Risk-Aware Role-Based Access Control

  • Liang Chen
  • Jason Crampton
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7170)


The increasing need to share information in dynamic environments has created a requirement for risk-aware access control systems. The standard RBAC model is designed to operate in a relatively stable, closed environment and does not include any support for risk. In this paper, we explore a number of ways in which the RBAC model can be extended to incorporate notions of risk. In particular, we develop three simple risk-aware RBAC models that differ in the way in which risk is represented and accounted for in making access control decisions. We also propose a risk-aware RBAC model that combines all the features of the three simple models, and we consider some issues related to its implementation. Compared with existing work, our models have clear authorization semantics and support richer types of access control decisions.





Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Liang Chen (1)
  • Jason Crampton (1)

  1. Information Security Group and Department of Mathematics, Royal Holloway, University of London, UK
