Approaches to Access Control Under Uncertainty by Farzad Salim Bachelor of Computer Science, AUST United Arab Emirates 2001 Master of Computer Science, UOW Australia 2006 Thesis submitted in accordance with the regulations for the degree of Doctor of Philosophy Information Security Institute Science and Engineering Faculty Queensland University of Technology 2012 Keywords Information security, access control model, role based access control, usage control, insider threat, economics, game theory, agency theory, uncertainty, information asymmetry, incentives, audit, accountability, healthcare, data breach i ii Abstract The ultimate goal of an access control system is to allocate each user the precise level of access they need to complete their job - no more and no less This proves to be challenging in an organisational setting On one hand employees need enough access to the organisation’s resources in order to perform their jobs and on the other hand more access will bring about an increasing risk of misuse either intentionally, where an employee uses the access for personal benefit, or unintentionally, through carelessness or being socially engineered to give access to an adversary This thesis investigates issues of existing approaches to access control in allocating optimal level of access to users and proposes solutions in the form of new access control models These issues are most evident when uncertainty surrounding users’ access needs, incentive to misuse and accountability are considered, hence the title of the thesis We first analyse access control in environments where the administrator is unable to identify the users who may need access to resources To resolve this uncertainty an administrative model with delegation support is proposed Further, a detailed technical enforcement mechanism is introduced to ensure delegated resources cannot be misused Then we explicitly consider that users are self-interested and capable of misusing resources if they choose to We propose a novel game theoretic access control model to reason about and influence the factors that may affect users’ incentive to misuse Next we study access control in environments where neither users’ access needs can be predicted nor they can be held accountable for misuse It is shown that by allocating budget to users, a virtual currency through which they can pay for the resources they deem necessary, the need for a precise pre-allocation of permissions can be relaxed The budget also imposes an upper-bound on users’ iii ability to misuse A generalised budget allocation function is proposed and it is shown that given the context information the optimal level of budget for users can always be numerically determined Finally, Role Based Access Control (RBAC) model is analysed under the explicit assumption of administrators’ uncertainty about self-interested users’ access needs and their incentives to misuse A novel Budget-oriented Role Based Access Control (B-RBAC) model is proposed The new model introduces the notion of users’ behaviour into RBAC and provides means to influence users’ incentives It is shown how RBAC policy can be used to individualise the cost of access to resources and also to determine users’ budget The implementation overheads of B-RBAC is examined and several low-cost sub-models are proposed iv For my family vi Contents Front Matter Keywords Abstract List of Figures List of Tables List of Acronyms Declaration Previously Published Material Acknowledgements Introduction 1.1 Background & Motivation 1.1.1 Proposed Solutions to Over-entitlement 1.1.2 Proposed Solutions to Under-entitlement 1.1.3 Resource Allocation Under Uncertainty 1.2 Research Problem and Questions 1.3 Thesis Contributions 1.4 Thesis Overview Background 2.1 Access Control Concepts 2.2 Traditional Access Control Models 2.2.1 Mandatory Access Control 2.2.2 Discretionary Access Control 2.2.3 Role Based Access Control 2.3 Credential-based Access Control 2.3.1 Trust Management vii i i iii xi xiii xv xvii xix xxi 12 15 16 17 17 18 19 20 20 2.4 2.5 2.6 2.7 2.3.2 Digital Rights Management Usage Control Flexible Approaches to Access Control 2.5.1 Optimistic Approach 2.5.2 