A web-based cooperative tool for risk management with adaptive security

Risk management can benefit from Web-based tools that foster actions for treating risks in an environment while several individuals collaborate to face the endeavors related to those risks. During the intervention, the security rules in place to protect resources from unauthorized access might need to be modified on the fly, e.g., increasing the privileges of risk managers or letting rescue teams view the exact position of the victims. Such modifications should respect the overall security policies and avoid security conflicts. This paper presents a dynamic access control model for environmental risks involving physical resources. The data structures included in our Web application to represent both risk and security are given. To keep the dynamic security rules compliant with the overall security objectives of the organization, we consider rules grouped in Access Control Domains, so that changes do not create security conflicts during collaboration in risk management. Taking work environments as an example, risk and access control models are introduced. Security is built on the ABAC (Attribute Based Access Control) paradigm. A Risk Management System (RMS) is illustrated: it captures events, signals potential risks, and outputs strategies to prevent the risk. Dynamic authorization is included in the RMS to vary subjects' privileges on physical resources based on risk level, people's position, and so on. These concepts are implemented in a prototype Web application that appears as a Web Dashboard for risk management.

Highlights:
We present a web-based cooperative tool for risk management with adaptive security.
Based on a motivating scenario, the risk and security elements are introduced.
Security is built on the ABAC (Attribute Based Access Control) paradigm.
A Risk Management System is illustrated that facilitates cooperation in risk management.
Using Event-Condition-Action meta-rules, dynamic authorization based on risk is controlled.
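The abstract describes three mechanisms working together: ABAC rules grouped in Access Control Domains, an RMS that reacts to risk events, and Event-Condition-Action meta-rules that adapt privileges (e.g., letting rescue teams see victim positions once the risk level is high) without creating security conflicts. The following Python program is an added illustration of that interplay, not code from the paper or its prototype; the domain, resource, role and attribute names (`rescue`, `victim_position`, `rescue_team`, `on_site`, `risk_level`) and the threshold of 3 are constructed assumptions. It shows a meta-rule raising privileges within a domain, one that revokes them when the risk subsides, and one whose grant is rejected because it would exceed what the domain's organizational policy allows.

```python
"""Toy ABAC engine with Access Control Domains and ECA meta-rules (added example,
not the paper's code; all names, attributes and thresholds are constructed)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

Attrs = Dict[str, object]


@dataclass
class Rule:
    name: str
    domain: str                                  # Access Control Domain owning the rule
    resource: str
    action: str
    condition: Callable[[Attrs, Attrs], bool]    # ABAC predicate over (subject, environment)
    roles: Set[str]                              # roles this rule may ever grant to


@dataclass
class Domain:
    name: str
    resources: Set[str]       # resources the domain is allowed to govern
    allowed_roles: Set[str]   # organizational invariant: no rule may grant beyond these


class Policy:
    """ABAC rules grouped in domains; each dynamic change is checked for conflicts."""

    def __init__(self, domains: List[Domain]):
        self.domains = {d.name: d for d in domains}
        self.rules: Dict[str, Rule] = {}

    def add_rule(self, rule: Rule) -> None:
        dom = self.domains[rule.domain]
        if rule.resource not in dom.resources:   # rule must stay inside its own domain
            raise PermissionError(f"{rule.name}: {rule.resource} is outside domain {dom.name}")
        if not rule.roles <= dom.allowed_roles:  # and must not exceed the domain's invariant
            raise PermissionError(f"{rule.name}: roles {rule.roles - dom.allowed_roles} "
                                  f"conflict with the {dom.name} policy")
        self.rules[rule.name] = rule

    def remove_rule(self, name: str) -> None:
        self.rules.pop(name, None)

    def permit(self, subject: Attrs, resource: str, action: str, env: Attrs) -> bool:
        # Permit if any rule targets the resource/action, covers the subject's role,
        # and its attribute condition holds in the current environment.
        return any(r.resource == resource and r.action == action
                   and subject.get("role") in r.roles and r.condition(subject, env)
                   for r in self.rules.values())


@dataclass
class MetaRule:
    """Event-Condition-Action: on `event`, if condition(env) holds, run action(policy, env)."""
    event: str
    condition: Callable[[Attrs], bool]
    action: Callable[[Policy, Attrs], None]


class RiskManagementSystem:
    def __init__(self, policy: Policy, meta_rules: List[MetaRule]):
        self.policy, self.meta_rules = policy, meta_rules
        self.rejected: List[str] = []   # adaptations refused as security conflicts

    def signal(self, event: str, env: Attrs) -> None:
        for m in self.meta_rules:
            if m.event == event and m.condition(env):
                try:
                    m.action(self.policy, env)
                except PermissionError as exc:
                    self.rejected.append(str(exc))   # conflict is logged, policy unchanged


HIGH_RISK = 3   # assumed threshold on the risk level attribute


def build_scenario() -> RiskManagementSystem:
    rescue = Domain("rescue", {"victim_position"}, {"risk_manager", "rescue_team"})
    policy = Policy([rescue])
    # Static rule: risk managers may always read victim positions.
    policy.add_rule(Rule("rm_view_victims", "rescue", "victim_position", "read",
                         lambda s, e: True, {"risk_manager"}))

    def grant_rescue(p: Policy, env: Attrs) -> None:
        # Rescue teams on site see victim positions only while the risk stays high.
        p.add_rule(Rule("rescue_view_victims", "rescue", "victim_position", "read",
                        lambda s, e: bool(e.get("risk_level", 0) >= HIGH_RISK and s.get("on_site")),
                        {"rescue_team"}))

    def revoke_rescue(p: Policy, env: Attrs) -> None:
        p.remove_rule("rescue_view_victims")

    def grant_visitors(p: Policy, env: Attrs) -> None:
        # A mis-specified escalation: visitors are outside the domain's allowed roles.
        p.add_rule(Rule("visitor_view_victims", "rescue", "victim_position", "read",
                        lambda s, e: True, {"visitor"}))

    meta = [MetaRule("risk_level_changed", lambda e: e["risk_level"] >= HIGH_RISK, grant_rescue),
            MetaRule("risk_level_changed", lambda e: e["risk_level"] < HIGH_RISK, revoke_rescue),
            MetaRule("risk_level_changed", lambda e: e["risk_level"] >= HIGH_RISK, grant_visitors)]
    return RiskManagementSystem(policy, meta)


def run_demo() -> Dict[str, object]:
    rms = build_scenario()
    rescuer = {"role": "rescue_team", "on_site": True}
    visitor = {"role": "visitor", "on_site": True}
    low, high = {"risk_level": 1}, {"risk_level": 4}
    out: Dict[str, object] = {}
    rms.signal("risk_level_changed", low)
    out["rescuer_low"] = rms.policy.permit(rescuer, "victim_position", "read", low)
    rms.signal("risk_level_changed", high)
    out["rescuer_high"] = rms.policy.permit(rescuer, "victim_position", "read", high)
    out["visitor_high"] = rms.policy.permit(visitor, "victim_position", "read", high)
    out["conflicts"] = len(rms.rejected)
    rms.signal("risk_level_changed", low)
    out["rescuer_after"] = rms.policy.permit(rescuer, "victim_position", "read", low)
    return out


if __name__ == "__main__":
    print(run_demo())
```

The conflict check lives in `Policy.add_rule`, so every adaptation, whether triggered by a meta-rule or by an operator on the dashboard, passes through the same domain invariants; the RMS records a refused grant instead of silently widening access, which is the behaviour a reviewer of such a system would want to see in its audit trail.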
