Sengupta et al. present a formal approach to detecting what they call “managerial” vulnerabilities. The term refers to vulnerabilities in the top level of the hierarchical layers of a system architecture (that is, application vulnerabilities).
The proposed model may have some theoretical value, but it has no practical value. The authors make no attempt to relate their abstract model to the components of a real system. Their definition of objects is ad hoc; it does not correspond to object-oriented models or to any other type of application object. The authors’ model is decidable in linear time in the case of a single object or a single application requirement, but these are not realistic assumptions.
This paper is difficult to follow and provides no examples to illustrate the concepts. It could provide bounds for real systems; however, the paper does not consider this. Although it may be of interest to security theoreticians, it offers little to working professionals and practice-oriented researchers.