A Formal Methodology for Procedural Security Assessment