
Insider Threat Likelihood Assessment for Flexible Access Control

  • Conference paper
  • In: E-Technologies: Embracing the Internet of Things (MCETECH 2017)
  • Part of the book series: Lecture Notes in Business Information Processing (LNBIP, volume 289)

Abstract

Users who request access to protected objects must obtain the authorization of an access control system. Among the elements such a system should weigh in its decision is the risk of authorizing an access under various assumptions, and one component of risk is threat likelihood. Access control systems deal essentially with insider threats, that is, threats from people within the organization, such as employees, business associates or contractors, who could violate access control policies. We present in this paper a new approach to insider threat likelihood assessment for secrecy and integrity properties, considering read and write operations within the context of access control systems. The access operation, the trustworthiness of the subject, the sensitivity of the object, and the security countermeasures in place are all taken into account in assessing the likelihood of this category of insider threat. Both qualitative and quantitative assessments are provided. Our approach thus makes it possible to compare and calculate the likelihoods of these insider threats, leading to more flexible and better-informed access control decisions in various situations.



Acknowledgements

This research was partially supported by the Natural Sciences and Engineering Research Council of Canada.

Author information

Correspondence to Sofiene Boulares.


Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Boulares, S., Adi, K., Logrippo, L. (2017). Insider Threat Likelihood Assessment for Flexible Access Control. In: Aïmeur, E., Ruhi, U., Weiss, M. (eds) E-Technologies: Embracing the Internet of Things. MCETECH 2017. Lecture Notes in Business Information Processing, vol 289. Springer, Cham. https://doi.org/10.1007/978-3-319-59041-7_5

  • DOI: https://doi.org/10.1007/978-3-319-59041-7_5
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-59040-0
  • Online ISBN: 978-3-319-59041-7
