A calculus for the qualitative risk assessment of policy override authorization

Policy override is gaining traction in the research community as a way to improve the efficiency and usability of authorization mechanisms. These mechanisms turn conventional privileges into a soft boundary that users may override in exceptional situations. The challenge for the practical deployment of policy override mechanisms is often whether policy override is adequate and, if so, to what extent. In this paper, we propose a calculus to support this decision-making process. The calculus is based on proven risk assessment practices and derives a qualitative result on the adequacy of policy override for specific roles and override extents. Moreover, we developed a tool to support the policy override risk assessment. The calculus and the tool are briefly evaluated in two distinct contexts.