Quantified Risk-based Approach Resource Allocation: Economics & Access Control 2.6.1 Agency Theory 2.6.2 Game Theory Game Components and Equilibrium 2.6.3 Applications of Game Theory to Security Conclusion An 3.1 3.2 3.3 Administrative Framework For UCON Preliminary Motivating Scenario The Administrative Model (M) 3.3.1 Peer Model (MP ): Subjects, Objects, Assertions Direct Assertions Delegation Assertions 3.3.2 Authoriser Model (MA ): System policy, Assertions Centralised Administration Distributed Administration 3.4 Discussion 3.5 Conclusion Delegation Enforcement and Usage Scenario 4.1 Coalitions 4.1.1 Securing Data Distribution in Coalitions 4.2 Multi-Layer Licencing Model 4.3 Implementation Using XrML 4.3.1 Data Encryption 4.3.2 Delegation Constructing a delegation licence Obtaining a distribution licence 4.3.3 Distribution Creating distribution licences viii 22 23 25 26 27 31 33 35 36 37 39 41 42 43 44 45 47 48 49 50 51 52 54 57 58 60 61 64 64 65 67 67 68 68 Bibliography [1] B Schneier, “Real-World Access Control.” Online, September 2009 Viewed March 2010, Link: http://www.schneier.com/blog/archives/2009/09/realworld_acce.html [2] P Samarati and S D C di Vimercati, “Access control: Policies, models, and mechanisms,” in FOSAD ’00: Revised versions of lectures given during the IFIP WG 1.7 International School on Foundations of Security Analysis and Design on Foundations of Security Analysis and Design, (London, UK), pp 137–196, Springer-Verlag, 2001 [3] D E Bell and L J L Padula, “Secure computer systems: Mathematical foundations,” tech rep., The MITRE Corporation, March 1973 [4] D F Ferraiolo and D Kuhn, “Role Based Access Control,” 15th National Computer Security Conference, pp 554–563, Oct 13-16 1992 [5] S Sinclair and S W Smith, “What’s wrong with access control in the real world?,” IEEE Security & Privacy, vol 8, no 4, pp 74–77, 2010 [6] MITRE, “Horizontal integration: Broader access models for realizing information dominance,” Tech Rep JSR-04-132, MITRE Corporation Jason Program Office, 2004 [7] S Sinclair, S W Smith, S Trudeau, M E Johnson, and A Portera, “Information risk in financial institutions: Field study and research roadmap,” in FinanceCom, Lecture Notes in Business Information Processing, pp 165– 180, 2007 163 164 BIBLIOGRAPHY [8] L Røstad and O Edsberg, “A study of access control requirements for healthcare systems based on audit trails from access logs,” in Computer Security Applications Conference, 2006 ACSAC ’06 22nd Annual, pp 175 –186, 2006 [9] W Baker, A Hutton, C D Hylender, J Pamula, C Porter, and M Spitler, “2011 data breach investigations report,” tech rep., Verizon, 2011 [10] X Zhao and M E Johnson, “Information governance: Flexibility and control through escalation and incentives,” (Hanover, NH (USA)), Workshop on the Economics of Information Security WEIS, June 2008 [11] M J Moyer and M Ahamad, “Generalized role-based access control,” in ICDCS ’01: Proceedings of the The 21st International Conference on Distributed Computing Systems, (Washington, DC, USA), p 391, IEEE Computer Society, 2001 [12] E Bertino, P A Bonatti, and E Ferrari, “Trbac: A temporal role-based access control model,” ACM Trans Inf Syst Secur., vol 4, no 3, pp 191– 233, 2001 [13] M J Covington, W Long, S Srinivasan, A K Dev, M Ahamad, and G D Abowd, “Securing context-aware applications using environment roles,” in Proceedings of the sixth ACM symposium on Access control models and technologies, SACMAT ’01, (New York, NY, USA), pp 10–20, ACM, 2001 [14] R K Thomas and R S Sandhu, “Task-Based Authorization Controls (TBAC): A family of models for active and Enterprise-Oriented Autorization Management,” in Proceedings of the IFIP TC11 WG11.3 Eleventh International Conference on Database Securty XI, (London, UK, UK), pp 166–181, Chapman & Hall, Ltd., 1998 [15] J Park and R Sandhu, “Towards usage control models: beyond traditional access control,” in SACMAT ’02: Proceedings of the seventh ACM symposium on access control models and technologies, (New York, NY, USA), pp 57–64, ACM, 2002 BIBLIOGRAPHY 165 [16] D Povey, “Optimistic security: a new access control paradigm,” in NSPW ’99: Proceedings of the 1999 workshop on New