Abstract
We describe a framework for threat assessment specifically within the context of access control systems, where subjects request access to resources for which they may not be pre-authorized. The framework that we describe includes four different approaches for conducting threat assessment: an object sensitivity-based approach, a subject trustworthiness-based approach and two additional approaches which are based on the difference between object sensitivity and subject trustworthiness. We motivate each of the four approaches with a series of examples. We also identify and formally describe the properties that are to be satisfied within each approach. Each of these approaches results in different threat orderings, and can be chosen based on the context of applications or preference of organizations.
Chapter PDF
Similar content being viewed by others
References
Bartsch, S.: A calculus for the qualitative risk assessment of policy override authorization. In: Proceedings of the 3rd International Conference on Security of Information and Networks (SIN 2010), pp. 62–70 (2010)
Cheng, P.C., Rohatgi, P., Keser, C., Karger, P.A., Wagner, G.M., Reninger, A.S.: Fuzzy multi-level security: An experiment on quantified risk-adaptive access control. In: Proceedings of IEEE Symposium on Security and Privacy (SP 2007), pp. 222–230 (2007)
Diep, N.N., Hung, L.X., Zhung, Y., Lee, S., Lee, Y.-K., Lee, H.: Enforcing access control using risk assessment. In: Proceedings of the 4th European Conference on Universal Multiservice Networks (ECUMN 2007), pp. 419–424 (2007)
Kandala, S., Sandhu, R., Bhamidipati, V.: An attribute based framework for risk-adaptive access control models. In: Proceedings the 6th International Conference on Availability, Reliability and Security (ARES 2011) (2011)
McGraw, R.: Risk adaptive access control (RAdAC). In: Proceedings of NIST & NSA Privilege Management Workshop (2009)
Ni, Q., Bertino, E., Lobo, J.: Risk-based access control systems built on fuzzy inferences. In: Proceedings of 5th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2010), pp. 250–260 (2010)
NIST. Risk management guide for information technology systems. National Institute of Standards and Technology, Special Publication (SP) 800-30 (2002)
NIST. Guide for mapping types of information and information systems to security categories. National Institute of Standards and Technology, Special Publication (SP) 800-60, volumes I & II (2008)
Wang, Q., Jin, H.: Quantified risk-adaptive access control for patient privacy protection in health information systems. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2011), pp. 406–410 (2011)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 IFIP International Federation for Information Processing
About this paper
Cite this paper
Khambhammettu, H., Boulares, S., Adi, K., Logrippo, L. (2012). A Framework for Threat Assessment in Access Control Systems. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds) Information Security and Privacy Research. SEC 2012. IFIP Advances in Information and Communication Technology, vol 376. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-30436-1_16
Download citation
DOI: https://doi.org/10.1007/978-3-642-30436-1_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-30435-4
Online ISBN: 978-3-642-30436-1
eBook Packages: Computer ScienceComputer Science (R0)