Abstract
Many modern information systems use a policy-based approach to manage sensitive information and the availability of services. Obligations, which specify what actions a user is obliged to perform in the future, are an essential part of security policies. One interesting feature of obligations is that they are unenforceable: the system cannot guarantee that each obligation will be fulfilled. Indeed, obligations go unfulfilled for a variety of reasons. For example, a user may have a family emergency that leaves her with little time to discharge assigned obligations. We argue that delegation of obligations can be regarded as a means of providing an opportunity for obligations to be discharged. However, this opportunity will be wasted if the users who receive a delegation do not eventually fulfil the obligations. In this paper we propose a mechanism that incentivises users to accept and fulfil obligations for others by rewarding them with credits. The amount of credits a user can earn depends on their trust score, which reflects precisely how diligent the individual has been in fulfilling obligations in the past. Users are motivated to raise their trust scores by fulfilling obligations for others, in order to earn more credits in the future. We run experiments in a simulated multi-agent system to evaluate our approach; the results show that delegation with incentives achieves the best outcome in terms of the number of obligations fulfilled.
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Chen, L., Zeng, C., Vidalis, S. (2023). An Incentive Mechanism for Managing Obligation Delegation. In: Kallel, S., Jmaiel, M., Zulkernine, M., Hadj Kacem, A., Cuppens, F., Cuppens, N. (eds) Risks and Security of Internet and Systems. CRiSIS 2022. Lecture Notes in Computer Science, vol 13857. Springer, Cham. https://doi.org/10.1007/978-3-031-31108-6_15
DOI: https://doi.org/10.1007/978-3-031-31108-6_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-31107-9
Online ISBN: 978-3-031-31108-6
eBook Packages: Computer Science, Computer Science (R0)