security paradigms, (New York, NY, USA), pp 40–45, ACM, 2000 [17] S L TYC Woo, “Authorization in distributed systems:a formal approach,” Security and Privacy, IEEE Symposium on, vol 0, p 33, 1992 [18] X Zhang, S Oh, and R Sandhu, “PBDM: a flexible delegation model in RBAC,” in Proceedings of the eighth ACM symposium on Access control models and technologies, SACMAT ’03, (New York, NY, USA), pp 149– 157, ACM, 2003 [19] A Ferreira, R J C Correia, L Antunes, P Farinha, E Oliveira-Palhares, D W Chadwick, and A da Costa Pereira, “How to break access control in a controlled manner,” in CBMS ’06: Proceedings of the 19th IEEE Symposium on Computer-Based Medical Systems, (Washington, DC, USA), pp 847–854, IEEE Computer Society, 2006 [20] P.-C Cheng, P Rohatgi, C Keser, P A Karger, G M Wagner, and A S Reninger, “Fuzzy multi-level security: An experiment on quantified riskadaptive access control,” in IEEE Symposium on Security and Privacy, pp 222–230, 2007 [21] E Rissanen, B S Firozabadi, and M J Sergot, “Towards a mechanism for discretionary overriding of access control,” in Security Protocols Workshop, pp 312–319, 2004 [22] L Røstad and Ø Nytrø, “Access control and integration of health care systems: An experience report and future challenges,” in ARES, pp 871– 878, 2007 [23] M E Johnson, “Data hemorrhages in the health-care sector,” in Financial Cryptography, pp 71–89, 2009 [24] A Appari and M E Johnson, “Information security and privacy in healthcare: current state of research,” International Journal of Internet and Enterprise Management, vol 6, no 4, pp 279–314, 2010 166 BIBLIOGRAPHY [25] Wired News, “Army intelligence analyst charged with leaking classified information.” Online, July 2010 Viewed January 2012, Link: http://www.wired.com/threatlevel/category/bradley-manning/ [26] BBC, “Octuplets’ hospital privacy fine.” Online, July 2009 Viewed January 2012, Link: http://news.bbc.co.uk/2/hi/health/8155369.stm [27] B Holmstrom, “Moral hazard and observability,” The Bell Journal of Economics, vol 10, no 1, pp 74–91, 1979 [28] J V Neumann and O Morgenstern, Theory of Games and Economic Behavior Princeton University Press, 1944 [29] D Fudenberg and J Tirole, Game Theory MIT Press, 1992 [30] M Becker, C Fournet, and A Gordon, “Design and semantics of a decentralized authorization language,” in Computer Security Foundations Symposium, 2007 CSF ’07 20th IEEE, pp 3–15, July 2007 [31] F Salim, J Reid, and E Dawson, “An administrative model for U CONABC ,” in Proceedings of the Eight Australasian Information Security Conference (AISC), vol 105 of Conferences in Research and Practice in Information Technology (CRISP), (Brisbane, Australia), pp 32–38, Australian Computer Society (ACS), January 2010 [32] F Salim, N P Sheppard, and R Safavi-Naini, “A rights management approach to securing data distribution in coalitions,” in Proceedings of the Fourth International Conference on Network and System Security, NSS’10, (Melbourne, Australia), pp 560 –567, IEEE Computer Society, September 2010 [33] F Salim, J Reid, U Dulleck, and E Dawson, “Towards a game theoretic approach to authorisation,” in Decision and Game Theory for Security (GameSec), vol 6442 of Lecture Notes in Computer Science, (Springer/Heidelberg), pp 208–219, 2010 BIBLIOGRAPHY 167 [34] M R Darby and E Karni, “Free competition and the optimal amount of fraud,” Journal of Law and Economics, vol 16, no 1, pp pp 67–88, 1973 [35] F Salim, U Dulleck, J Reid, and E Dawson, “Optimal budget allocation in budget-based access control,” in ARES, Sixth International Conference on Availability, Reliability and Security, (Vienna, Austria), IEEE Computer Society, 22-26 August 2011 [36] F Salim, J Reid, U Dulleck, and E Dawson, “An approach to access control under uncertainty,” in ARES’11: Sixth International Conference on Availability, Reliability and Security, IEEE Computer Society, 2011 [37] F Salim, J Reid, and E Dawson, “Towards authorisation models for secure information sharing: A survey and research agenda,” The ISC International Journal of Information Security (ISeCure), vol 2, pp 67–85, 2010 [38] K J Biba, “Integrity considerations for secure computer systems,” Tech Rep TR-3153, MITRE