Abstract: A security system (10) for users (50) to employ applications (12) as either publishing applications (24) or subscribing applications (26), for communicating messages (16) on computer networks. Each application (12) includes a client (28) which obtains from the user (50) a user ID (52) and a password (54), for authentication to a broker (30). The messages (16) are each assigned a subject (18) having a security policy (20), which includes an access control list (70) and a quality of protection (72). The access control list (70) may specify who may publish, who may subscribe, and who may ask for guaranteed delivery of messages (16) on the associated subject (18). Similarly, the quality of protection (72) may specify whether such messages (16) are privacy, integrity, or nonrepudiation protected, and whether they are to be audited. The broker (30) then employs the security policy (20) to control publishing and subscribing of the messages (16) and to provide the requested security protections.