The early detection of potential threats during the modeling phase of a Secure Information System is required because it favors the design of a robust access control policy and the prevention of malicious behaviors during the system execution. This paper deals with internal attacks which can be made by people inside the organization. Such attacks are difficult to find because insiders have authorized system access and also may be familiar with system policies and procedures. The authors are interested in finding attacks which conform to the access control policy, but lead to unwanted states. These attacks are favored by policies involving authorization constraints, which grant or deny access depending on the evolution of the functional Information System state.