Definition and Analysis of Election Processes Mohammad S. Raunak, Bin Chen, Amr Elssamadisy, Lori A. Clarke, Leon J. Osterweil Department of Computer Science University of Massachusetts Amherst, MA 01003, USA {raunak, chenbin, samadisy, clarke, ljo}@cs.umass.edu Abstract. This paper shows that process definition and analysis technologies can be used to reason about the vulnerability of election processes with respect to incorrect or fraudulent behaviors by election officials. The Little-JIL lan- guage is used to model example election processes, and various election worker fraudulent behaviors. The FLAVERS finite-state verification system is then used to determine whether different combinations of election worker behaviors cause the process to produce incorrect election results or whether protective ac- tions can be used to thwart these threats. 1 Introduction In previous work, we have demonstrated that it is possible to define complex proc- esses with precision that is sufficient to support definitive demonstrations that the processes either do, or do not, have worrisome defects. Our preliminary work with healthcare processes [3], for example, shows that it is possible to identify potentially life-threatening defects, even in large complex medical processes. Our work with the US National Mediation Board has suggested that automating carefully defined proc- esses that have been clearly understood by all stakeholders, can lead to increased trust and confidence in the workings of government. This paper extends our previous process definition and analysis work to election processes. A novel aspect of this work is its approach to assessing the potential im- pact of fraudulent behavior. In our earlier work (e.g. with healthcare processes [3]) we assumed that participating agents (e.g. doctors and nurses) always try to perform assigned tasks correctly. We dealt with incorrect or inadequate performance through the use of pre- and post-condition checks and exception processing. But, in analysis of elections, we now attempt to deal with the consequences of the performance of tasks by agents whose actions may be intentionally incorrect or malicious. An inter- esting challenge of this work is how to represent such behaviors and assess how well processes defend against their negative effects. Early positive results of this work suggest the possibility of a discipline of election process engineering, in which costs and benefits of specific safeguards can be measured against specific election fraud risks.