Abstract
Organizations need flexible access control mechanisms in which access decisions about critical information assets are taken dynamically. In this paper, we present a framework for assessing insider threat likelihood within the context of access control systems. Our approach takes into account information flows, the trustworthiness of subjects, the sensitivity of objects and the security countermeasures in place. We identify and formally describe a set of properties to be satisfied within this approach. These properties are then used to quantitatively assess the insider threat likelihood.
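The abstract names four inputs (information flows, subject trustworthiness, object sensitivity, countermeasures) but the paper's own properties and formulas are not reproduced on this page. The following is an added toy scoring model written for this page to show how such inputs can be combined; it is not the authors' method. The shared level scale, the two threat conditions (a read above the subject's trust level, a write below what the subject already knows, in the spirit of Bell-LaPadula), the multiplicative countermeasure model and all effectiveness values are assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Assumed ordered scale used for both subject trustworthiness and object sensitivity.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
MAX_GAP = max(LEVELS.values()) - min(LEVELS.values())


@dataclass
class Subject:
    name: str
    trust: str          # key into LEVELS
    observed: int = 0   # highest sensitivity this subject has read so far (information-flow state)


@dataclass
class Obj:
    name: str
    sensitivity: str                          # key into LEVELS
    countermeasures: Tuple[float, ...] = ()   # assumed effectiveness in [0, 1] of each control on this object


def residual_factor(countermeasures: Tuple[float, ...]) -> float:
    """Fraction of the threat left after independent countermeasures (assumed model)."""
    factor = 1.0
    for eff in countermeasures:
        if not 0.0 <= eff <= 1.0:
            raise ValueError(f"effectiveness out of range: {eff}")
        factor *= 1.0 - eff
    return factor


def access_likelihood(subject: Subject, obj: Obj, op: str) -> float:
    """Likelihood in [0, 1] that a single access is an insider threat (toy model)."""
    trust = LEVELS[subject.trust]
    sens = LEVELS[obj.sensitivity]
    if op == "read":
        # Information flows object -> subject: threatening when the object is more
        # sensitive than the subject is trusted for.
        gap = sens - trust
    elif op == "write":
        # Information flows subject -> object: threatening when what the subject knows
        # (its own level or anything it has read) is more sensitive than the target.
        gap = max(subject.observed, trust) - sens
    else:
        raise ValueError(f"unknown operation: {op}")
    if gap <= 0:
        return 0.0
    return (gap / MAX_GAP) * residual_factor(obj.countermeasures)


def assess_flow(subject: Subject, accesses: List[Tuple[str, Obj]]) -> List[Tuple[str, str, float]]:
    """Score a sequence of accesses, carrying information-flow state between steps."""
    results = []
    for op, obj in accesses:
        score = access_likelihood(subject, obj, op)
        results.append((op, obj.name, score))
        if op == "read":
            subject.observed = max(subject.observed, LEVELS[obj.sensitivity])
    return results


def combined_likelihood(scores: List[Tuple[str, str, float]]) -> float:
    """Likelihood that at least one step is a threat, treating steps as independent (assumed)."""
    survive = 1.0
    for _, _, s in scores:
        survive *= 1.0 - s
    return 1.0 - survive


if __name__ == "__main__":
    # Constructed scenario: an 'internal' analyst reads a confidential report, then
    # writes to a public wiki that is covered by one DLP-style control.
    alice = Subject("alice", "internal")
    report = Obj("quarterly-report", "confidential")
    wiki = Obj("public-wiki", "public", countermeasures=(0.5,))
    steps = assess_flow(alice, [("read", report), ("write", wiki), ("read", wiki)])
    for op, name, score in steps:
        print(f"{op:5s} {name:16s} likelihood={score:.3f}")
    print(f"combined: {combined_likelihood(steps):.3f}")
```

The point the state tracking makes is that the write to the public wiki is scored against the confidential report the subject has just read, not only against the subject's own clearance; without `observed`, a low-trust insider laundering high-sensitivity data through a low-sensitivity object would score zero.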
Acknowledgements
This research was partially supported by the Natural Sciences and Engineering Research Council of Canada.
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Boulares, S., Adi, K., Logrippo, L. (2017). Insider Threat Likelihood Assessment for Access Control Systems: Quantitative Approach. In: Cuppens, F., Wang, L., Cuppens-Boulahia, N., Tawbi, N., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2016. Lecture Notes in Computer Science(), vol 10128. Springer, Cham. https://doi.org/10.1007/978-3-319-51966-1_9
DOI: https://doi.org/10.1007/978-3-319-51966-1_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-51965-4
Online ISBN: 978-3-319-51966-1