Abstract
Risk analysis is one of the major phases of information security. In a modern qualitative risk-analysis framework, it is common that each of information assets, threats, and vulnerabilities is assigned one of a small number of grades, and the risk assessment of the information is based on those grades.
In this paper, we first propose reusing the results of risk assessment in access control among servers. By reusing the results, the cost of risk assessment can be recovered through access control. Secondly, we propose a hybrid of conventional risk assessment and detailed analysis for assigning LoAs (levels of assurance). Starting from a conventional qualitative system with a small number of grades, we adapt it so that a small investment in partially adopting detailed risk analysis yields a reward. This adjustment is represented as epsilons.
We propose the system of epsilons and show a case of OTP in which this adjustment is effective in the assessment of an authentication mechanism. Our experience shows that the adjustment can be implemented by making a local comparison with a reference model.
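The abstract describes two mechanisms: a coarse grading of assets, threats, and vulnerabilities, and an LoA of the form N±ε where ε comes from a local comparison of an authentication mechanism (here, OTP) against a reference model, with the resulting LoA reused in access-control decisions between servers. The following Python model is an added illustration and is not code from the paper; the control names (`otp_length`, `token_lifetime_s`, `replay_protection`), the step and cap values for ε, and the rule that ε never crosses an integer grade boundary are all assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Conventional qualitative grading: each factor gets one of a small number of grades.
GRADES = {"low": 1, "medium": 2, "high": 3}


def base_risk(asset: str, threat: str, vulnerability: str) -> int:
    """Conventional coarse risk score: product of the three grade values (assumed scoring rule)."""
    return GRADES[asset] * GRADES[threat] * GRADES[vulnerability]


@dataclass
class ReferenceModel:
    """Hypothetical reference model for an authentication mechanism at integer LoA `n`.

    `controls` maps a control name to (reference value, higher_is_stronger)."""
    n: int
    controls: Dict[str, Tuple[int, bool]]


def epsilon(ref: ReferenceModel, local: Dict[str, int],
            step: float = 0.25, cap: float = 0.5) -> float:
    """Local comparison with the reference model.

    Each control that is stronger than the reference adds `step`; each weaker or
    unassessed control subtracts `step`. The total is clamped to [-cap, cap] so the
    adjustment refines N without silently promoting or demoting the integer grade
    (assumed policy for this example)."""
    eps = 0.0
    for name, (ref_val, higher_is_stronger) in ref.controls.items():
        if name not in local:
            eps -= step          # not assessed locally: treat as weaker than reference
            continue
        val = local[name]
        if val == ref_val:
            continue             # matches the reference: no adjustment
        stronger = val > ref_val if higher_is_stronger else val < ref_val
        eps += step if stronger else -step
    return max(-cap, min(cap, eps))


def loa(ref: ReferenceModel, local: Dict[str, int]) -> float:
    """Effective LoA as N ± ε."""
    return ref.n + epsilon(ref, local)


def access_allowed(required_loa: float, effective_loa: float) -> bool:
    """Server-side access-control decision that reuses the assessment result."""
    return effective_loa >= required_loa


# Constructed sample data: an OTP reference model at LoA 3 and three local deployments.
REF_OTP = ReferenceModel(n=3, controls={
    "otp_length": (6, True),          # more digits is stronger
    "token_lifetime_s": (60, False),  # shorter validity window is stronger
    "replay_protection": (1, True),   # 1 = single-use codes enforced
})
LOCAL_A = {"otp_length": 8, "token_lifetime_s": 30, "replay_protection": 1}   # stronger on two controls
LOCAL_B = {"otp_length": 6, "token_lifetime_s": 300, "replay_protection": 0}  # weaker on two controls
LOCAL_C = {"otp_length": 4}                                                   # weaker, two controls unassessed

if __name__ == "__main__":
    print("coarse risk (high asset, medium threat, low vuln):", base_risk("high", "medium", "low"))
    for label, local in (("A", LOCAL_A), ("B", LOCAL_B), ("C", LOCAL_C)):
        eff = loa(REF_OTP, local)
        print(f"deployment {label}: LoA = {REF_OTP.n} {'+' if eff >= REF_OTP.n else '-'} "
              f"{abs(eff - REF_OTP.n)} = {eff}; access to LoA-3.25 resource:",
              access_allowed(3.25, eff))
```

In this model a server that requires slightly more than the nominal grade (3.25) can admit deployment A (3 + 0.5) while rejecting a plain grade-3 mechanism, which is the kind of distinction the integer-only LoA cannot express; deployment C shows that controls left unassessed are counted against the mechanism rather than ignored.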
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Sato, H. (2009). N±ε: Reflecting Local Risk Assessment in LoA. In: Meersman, R., Dillon, T., Herrero, P. (eds) On the Move to Meaningful Internet Systems: OTM 2009. OTM 2009. Lecture Notes in Computer Science, vol 5871. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-05151-7_6
DOI: https://doi.org/10.1007/978-3-642-05151-7_6
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-05150-0
Online ISBN: 978-3-642-05151-7