In this paper, the authors develop a prototyping technique for information systems security policies. Starting from the algebraic specification of a security policy, they derive an executable specification that represents a prototype of the actual policy. Executing the specification allows determining sequences of actions that lead to security policy violations. They propose a composition framework to build compound algebraic specifications. They show that the mechanism they provide to translate algebraic specifications to executable specifications preserves the composition rules, which is of utmost importance from the engineering perspective.