Voting systems function to capture voter intent and anonymously convert that intent into tallied votes. Accuracy and secret ballots are fundamental to democracy. However, ensuring the accuracy of a tally and the anonymity of a voter is extremely difficult in electronic voting systems because the processes occur through a complex interaction of software, hardware, networks, people, policies and legislation (Jones, 2005; Kohno, Stubblefield, Rubin, & Wallach, 2004; Weldemariam, 2009; Yasinsac & Bishop, 2008).
The voting system literature is replete with examples of attacks on electronic voting systems (Calandrino et al., 2007; Dill, Mercuri, Neumann, & Wallach, 2008; Epstein, 2007; Feldman, Halderman, & Felten, 2006; Fischer, 2003; Frisina, Herron, Honaker, & Lewis, 2008; Gardner et al., 2007; Hasen, 2000; Hursti, 2006; Kohno, Stubblefield, Rubin, & Wallach, 2004; NIST, 2005; Norden, 2008; Ohio Secretary of State, 2003; Yasinsac et al., 2007).
A pivotal aspect of ensuring integrity of elections conducted on DREs is that, because there is no physical record of each voter’s selections, security is dependent on the DRE software. Software is inherently complex. Theory shows that it is impossible to prove non-trivial properties about arbitrary programs (Rice, 1953) and that, at best, testing “… can be a very effective way to show the presence of bugs, but is hopelessly inadequate for showing their absence” (Dijkstra, 1972).
As if that were not bad enough, it is also very difficult even to determine whether a computer is executing the intended software (Thompson, 1984). Thus, even if a DRE is properly built, configured, and operated, anyone with private access to the device may be able to install malicious software (i.e., malware) that can alter or control election results.
There are many approaches to securing electronic voting systems: due diligence, compliance, and business enablement (Parker, 2006). Another means of securing voting systems is to conduct a risk assessment. Risk assessment involves assigning a quantitative or qualitative value to the risk of a threat in a specific situation. Assigning a value to the risk of a threat allows the analyst to judiciously allocate relatively scarce resources, conduct sensitivity analysis, perform cost-benefit analyses, and compute residual risk. One approach to conducting risk assessment involves threat trees (Schneier, 1999; Pardue, Landry, & Yasinsac, 2009; Yasinsac & Pardue, 2010).
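To make the threat-tree approach concrete, the following added example (not taken from the cited papers) evaluates a small AND/OR tree for the private-access malware threat described above, then computes residual likelihood under a control and a simple sensitivity ranking. The tree shape, node names and all likelihood values are constructed for illustration, and the leaves are assumed to be statistically independent.

```python
from dataclasses import dataclass, field
from math import prod

@dataclass
class Node:
    name: str
    gate: str = "LEAF"      # "LEAF", "AND" (all children) or "OR" (any child)
    p: float = 0.0          # leaf likelihood estimate in [0, 1]
    children: list = field(default_factory=list)

def likelihood(node, overrides=None):
    """Likelihood that the node's threat is realised, assuming independent leaves."""
    overrides = overrides or {}
    if node.gate == "LEAF":
        p = overrides.get(node.name, node.p)
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{node.name}: likelihood {p} outside [0, 1]")
        return p
    if not node.children:
        raise ValueError(f"{node.name}: {node.gate} node has no children")
    ps = [likelihood(c, overrides) for c in node.children]
    if node.gate == "AND":
        return prod(ps)
    if node.gate == "OR":
        return 1.0 - prod(1.0 - p for p in ps)
    raise ValueError(f"{node.name}: unknown gate {node.gate!r}")

def leaves(node):
    """Names of all leaf threats under a node."""
    if node.gate == "LEAF":
        return [node.name]
    return [n for c in node.children for n in leaves(c)]

def sensitivity(root):
    """Rank leaves by the drop in root likelihood if that leaf were fully mitigated."""
    base = likelihood(root)
    drops = {n: base - likelihood(root, {n: 0.0}) for n in leaves(root)}
    return sorted(drops.items(), key=lambda kv: kv[1], reverse=True)

# Constructed tree and values, for illustration only (not measured data).
TREE = Node("malware alters tally", "AND", children=[
    Node("private access to device", "OR", children=[
        Node("access path A", p=0.10),
        Node("access path B", p=0.20)]),
    Node("install malware", p=0.50)])

if __name__ == "__main__":
    print("baseline likelihood:", round(likelihood(TREE), 4))
    print("residual with control on path B:",
          round(likelihood(TREE, {"access path B": 0.05}), 4))
    for name, drop in sensitivity(TREE):
        print(f"  fully mitigating {name!r} removes {drop:.4f}")
```

The sensitivity ranking shows where a scarce mitigation budget buys the largest reduction; multiplying each likelihood by an impact estimate turns the same tree into a quantitative risk figure.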