Formal methods for the informal world

Customers deploy secure systems as components of their own operations in order to achieve security objectives for those operations. Formal methods provide the same kinds of benefits when applied to such "operational" objectives as they do when applied to properties of a system in isolation. We formalize the analysis of one such example objective in the Z language. Applying formal methods in this way requires that we apply them not only to systems, but also to the worlds within which these systems exist. A rich new set of issues and insights appears at the juncture of a system and its environment, and where a formal language meets the informal world.
