Analysis of the impact of ethical issues on the management of the access rights

Information systems (IS) evolve very quickly, and companies have to manage a huge amount of sensitive and critical information. Information system managers are therefore urged to design their IS accurately and to provide accurate access rights to this information. In that regard, despite the advantages of this strict definition of the IS, we observe that this evolution also tends to reduce and limit employees' personal initiative to act and behave for the well-being of the company, especially when they would do so for reasons of professional ethics. In this context, this paper takes up the challenge of showing information security specialists the importance of addressing ethical issues in the management of access rights, and proposes a model-based technical approach to this problem.
