Abstract
On the one hand, an access control mechanism must make a conclusive decision for a given access request. On the other hand, such a mechanism usually relies on one or several decision-making processes, which can return partial, inconclusive, or conflicting decisions. In some cases, this information is not sufficient to make a conclusive decision automatically, and the access control mechanism may have to involve a human expert to make the final decision. In this paper, we formalise these decision-making processes as quantitative access control systems, which associate each decision with a measure indicating, for instance, the level of confidence of the system in that decision. We then propose to explore how nudging, i.e., modifying the context in which that human expert makes the decision, can be used in this setting. We formalise when such a delegation is required and when nudging is applicable, and we illustrate some examples from the MINDSPACE framework in the context of access control.
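The following is an added illustration of the idea in the abstract, not code from the paper: several decision-making processes each return a decision with a confidence measure, the access control mechanism aggregates them, and it delegates to a human expert when the evidence is weak, conflicting or inconclusive, proposing the leaning decision as a default. The vocabulary (`permit`/`deny`/`indeterminate`), the net-support measure and the `margin` parameter are assumptions of this example; the paper's own formalisation is not reproduced on this page.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Vocabulary assumed for this example (not the paper's formal definitions).
PERMIT, DENY, INDETERMINATE, DELEGATE = "permit", "deny", "indeterminate", "delegate"


@dataclass(frozen=True)
class Evidence:
    """Output of one decision-making process: a decision and the process's
    confidence in it, taken here as a value in [0, 1]."""
    decision: str
    confidence: float


def support(evidences: List[Evidence]) -> Dict[str, float]:
    """Total confidence mass behind permit and behind deny.
    Indeterminate (partial) decisions contribute no mass to either side."""
    mass = {PERMIT: 0.0, DENY: 0.0}
    for e in evidences:
        if e.decision in mass:
            mass[e.decision] += e.confidence
    return mass


def decide(evidences: List[Evidence], margin: float = 0.5) -> Tuple[str, float]:
    """Quantitative decision. The measure attached to the outcome is the net
    support |permit mass - deny mass|. The outcome is conclusive only when the
    net support reaches `margin`; weak, conflicting or wholly inconclusive
    evidence is delegated to a human expert instead."""
    mass = support(evidences)
    net = mass[PERMIT] - mass[DENY]
    if abs(net) >= margin:
        return (PERMIT if net > 0 else DENY, abs(net))
    return (DELEGATE, abs(net))


def frame_for_expert(evidences: List[Evidence]) -> Dict[str, object]:
    """Context handed to the expert on delegation. The leaning decision is
    offered as a default the expert must actively override (a defaults-style
    nudge, assumed here); when the evidence is balanced there is no default."""
    mass = support(evidences)
    net = mass[PERMIT] - mass[DENY]
    default = None if net == 0 else (PERMIT if net > 0 else DENY)
    inconclusive = sum(1 for e in evidences if e.decision == INDETERMINATE)
    return {"permit_support": mass[PERMIT], "deny_support": mass[DENY],
            "default": default, "inconclusive_processes": inconclusive}
```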
Copyright information
© 2014 Springer International Publishing Switzerland
Cite this paper
Morisset, C., Groß, T., van Moorsel, A., Yevseyeva, I. (2014). Nudging for Quantitative Access Control Systems. In: Tryfonas, T., Askoxylakis, I. (eds) Human Aspects of Information Security, Privacy, and Trust. HAS 2014. Lecture Notes in Computer Science, vol 8533. Springer, Cham. https://doi.org/10.1007/978-3-319-07620-1_30
DOI: https://doi.org/10.1007/978-3-319-07620-1_30
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-07619-5
Online ISBN: 978-3-319-07620-1