Obligations in Risk-Aware Access Control

Liang Chen, Jason Crampton, Martin J Kollingbaum, Timothy J Norman

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

22 Citations (Scopus)

Abstract

The increasing need to share information in dynamic environments has created a requirement for risk-aware access control systems. In this paper, we present a metamodel for risk-aware authorization that captures the key aspects of a system in relation to risk mitigation. In particular, we develop various risk-aware models as instances of the metamodel that broadly differ in the form of risk mitigation that is used (system obligations and user obligations respectively), and study how those obligations are applied to reduce and account for the risk incurred by granting access. Unlike system obligations, an access control system cannot guarantee that user obligations are fulfilled. We propose two approaches to defining risk-aware authorization semantics that takes unfulfilled obligations into account: one is to restrict users' future access because of prior failure to fulfill obligations, and the other is to “reward” users who have been diligent in fulfilling their obligations by permitting risky access requests.
Original language: English
Title of host publication: 2012 Tenth Annual International Conference on Privacy, Security and Trust
Subtitle of host publication: Institut Mines-Telecom, Paris, France, July 16-18, 2012
Place of publication: Washington DC, USA
Publisher: Institute of Electrical and Electronics Engineers (IEEE)
Pages: 145-152
Number of pages: 8
ISBN (Electronic): 9781467323253
ISBN (Print): 9781467323239
DOI: https://doi.org/10.1109/PST.2012.6297931
Publication status: Published - 2012
Event: Proceedings of the Tenth Annual Conference on Privacy, Security and Trust - Paris, France
Duration: 16 Jul 2012 - 18 Jul 2012

Conference

Conference: Proceedings of the Tenth Annual Conference on Privacy, Security and Trust
Country: France
City: Paris
Period: 16/07/12 - 18/07/12

Keywords

  • authorization
  • semantics
  • context

ASJC Scopus subject areas

  • Information Systems
  • Computer Networks and Communications

Cite this

Chen, L., Crampton, J., Kollingbaum, M. J., & Norman, T. J. (2012). Obligations in Risk-Aware Access Control. In 2012 Tenth Annual International Conference on Privacy, Security and Trust: Institut Mines-Telecom, Paris, France, July 16-18, 2012 (pp. 145-152). Washington DC, USA: Institute of Electrical and Electronics Engineers (IEEE). https://doi.org/10.1109/PST.2012.6297931
