements. In this context, it is very important to have means which enable us to automatically detect system intrusion (which corresponds to a specific type of damage) and to determine who caused this damage. However, it turns out that the notion of cause is quite a complex notion which actually has different aspects (like the notion of responsibility). One objective of this paper is also to provide formal definitions for these different aspects of the notion of cause.

• Definition 2: obligation or moral duty to report or explain your actions or someone else's action to a given authority (answerability).

If you are responsible according to definition 2 for something bad that has happened, you will be blamed for it. Therefore, this definition aims at defining the person who has liability for a given damage and will have to make good for it (judgment phase). Notice that you may be responsible for a given damage in the sense of definition 2 but not definition 1, and vice versa. For instance: "Parents are responsible for the damage caused by their minor children". This means that, if a child is regarded as responsible according to definition 1, then his parents are generally considered legally responsible in the sense of definition 2. Definition 2 also implies that there exists some norm-governed organization which has not only defined what damage is (likewise definition 1) but also what sanction applies when such damage occurs. This corresponds to the definition of sets of laws or norms which enable a given damage to be judged once the causes of this damage have been identified according to definition 1. We have been interested in formalizing this second notion of responsibility to analyze regulations (especially security policies) defined to control interaction between users and some information systems. In this context, it is sometimes difficult to assume that a given security policy will never be violated. It is then important to analyze if the security policy has properly defined what sanctions apply when some violation occurs. For this purpose, a formal representation of definition 2 is relevant to precisely specify the part of the security policy which is related to sanctions.

• Definition 3: position, which enables you to make decisions in a given organization but implies that you must be prepared to justify your actions (accountability).

This third definition applies to any norm-governed organization where selected agents are assigned specific positions (associated with roles which enable them to conduct a given part of the business of that organization). For instance, a security agent is responsible for the security of the organization. This notion of responsibility completely depends on the position in the organization. It implicitly implies that the agent has been appointed to this position and is now empowered [JS95] to act according to this position.

This responsibility is generally related to a task. In other words, a task is the object of responsibility. A task is a state of affairs to achieve; for instance, the state of affairs in which the security of the organization is enforced. One's responsibility is to fulfill the task properly. A given task may be fulfilled directly or indirectly. For instance, the task of a security agent is indirect: this agent has to ensure that security is enforced (not directly by him, but more likely by guards who are under his authority). On the other hand, the task of the guards is generally direct: they cannot delegate their task. This distinction between direct and indirect fulfillment is not new; it was already mentioned in [SC96] and we completely agree that it is a central concept we have to model first in order to get a formal representation of definition 3.

This third type of responsibility also implies that there usually exists one or several agents to which one is responsible. This means that one must be prepared to report to them about what has been done, especially when the task is not properly fulfilled. In this latter case, it is the role of definition 1 to identify what are the real causes of this failure and then definition 2 to conclude about who is to be blamed.

This last concept of responsibility is very important to analyze the "consistency" of a given organization. It enables us to identify agents who are overloaded with responsibilities. In this case, the problem would be to compare the real capabilities of an agent with his responsibilities. By contrast, it would be interesting to identify agents who are insufficiently responsible, that is to analyze agents' autonomy in the organization. Having a formal representation of definition 3 would also enable us to analyze the "relevance" of the organization; in this case, the problem would be to check whether each task to be fulfilled by the organization is assigned to an agent who is held responsible for it. Of course, we do not pretend that we solve all these problems in this paper but only suggest that a formal representation of definition 3 is a first step in this direction.

The remainder of this paper is organized as follows. We first propose a short example we shall use to illustrate our approach. We then present our logical framework to model the various definitions of responsibility. For this purpose, we need to represent deontic notions of obligation, permission and prohibition. However, it falls outside the scope of this paper to discuss which kind of deontic operator suits our purposes; therefore, even though we are aware of some of its paradoxes, we shall use Standard Deontic Logic which has the advantage of proposing the simplest semantics. We also take our inspiration from the work of Kanger, Pörn and Lindahl [Kan72, Por77, Lin77] and introduce a modal operator $E_i$ where expressions of the form $E_i p$ are to be read "the agent $i$ brings it about that $p$". We then follow [SC96] in considering that $E_i$ corresponds to a direct agency concept and that we need another operator to model indirect agency. For this purpose, we shall define (as [SC96]) a modal operator $G_i$ where expressions of the form $G_i p$ are to be read "agent $i$ ensures that $p$". We shall finally include in our model a representation of the concept of damage. Section 4 then shows how to use this model to represent the different definitions of responsibility, by including several sub-cases for each definition. Section 5 is a comparison with several related works, especially [SC96], and section 6 concludes this paper.

Before starting the bulk of this paper, we stress the following: the various meanings of the word "responsibility" can slightly differ from one country to another. So, the reader must be advised that most of the development proposed in this paper is based on the French interpretation of responsibility. However, we guess that most of the ideas of this paper should also apply to any other countries.

2 A short example

Throughout the remainder of this paper we shall illustrate the various definitions of responsibility by using the following example. Mr. Lawrence, an honest man, is the department head of a big company, which is managed by Mr. Boss. Mr. Lawrence's department has to deal with "sensitive" documents, that is documents which contain some secret information. As head of this department, it is included in Mr. Lawrence's task to ensure that this sensitive information will not be disclosed out of his department. Mr. Lawrence lent a sensitive working document (Doc) to one of his employees, Fred. The company's regulation says that Mr. Lawrence is authorized to lend documents to his employees. Mr. Lawrence has simply to ensure that Fred signs a registration book, which he did. By doing so, Fred recognized to be in possession of this document. As an employee of this department, and according to his contract, Fred must take necessary measures to protect sensitive documents he holds. Fred put the document in a drawer of his desk. Fred never locks his drawer, whereas the regulation says that the holder of sensitive documents has to use means to prevent its disclosure. Two days later, the document was missing. After a preliminary inquiry, it appears that a visitor, whose name is Lupin, stole it. Its track was given by Fred's office colleague, Clara, who saw Lupin at the door of Fred's office, but unfortunately did not prevent Lupin from stealing the document. During the inquiry, it also appears that Lupin actually worked for a foreign spy whose name is Mr. Vladimir. What about responsibility in this story?

3 A Logical Framework

3.1 Obligation/Prohibition

It should be clear that the responsibility concepts (especially the ones corresponding to definitions 2 and 3 informally presented in the introduction) are closely related to the deontic notions of obligation and prohibition. Therefore, we need to have some representation of these deontic concepts in our logic. For this purpose, we consider three modal operators $O$, $P$ and $F$ where expressions of the form $Op$, $Pp$ and $Fp$ are respectively to be read "it is obligatory that $p$", "it is permitted that $p$" and "it is forbidden that $p$". The semantics of modality $O$ is defined by using an accessibility relation $R_O$ and we define satisfaction for this modality at a world $w$ of a structure $M$ as follows:

• $(M, w) \models Op$ iff $\forall w',\ w R_O w' \Longrightarrow (M, w') \models p$

We assume that $R_O$ is serial, that is $\forall w\, \exists w',\ w R_O w'$.

Hence, we precisely obtain the so-called Standard Deontic Logic having the following axioms:

1. $Op \wedge O(p \rightarrow q) \rightarrow Oq$
2. $\neg(Op \wedge O\neg p)$

with the following inference rule:

1. If $\vdash p$ then $\vdash Op$

Finally, permission is defined as the dual of obligation, i.e. $Pp \stackrel{def}{=} \neg O \neg p$, and prohibition as the negation of permission, i.e. $Fp \stackrel{def}{=} \neg Pp$.

3.2 Bring it about

Following Kanger, Pörn and Lindahl, we consider a modal operator $E_i$ where expressions of the form $E_i p$ are read "agent $i$ brings it about that $p$". For instance, in the example of section 2, we can consider that Lupin brings it about that the document Doc is stolen. As suggested by [JS95], we shall actually employ this action modality $E_i$ both for expressing that agent $i$ creates/establishes states of affairs (for example, a document is stolen) and for expressing that $i$ performs designated acts (for example, Lawrence lends a sensitive document to Fred).

We first recall the logical development of modal operator $E_i$ due to Pörn. His basic suggestion is to define it by combining two normal operators $D_i$ and $D'_i$ to create a non-normal one. Pörn gives the following intuitive interpretation for $D_i p$: "It is necessary for something the agent A does that p". And for $D'_i p$: "But for A's action, it would have been the case that p". He also gives the following reading for the duals of these two operators:

• $C_i p \stackrel{def}{=} \neg D_i \neg p$: "It is compatible with everything the agent i does that p".
• $C'_i p \stackrel{def}{=} \neg D'_i \neg p$: "But for A's action, it might have been the case that p".

The semantics of modalities $D_i$ and $D'_i$ is defined by using standard models through two accessibility relations $R_{D_i}$ (reflexive and transitive) and $R_{D'_i}$ (serial and irreflexive). Then, we define satisfaction for the modalities $D_i$ and $D'_i$ at a world $w$ of a structure $M$ as follows:

• $(M, w) \models D_i p$ iff $\forall w',\ w R_{D_i} w' \Longrightarrow (M, w') \models p$
• $(M, w) \models D'_i p$ iff $\forall w',\ w R_{D'_i} w' \Longrightarrow (M, w') \models p$

Intuitively, a world $w'$ such that $w R_{D_i} w'$ is a world in which the agent $i$ does as much as he does in $w$; a world $w'$ such that $w R_{D'_i} w'$ is a world in which A does not do any of the things he does in $w$. Using this apparatus, Pörn proposes to define $E_i$ by combining the modalities $D_i$ and $D'_i$ as follows:

• $E_i p \stackrel{def}{=} D_i p \wedge \neg D'_i p$

that is, $i$ brings it about that $p$ if and only if (a) it is necessary for something the agent A does that $p$ and (b) if A did not do any of the things he actually does, it might have not been the case that $p$. With this definition for the bring it about operator, we get the following properties:

• $E_i p \rightarrow p$ (the action operator $E_i$ is a success operator)
• $E_i p \wedge E_i q \rightarrow E_i (p \wedge q)$ (but the converse is not true)
• If $\vdash p \leftrightarrow q$ then $\vdash E_i p \leftrightarrow E_i q$
• If $\vdash p$ then $\vdash \neg E_i p$ (an agent cannot bring it about that a tautology is the case).

We will only give this brief indication of Pörn's logic of action. For a more detailed presentation, we refer to [Por77] and for an extended discussion to [Elg92].^1

3.3 Indirect action

Following the proposal of [SC96], we shall consider that the modal operator $E_i$ corresponds to a "direct" action concept. Thus, to represent "indirect" action, we shall define a second modal operator $G_i$ where expressions of the form $G_i p$ are to be read "the agent $i$ ensures that $p$". For instance, in the example of section 2, we cannot consider that Mr. Vladimir brings it about that the document Doc is stolen since he does not directly perform the action of stealing this document. However, since Lupin works for Mr. Vladimir, we shall consider that Mr. Vladimir indirectly steals the document, that is Mr. Vladimir ensures that the document is stolen. As we shall see in the following, the modal operator $G_i$ is central to model several aspects of responsibility. The definition we propose for this modal operator $G_i$ is slightly different from the one proposed by Santos and Carmo in [SC96]. Let us consider an organization which is composed of a finite set of agents.

Definition. Let $i$ be a member of the organization and let $p$ be a formula, the modal operator $G_i$ is recursively defined as follows:

$$G_i p \stackrel{def}{=} E_i p \vee (\exists j_1 \ldots \exists j_k,\ E_i O G_{j_1} p \wedge \ldots \wedge E_{j_{(k-1)}} O G_{j_k} p \wedge E_{j_k} p)$$

that is $i$ ensures that $p$ if and only if:

• Either $i$ itself brings it about that $p$ is the case.
• Or there is an "influence channel" between $i$ and a final agent $j_k$ such that agent $j_k$ brings it about that $p$ is the case and each intermediate agent in the channel brings it about that the next agent in the channel is obliged to ensure that $p$ is the case.

As noticed in [SC96], expressions of the form $E_i O G_j p$ may be viewed as some form of influence exercised by $i$ upon $j$. Of course, one may argue that there are other forms of exercising influence; however, in this paper, we are precisely interested in the institutionalized forms of influence which correspond within norm-governed organizations to the attribution of obligation. [SC96] also noticed the following problem: "it can happen that agent i had influenced agent j to ensure A and agent j has ensured A but not because of i's influence, instead because of a third agent k's influence. Should we conclude in this situation that i ensured that A is the case?"^2. [SC96] proposed the following answer (that we shall accept in the following): "within norm-governed organizations, it is usually accepted that whenever agent i has influenced agent j (using his official power of influence) to ensure A and agent j has ensured A, then for the organization this counts as agent i's ensuring A"^3.

We can easily check that the modality $G_i$ has the following properties:

• $G_i p \rightarrow p$ (action operator $G_i$, likewise $E_i$, is a success operator)
• If $\vdash p \leftrightarrow q$ then $\vdash G_i p \leftrightarrow G_i q$
• If $\vdash p$ then $\vdash \neg G_i p$ (an agent cannot ensure that a tautology is the case).
• $E_i p \rightarrow G_i p$ (bringing it about implies ensuring)
• $E_i O G_j p \wedge G_j p \rightarrow G_i p$ (influencing with success implies ensuring)

On the other hand, we do not get the following axiom schemata for $G$: $G_i p \wedge G_i q \rightarrow G_i (p \wedge q)$. This point will be further discussed in section 4.

^1 In particular, it is argued in [Elg92] that the counterfactual component $\neg D'_i p$ in Pörn's definition is too strong because it collapses two different notions of avoidability: "an agent cannot bring about that a tautology is the case" and "agent's activity is instrumental in the production of what he brought about". However, in spite of those criticisms, we consider that Pörn's theory of action is sufficient for the purpose of this paper.

3.4 Damage

We distinguish between the notion of prohibition and damage, which cannot be regarded as equivalent in practice. Damage is an injury which leads to some reparation which is proportional to the significance of the injury. This significance may be judged from a material point of view (for instance, by paying an amount of money for the damage) or a moral point of view (for instance, by serving a prison sentence) or a combination of both. In order to represent this notion of damage, we employ a modal operator $D$, where expressions of the form $Dp$ are to be read "it is prejudicial that $p$ is the case". This modal operator is defined as follows:

Definition. Let $p$ be a formula, then $Dp$ is defined as follows:

$$Dp \stackrel{def}{=} \Box(p \rightarrow O\,Rep)$$

where the modal operator $\Box$ stands for necessity and $Rep$ is a special proposition corresponding to a state of affairs in which some reparation occurs. The semantics of modality $\Box$ is defined by using an accessibility relation $R_\Box$ which is supposed to be reflexive. The above definition says that it is prejudicial that $p$ is the case if and only if it is necessary that if $p$ occurs then it is obligatory to repair for this damage.^4

^2 [SC96] mentions that this problem was first pointed out by Andrew Jones.
^3 See [JS95] and section 4 of this paper for further discussions on the notion of count as.

4 Formalization of definitions for responsibility

4.1 First definition

The first definition of responsibility informally says:

Definition 1: to be the cause of a damage.

As was mentioned before, the concept of cause may have several different meanings. This is the reason why we cannot give a single representation of definition 1, but instead we propose five different formal representations for this kind of responsibility. Let $a$ be an agent, and $p$ a damage.

4.1.1 Direct responsibility

Here, $a$ is considered responsible because $a$ directly caused a given damage.

Definition 1.1

$$R^{1.1}_a p \stackrel{def}{=} E_a p$$

where $Dp$ is assumed to be true.

That is: let $p$ be a damage, then $a$ is responsible for $p$ iff $a$ brings about that $p$.

Example. It is assumed that stealing a sensitive document is considered damaging for the company. Therefore, since Lupin stole a sensitive document, Lupin is responsible for the theft: $R^{1.1}_{Lupin} Steal(Doc)$ is true.

^4 Notice some analogy between this definition of damage and Anderson's suggestion [And66] to reduce obligation to alethic logic: $Op \stackrel{def}{=} \Box(p \rightarrow V)$ where $V$ denotes a state in which a violation occurs. However, we guess that Anderson misses the point that a norm is clearly different from its enforcement. As Pörn noticed [Por77], "not every norm that is in force in the sense explained, is enforced on every occasion of its violation, and conversely, that which is enforced is usually, but not always, a norm in force". By contrast, a damage is a practical state of affairs whose occurrence is regarded as prejudicial. In this sense, it is inseparable from the obligation to repair.

4.1.2 Responsibility by "equivalence of causes"

When a damage occurs, the theory by "equivalence of causes"^5 considers responsible all agents who have performed actions such that without their occurrences, there would not be this damage. We can split this theory into two sub-cases. In the first one, without the occurrences of these actions, it would necessarily be the case that this damage would not occur. In the second one, we can just say that the non-occurrence of the damage might be possible.

Definition 1.2

$$R^{1.2}_a p \stackrel{def}{=} p \wedge D'_a \neg p$$

where $Dp$ is assumed to be true.

That is: if $a$ did not do the things he actually did, then $p$ necessarily would not happen. Pörn ([Por77], p.16) already noticed that this definition may be regarded as a view to the ascription of responsibility.

Example. Let us consider that there is not any other robber but Lupin in Mr. Lawrence's department. If Fred had kept his document in a locked drawer or in a safe, then Lupin could not steal Fred's document. So $R^{1.2}_{Fred} Steal(Doc)$ is true. $R^{1.2}_{Lawrence} Steal(Doc)$ is also true because since Lawrence keeps all his documents in a safe, if he had not lent the document to Fred, the document would not have been stolen. Of course, if Lupin had not stolen the document, it would still be in Fred's drawer: therefore $R^{1.2}_{Lupin} Steal(Doc)$ is also true. By contrast, $R^{1.2}_{Clara} Steal(Doc)$ is false: she might indeed call Lupin, without necessarily preventing him from stealing the sensitive document.

Definition 1.3

$$R^{1.3}_a p \stackrel{def}{=} p \wedge \neg D'_a p$$

where $Dp$ is assumed to be true.

That is: if $a$ did not do the things he actually did, then $p$ might possibly not happen.

Example. Of course, both $R^{1.3}_{Fred} Steal(Doc)$ and $R^{1.3}_{Lupin} Steal(Doc)$ are still true. $R^{1.3}_{Lawrence} Steal(Doc)$ is also true because if he had not lent his document to Fred but kept it in his own locked safe, the document would not have disappeared. However, it may also be the case that, had Clara called Lupin when she saw him in front of Fred's office, Lupin would not have stolen the document: so, according to this definition, $R^{1.3}_{Clara} Steal(Doc)$ is true. This definition is weaker than the previous one; it may consider responsible someone who has not any "direct" connection with the damage. This may be viewed as a very weak notion of responsibility but it seems to apply to some specific situations, for example when you do not rescue your neighbour when he is in danger, whereas it appears that you could do.

^5 It is a French legal theory.
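The semantics of section 3.2 and definitions 1.1 to 1.3 can be evaluated mechanically on a finite model. The following Python code is an added example, not code from the paper: the four worlds, the accessibility relations for Lupin and Clara, and the tuple encoding of formulas are assumptions constructed for illustration.

```python
# Added example, not code from the paper. Formulas are nested tuples:
# ("atom", name), ("not", f), ("and", f, g), ("imp", f, g),
# ("D", agent, f) for D_i, ("D'", agent, f) for D'_i, ("E", agent, f) for E_i.

def check_frame(m):
    """Return violations of the frame conditions of section 3.2 (empty list = ok)."""
    errors = []
    for agent in m["r_d"]:
        d, dp = m["r_d"][agent], m["r_dprime"][agent]
        for w in m["worlds"]:
            if w not in d[w]:
                errors.append(f"R_D[{agent}] not reflexive at {w}")
            if any(not d[v] <= d[w] for v in d[w]):
                errors.append(f"R_D[{agent}] not transitive at {w}")
            if not dp[w]:
                errors.append(f"R_D'[{agent}] not serial at {w}")
            if w in dp[w]:
                errors.append(f"R_D'[{agent}] not irreflexive at {w}")
    return errors

def holds(m, w, f):
    """Satisfaction (M, w) |= f for the operators listed above."""
    op = f[0]
    if op == "atom":
        return f[1] in m["val"][w]
    if op == "not":
        return not holds(m, w, f[1])
    if op == "and":
        return holds(m, w, f[1]) and holds(m, w, f[2])
    if op == "imp":
        return (not holds(m, w, f[1])) or holds(m, w, f[2])
    if op == "D":    # true wherever the agent does as much as in w
        return all(holds(m, v, f[2]) for v in m["r_d"][f[1]][w])
    if op == "D'":   # true wherever the agent does none of what he does in w
        return all(holds(m, v, f[2]) for v in m["r_dprime"][f[1]][w])
    if op == "E":    # E_i p = D_i p and not D'_i p
        return holds(m, w, ("D", f[1], f[2])) and not holds(m, w, ("D'", f[1], f[2]))
    raise ValueError(f"unknown operator {op!r}")

# Definitions 1.1-1.3; the side condition that p is a damage is taken as given.
def r11(a, p): return ("E", a, p)
def r12(a, p): return ("and", p, ("D'", a, ("not", p)))
def r13(a, p): return ("and", p, ("not", ("D'", a, p)))

# Constructed worlds: what happened, Clara calls out and the theft is prevented,
# Clara calls out and Lupin steals anyway, Lupin does not act at all.
WORLDS = ["actual", "clara_stops", "clara_fails", "no_lupin"]
STEAL = ("atom", "Steal(Doc)")

def reflexive(extra):
    return {w: {w} | extra.get(w, set()) for w in WORLDS}

MODEL = {
    "worlds": WORLDS,
    "val": {"actual": {"Steal(Doc)"}, "clara_stops": set(),
            "clara_fails": {"Steal(Doc)"}, "no_lupin": set()},
    "r_d": {"Lupin": reflexive({"actual": {"clara_fails"}}),
            "Clara": reflexive({"actual": {"no_lupin"}})},
    "r_dprime": {
        "Lupin": {"actual": {"no_lupin"}, "clara_stops": {"no_lupin"},
                  "clara_fails": {"no_lupin"}, "no_lupin": {"actual"}},
        "Clara": {"actual": {"clara_stops", "clara_fails"}, "clara_stops": {"actual"},
                  "clara_fails": {"actual"}, "no_lupin": {"actual"}}},
}

def responsibility(m, w, agent, damage):
    defs = {"1.1": r11, "1.2": r12, "1.3": r13}
    return {name: holds(m, w, build(agent, damage)) for name, build in defs.items()}

def properties_hold(m, p):
    """Check in every world, for every agent, properties stated in the paper."""
    top = ("imp", p, p)  # a tautology
    checks = []
    for a in m["r_d"]:
        checks += [("imp", ("E", a, p), p),        # E_i is a success operator
                   ("not", ("E", a, top)),         # no agent brings about a tautology
                   ("imp", r11(a, p), r13(a, p)),  # 1.1 implies 1.3
                   ("imp", r12(a, p), r13(a, p))]  # 1.2 implies 1.3 (seriality)
    return all(holds(m, w, f) for w in m["worlds"] for f in checks)

if __name__ == "__main__":
    print("frame violations:", check_frame(MODEL))
    for agent in ("Lupin", "Clara"):
        print(agent, responsibility(MODEL, "actual", agent, STEAL))
    print("properties hold:", properties_hold(MODEL, STEAL))
```

In this constructed model Lupin satisfies all three definitions at the world `actual`, while Clara satisfies only definition 1.3, which matches the verdicts the examples above give for these two agents.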

4.1.3 Responsibility by "influence"

Here we try to capture another idea: perhaps $a$ did not cause the damage itself, but brought it about that another agent $b$ was obliged to cause it, that is, $a$ ensures the occurrence of a damage.

Definition 1.4

$$R^{1.4}_a p \stackrel{def}{=} G_a p$$

where $Dp$ is assumed to be true.

That is: $a$ is responsible by "influence" if and only if $a$ ensures that $p$ is the case.

Example. Fred is an honest employee and did not want the document to be stolen: $R^{1.4}_{Fred} Steal(Doc)$ is false. Of course, $R^{1.4}_{Lupin} Steal(Doc)$ is true because he did steal the document. But what about Mr. Vladimir (the spy of our story)? His task was to get the sensitive document and he fulfilled it by delegating to Lupin the task to steal this document. So Mr. Vladimir ensured that the document was stolen and according to the foregoing definition, he is responsible for the theft.

4.1.4 Responsibility for "fault"

The next definition is quite different from the previous ones. Here, let us assume that a given agent is responsible in the sense of definition 3. His task is to prevent some damage from occurring, and he is responsible to somebody (namely the agent who gave him his task) for the damage when he fails in his task.

Definition 1.5

$$R^{1.5}_a p \stackrel{def}{=} p \wedge \exists b,\ R^{3.x,b}_a \neg p$$

where $Dp$ is assumed to be true.

That is: let us assume that $p$ is a damage; then $a$ is responsible for "fault" if and only if $a$ is responsible to some agent $b$ in the sense of definition 3 for preventing the damage $p$ (denoted $R^{3.x,b}_a \neg p$)^6 and $p$ actually occurs.

Example. Due to the regulation which applies to their department and company, $R^{1.5}_{Fred} Steal(Doc)$ and $R^{1.5}_{Lawrence} Steal(Doc)$ are both true. By contrast, $R^{1.5}_{Lupin} Steal(Doc)$ is false: Lupin is only a visitor in Lawrence's department and has no position in this department. However, if Lupin had failed in stealing the document, then $R^{1.5}_{Lupin} \neg Steal(Doc)$ would be true because Lupin got the task from Mr. Vladimir to steal this document.

[Figure 1: Summary of definition 1 (diagram relating $R^{1.1}_a p$, $R^{1.2}_a p$, $R^{1.3}_a p$, $R^{1.4}_a p$, $R^{1.5}_a p$ and $R^{3.x}_a \neg p$)]

4.1.5 Summary

We can easily show the following properties between the five foregoing definitions (see figure 1):

• Since $E_a p \rightarrow p$, $R^{1.1}_a p \rightarrow R^{1.3}_a p$.
• Since $R_{D'_a}$ is serial, we have $D'_a \neg p \rightarrow \neg D'_a p$; so: $R^{1.2}_a p \rightarrow R^{1.3}_a p$.
• Since $E_a p \rightarrow G_a p$, $R^{1.1}_a p \rightarrow R^{1.4}_a p$.
• $R^{3.x}_a \neg p \wedge R^{1.y}_a p \rightarrow R^{1.5}_a p$ for any $y \in [1, 4]$, that is: if $a$ is responsible for ensuring $\neg p$ in the sense of definition 3, and if we can show that $a$ is responsible for $p$ in the sense of definitions 1.1 or, ..., or 1.4, then $a$ is also responsible in the sense of definition 1.5, i.e. responsible for fault.

4.2 Second definition

The first definition dealt with the inquiry phase; a damage occurred and the question to be answered is: who caused the damage? The second one deals with the judgment phase; a damage occurred and the question to be answered is: who has to make good for this damage? Here, our formalism aims at two purposes: first, to enable us to define rules for judging a given damage, second to enable us to reason with such rules, in order to be able to define the sanctions to apply to a given damage. We shall consider two cases: either the agent who has to make good for a damage is personally responsible for it (in the sense of definition 1), or he is not (for instance, parents are answerable for any damage their children may have caused). Here, we need to introduce a second parameter in our formalism: the agent to whom you are responsible for a given damage. For this purpose, we shall use the following expression $R^b_a p$ to be read "$a$ is responsible to $b$ for the occurrence of damage $p$". We also use another notation, $O^b_a$, with expressions of the form $O^b_a p$ to be read: the agent $b$ obliges the agent $a$ to perform $p$. This is defined as follows:

$$O^b_a p \stackrel{def}{=} E_b O E_a p$$

that is: $b$ brings it about that $a$ is obliged to perform $p$.

^6 We shall further refine definition 3 into two sub-cases denoted 3.1 and 3.2 so $R^{3.x,b}_a$ denotes any of these two definitions.

4.2.1 Responsibility for personal agency

This is the case when the agent who has to make good for a damage is responsible (in the sense of definition 1) for it.

Definition 2.1

$$R^{2.1,b}_a p \stackrel{def}{=} R^{1.x}_a p$$

where $\Box(R^{1.x}_a p \rightarrow O^b_a Rep)$ is assumed to be true.

Here, $R^{1.x}_a p$ denotes any definition in the sense of definition 1, and $\Box(R^{1.x}_a p \rightarrow O^b_a Rep)$ represents the law, or the regulation which applies to judging the damage. Of course, this representation is oversimplified and ought to be refined in order to represent some other complex concepts, such as premeditation. Our formalism does not enable us to express such a complex concept and this certainly represents further interesting work that remains to be done.

Example. $R^{2.1,Boss}_{Fred} Steal(Doc)$ is true: for instance, according to his hiring contract, Fred's salary will not be augmented for 5 years since he did not prevent sensitive information from being disclosed. For the same reasons, $R^{2.1,Boss}_{Lawrence} Steal(Doc)$ is also true. As a visitor of the company, $R^{2.1,Boss}_{Lupin} Steal(Doc)$ is not true, but as a thief of sensitive information $R^{2.1,Judge}_{Lupin} Steal(Doc)$ will be true: Lupin will be judged and, for example, will have to serve a prison sentence.

4.2.2 Responsibility for others' agency

This kind of responsibility corresponds to the case where the agent who is to be blamed for a given damage differs from the agent who is responsible for this damage in the sense of definition 1, namely the agent who caused the damage.

Definition 2.2

$$R^{2.2,b}_a p \stackrel{def}{=} R^{1.x}_c p$$

where $\Box(R^{1.x}_c p \rightarrow O^b_a Rep)$ is assumed to be true, where $a \neq c$ and $R^{2.2,b}_a p$ means that the agent $a$ is responsible to $b$ for a damage $p$ caused by some other agent $c$. In other words,

• Suppose that according to a given law or regulation, if $c$ is responsible for a damage $p$ in the sense of definition 1, then $b$ obliges $a$ to make good for it (for instance $b$ may be a judge).
• Then $a$ will be considered responsible to $b$ (for others' agency) for $p$ if and only if some other agent $c$ is responsible for $p$ in the sense of definition 1.

Example. Let Bill be the security agent in Mr. Boss's company. Since Bill's job is to ensure that every employee applies all security protection measures, then $R^{2.2,Boss}_{Bill} Steal(Doc)$ is true.

4.3 Third definition

This definition applies to people who have a job or a position which gives them decision powers to perform a given task, but also the obligation to explain their actions to their superior. However, they may also have to give explanations to a judge: if they fail in their task they may be regarded as responsible according to definition 2 and blamed by a judge who could oblige them to make reparation. We distinguish two cases, according to the possibility of delegating some parts of their task associated with their job or position.

4.3.1 Responsibility without delegation

Definition 3.1

$$R^{3.1,b}_a p \stackrel{def}{=} O^b_a p$$

where $D \neg p$ is assumed to be true.

That is: let us assume that it is prejudicial that $p$ does not occur; then $a$ is responsible to $b$ for $p$ if and only if $b$ brings it about that $a$ is itself obliged to perform $p$.

Example. $R^{3.1,Lawrence}_{Fred} \neg Loose(Doc)$ is true; according to his contract, Fred must not lose any sensitive documents: if he loses some, a disclosure may occur and have bad consequences for the overall company.

4.3.2 Responsibility with possibility of delegation

Definition 3.2

$$R^{3.2,b}_a p \stackrel{def}{=} E_b O G_a p$$

with $D \neg p$ being true.

This definition differs from definition 3.1 because here, $a$ is not obliged to perform $p$ directly: it may delegate the performance of $p$ to $c$ but, in this case, $c$ would get from $b$ the obligation to ensure that $p$ is performed. As noticed in [SD93], if $a$ delegates $p$ to $c$, a new responsibility relationship is created between $a$ and $c$: $c$ becomes responsible for $p$ to $a$. Note that a responsibility cannot be delegated: $a$ remains responsible for ensuring $p$ to $b$.

Example. $R^{3.2,Boss}_{Lawrence} \neg Loose(Doc)$ is true: Lawrence is responsible not to lose any sensitive documents; but he can delegate not-losing and protection obligations to his employees.

Finally, notice that: since $E_b O E_a p \rightarrow E_b O G_a p$, $R^{3.1,b}_a p \rightarrow R^{3.2,b}_a p$; that is if $b$ obliges $a$ to directly perform $p$, then $b$ obliges $a$ to ensure $p$.

5 Comparison with related work

Our work can be compared with two different related works. Santos and Carmo's general approach [SC96] is quite similar to ours. They propose formal logical definitions for concepts such as agency and insurance. On the other hand, Dobson's work [SD93, DS94] is more informal. They both aim at characterizing responsibility in organizations, and only consider the aspect of responsibility which corresponds to our definition 3.

In [SC96], the authors start with a discussion of modality $E_i$ and show that they need to introduce a new modal operator $G_i$ for modeling indirect action. Their interpretation of expressions of the form $G_i p$ is similar to ours; it means that "agent i ensures p". They also introduce another modality $I_{ij}$ where expressions of the form $I_{ij}\,p$ are to be read "i influences j to ensure p". In our model, we consider a special case of influence corresponding to the expression $E_i O G_j p$. In this sense, Santos and Carmo's model is more general but, as we noticed before, ours is sufficient to represent the form of influence by attribution of obligation (and responsibility). The semantics they propose for modalities $G_i$ leads to axioms quite similar to ours. However, they also have the following schema:

- $G_i p \wedge G_i q \to G_i (p \wedge q)$

We agree that it seems correct to accept this axiom. However, it also seems that a more general problem occurs. This problem, already mentioned in [SC96], is called task decomposition, that is the characterization of sub-tasks of a given task. For instance, let us consider a given task p which is "decomposed" into two sub-tasks $p_1$ and $p_2$ and consider the following state of affairs.

$E_a O G_b p_1 \wedge E_a O G_c p_2 \wedge G_b p_1 \wedge G_c p_2$

that is, a influences b and c to ensure $p_1$ and $p_2$ respectively, and b and c actually ensure $p_1$ and $p_2$ respectively. Therefore, from this situation we can derive that $G_a p_1$ and $G_a p_2$. It also seems correct to conclude that a ensured the global task p since he has successfully distributed sub-tasks $p_1$ and $p_2$. However, we cannot obtain this derivation in the model proposed in section 3. So what additional principle is required to obtain this derivation? The answer (already proposed in [SC96]) is to use a relativized conditional operator $\Rightarrow_o$ similar to the one proposed in [JS95], where $p \Rightarrow_o q$ is to be read "for the organization o, p counts as q". Using this new operator, we could modify our initial definition of modality G as follows:

$G_i p \stackrel{def}{=} E_i p \vee \exists j,\ (E_i O G_j p \wedge G_j p) \vee G_i p_1 \wedge G_i p_2 \wedge ((p_1 \wedge p_2) \Rightarrow_o p)$

that is, i ensures that p if and only if:

- Either i itself brings it about that p is the case.
- Or there is another agent j who brings it about that p is the case, and i brings it about that j is obliged to ensure that p is the case.
- Or i ensures $p_1$ and $p_2$ and, in the organization o, $p_1$ and $p_2$ count as p.
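The modified definition of G can be evaluated over a finite set of facts as a least fixpoint, which makes the task-decomposition argument checkable. The following Python code is an added example, not part of the original paper: the fact encoding (`direct`, `influences`, `counts_as`) is ours, the operators are treated as plain facts rather than given their modal semantics, and b and c are assumed to ensure their sub-tasks by direct action.

```python
def ensures(direct, influences, counts_as, agents):
    """Return every (agent, task) pair for which G_agent task holds.

    direct     -- set of (i, p): E_i p, i itself brings about p
    influences -- set of (i, j, p): E_i O G_j p, i obliges j to ensure p
    counts_as  -- dict p -> (p1, p2): (p1 ^ p2) =>_o p in organization o
    agents     -- agents to which the count-as disjunct is applied
    """
    g = set(direct)                      # first disjunct: E_i p
    changed = True
    while changed:                       # iterate to the least fixpoint
        changed = False
        for i, j, p in influences:       # second disjunct: E_i O G_j p ^ G_j p
            if i != j and (j, p) in g and (i, p) not in g:
                g.add((i, p))
                changed = True
        for p, (p1, p2) in counts_as.items():   # third disjunct
            for i in agents:
                if (i, p1) in g and (i, p2) in g and (i, p) not in g:
                    g.add((i, p))
                    changed = True
    return g


# Constructed facts for the task-decomposition scenario of section 5.
AGENTS = {"a", "b", "c"}
DIRECT = {("b", "p1"), ("c", "p2")}                 # assumption: E_b p1, E_c p2
INFLUENCES = {("a", "b", "p1"), ("a", "c", "p2")}   # E_a O G_b p1, E_a O G_c p2
COUNTS_AS = {"p": ("p1", "p2")}                     # (p1 ^ p2) =>_o p


def scenario(with_counts_as):
    """G facts for the scenario, with or without the count-as rule."""
    rules = COUNTS_AS if with_counts_as else {}
    return ensures(DIRECT, INFLUENCES, rules, AGENTS)


if __name__ == "__main__":
    for flag in (False, True):
        tasks = sorted(p for i, p in scenario(flag) if i == "a")
        print("count-as rule:", flag, "-> a ensures", tasks)
```

Without the count-as rule, a is found to ensure only the two sub-tasks; with it, a also ensures the global task p, while b and c do not.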

In particular, if we consider that ensuring p and ensuring q count as ensuring the more global action "$p \wedge q$", then we should get the schema $G_i p \wedge G_i q \to G_i (p \wedge q)$ from the foregoing definition.

We now turn to the approach proposed in [SD93, DS94]. It concerns the problem of defining requirements for a social-technical organization; in such an organization the computer system is regarded as a component among others. Dobson and Strens assume that when you specify a system, you have to take into consideration the whole context in which the system will be used, especially users and their organizational structure: hierarchical dependences, responsibilities, obligations, and so on. So modeling the concept of responsibility turns out to be quite useful, in order to get correct specifications for a system which forms an integral part of the organization. The main points are that responsibility relationships come from delegation of actions, and obligations are transferred between agents. Since responsibility is a relationship between two agents (a is responsible for an action A to the agent b), this responsibility cannot be delegated. However, an agent can transfer some of the obligations this agent has in order to fulfill its responsibility: if a transfers some of its obligations to b, then b becomes responsible to a for these obligations.

6 Conclusion

Our work contributes to the investigation of the concept of responsibility. It aims at providing models for organizations, and may also have several applications: for instance, in the computer science domain, to analyze system regulations according to a given organizational context, or security requirements. We first gave three rough and informal definitions for responsibility; then, starting from a few existing related works, we proposed formal representations, based on modal logic, for each of them. The definitions we finally produced capture subtleties you can find in French jurisprudence.

There are several possible directions for extending this work. Some of them consist in increasing the expressiveness of our language. First, we have to take into account temporal representation of actions (especially, our language ought to allow us to express differently occurrences of actions, and resulting state of actions). Second, including in our formalism a count-as operator (such as the one proposed in [JS95]) represents further work that remains to be done. The Hohfeldian framework suggested in [All96] also provides a good basis of investigation to enrich the expressive power of our language.

We are also investigating how to validate the definitions we propose in this paper. We can use them to model security policies or regulations, in order to verify their properties [CS96]. We can also integrate them in tools which aim at helping a database security administrator, especially for analyzing accountability, audit, or intrusion detection functions.

References

[All96] L. Allen. From the Fundamental Legal Conceptions of Hohfeld to Legal Relations: Refining the Enrichment of Solely Deontic Legal Relations. In M. Brown and J. Carmo, editors, Deontic Logic, Agency and Normative Systems, Workshops in Computing. Springer, 1996.

[And66] A. Anderson. The formal analysis of normative systems. In N. Rescher, editor, The Logic of Decision and Actions, Pittsburgh, 1966.

[CS96] F. Cuppens and C. Saurel. Specifying a Security Policy: A Case Study. In Proc. of the Computer Security Foundations Workshop, Kenmare, Co. Kerry, Ireland, 1996.

[DS94] J. Dobson and R. Strens. Organisational Requirements Definition for Information Technology Systems. In ICRE, 1994.

[Elg92] D. Elgesem. Action Theory and Modal Logic. PhD thesis, University of Oslo, Norway, 1992.

[JS95] A.J.I. Jones and M. Sergot. Institutionalized power: a formal characterisation. To be published in MEDLAR II special issue of Journal of IGPL, 1995.

[Kan72] S. Kanger. Law and Logic. Theoria, 38, 1972.

[Lin77] L. Lindahl. Position and Change - A Study in Law and Logic, volume 112 of Synthese Library. D. Reidel, Dordrecht, 1977.

[Por77] I. Pörn. Action Theory and Social Science; Some Formal Models, volume 120 of Synthese Library. D. Reidel, Dordrecht, 1977.

[SC96] F. Santos and J. Carmo. Indirect Action, Influence and Responsibility. In M. Brown and J. Carmo, editors, Deontic Logic, Agency and Normative Systems, Workshops in Computing. Springer, 1996.

[SD93] R. Strens and J. Dobson. How Responsibility Modelling Leads to Security Requirements. In New Security Paradigms Workshop, Little Compton, RI, 1993.
