Towards an Economic Approach to Identity and Access Management Systems Using Decision Theory

Nowadays, providing employees with failure-free access to various systems, applications and services is a crucial factor for organizations' success, as disturbances potentially inhibit smooth workflows and thereby harm productivity. However, it is a challenging task to assign access rights to employees' accounts within a satisfying time frame. In addition, the management of multiple accounts and identities can be very onerous and time-consuming for the responsible administrator and therefore expensive for the organization. In order to meet these challenges, firms decide to invest in introducing an Identity and Access Management System (IAMS) that supports the organization by using policies to assign permissions to accounts, groups, and roles. In practice, since various versions of IAMSs exist, it is a challenging task to decide on the introduction of an IAMS. The following study proposes a first attempt at a decision support model for practitioners which considers four alternatives: introduction of an IAMS with Role-based Access Control (RBAC) or without it, and no introduction of an IAMS, again with or without RBAC. To underpin the practical applicability of the proposed model, we parametrize and operationalize it based on a real-world use case using input from an expert interview.
