Abstract
We present a formal model of security monitoring that distinguishes two different methods of recording information (logging) and to different methods of analyzing information (auditing). From this model we draw implications for the design and use of security monitoring mechanisms. We then apply the model to security mechanisms for statistical databases, monitoring mechanisms for computer systems, and backups, to demonstrate the model\'s usefulness.