These formal policy models can be categorized into the core security principles of confidentiality, integrity, and availability.
[1] If a system is regarded as a finite-state automaton with a set of transitions (operations) that change the system's state, then a security policy can be seen as a statement that partitions these states into authorized and unauthorized ones.
To represent a concrete policy, especially for automated enforcement of it, a language representation is needed.
There exist a lot of application-specific languages that are closely coupled with the security mechanisms that enforce the policy in that application.
Compared with this abstract policy languages, e.g., the Domain Type Enforcement-Language, is independent of the concrete mechanism.