Co., technical report, Bedford MA, 1977 [39] B Lampson, “Protection,” in Proceedings of the 5th Annual Princeton Conference on Information Sciences and Systems, (Princeton University), pp 437–443, 1971 [40] R S Sandhu, “Rationale for the RBAC96 family of access control models,” in ACM Workshop on Role-Based Access Control, 1995 [41] D F Ferraiolo, R Sandhu, S Gavrila, D R Kuhn, and R Chandramouli, “Proposed nist standard for role-based access control,” ACM Trans Inf Syst Secur., vol 4, no 3, pp 224–274, 2001 [42] R S Sandhu, E J Coyne, H L Feinstein, and C E Youman, “Role-based access control models,” IEEE Computer, vol 29, no 2, pp 38–47, 1996 [43] M Gasser and E McDermott, “An architecture for practical delegation in a distributed system,” in IEEE Symposium on Security and Privacy, pp 20–30, 1990 168 BIBLIOGRAPHY [44] R Krishnan, R S Sandhu, and K Ranganathan, “Pei models towards scalable, usable and high-assurance information sharing,” in SACMAT, pp 145–150, 2007 [45] M Blaze, J Feigenbaum, and J Lacy, “Decentralized trust management,” in IEEE Symposium on Security and Privacy, pp 164–173, 1996 [46] J Park and R S Sandhu, “The UCONABC usage control model,” ACM Trans Inf Syst Secur., vol 7, no 1, pp 128–174, 2004 [47] T Y C Woo and S S Lam, “A framework for distributed authorization,” in CCS ’93: Proceedings of the 1st ACM conference on Computer and communications security, (New York, NY, USA), pp 112–118, ACM, 1993 [48] M Blaze, J Feigenbaum, and A D Keromytis, “The role of trust management in distributed systems security,” in Secure Internet Programming, pp 185–210, 1999 [49] M Blaze, J Feigenbaum, and M Strauss, “Compliance checking in the Policymaker trust management system,” in Financial Cryptography, pp 254– 274, 1998 [50] M Blaze, J Feigenbaum, and A D Keromytis, “KeyNote: Trust management for public-key,” in Infrastructures (Position Paper) Lecture Notes in Computer Science 1550, pp 59–63, 1999 [51] A Keromytis, “The KeyNote trust-management system, version 2,” IETF RFC, vol 2704, pp 164–173, 1999 [52] Q Liu, R Safavi-Naini, and N P Sheppard, “Digital rights management for content distribution,” in ACSW Frontiers ’03: Proceedings of the Australasian information security workshop conference on ACSW frontiers 2003, (Darlinghurst, Australia, Australia), pp 49–58, Australian Computer Society, Inc., 2003 [53] O Sibert, D Bernstein, and D V Wie, “Digibox: a self-protecting container for information commerce,” in WOEC’95: Proceedings of the 1st BIBLIOGRAPHY 169 conference on USENIX Workshop on Electronic Commerce, (Berkeley, CA, USA), pp 15–15, USENIX Association, 1995 [54] P Schneck, “Persistent access control to prevent piracy of digital information,” in Proceedings of the IEEE, vol 87 of 7, (MRJ Technol Solutions, Fairfax, VA;), pp 1239–1250, IEEE, July 1999 [55] N P Sheppard and R Safavi-Naini, “Protecting privacy with the MPEG21 IPMP framework,” in Privacy Enhancing Technologies, pp 152–171, 2006 [56] N P Sheppard and R Safavi-Naini, “Protecting privacy with the mpeg-21 ipmp framework,” in Privacy Enhancing Technologies, pp 152–171, 2006 [57] F Salim, N P Sheppard, and R Safavi-Naini, “Enforcing P3P policies using a digital rights management system,” in Privacy Enhancing Technologies, pp 200–217, 2007 [58] X Wang, G Lao, T DeMartini, H Reddy, M Nguyen, and E Valenzuela, “Xrml – extensible rights markup language,” in XMLSEC ’02: Proceedings of the 2002 ACM workshop on XML security, (New York, NY, USA), pp 71–79, ACM, 2002 [59] R Sandhu and J Park, “Usage control: A vision for next generation access control,” in Computer Network Security, vol 2776/2003, pp 17–31, Second International Workshop on Mathematical Methods, Models, and Architectures for Computer Network Security, Springer Berlin / Heidelberg, 2003 [60] J Park, X Zhang, and R Sandhu, “Attribute mutability in usage control,” in In Proceedings of the Annual IFIP WG 11.3 Working Conference on Data and Applications Security, pp 25–28, July 2004 [61] X Zhang, J Park, F Parisi-Presicce, and R Sandhu, “A logical specification for usage control,” in SACMAT ’04: Proceedings of the ninth ACM symposium on Access control models and technologies, (New York, NY, USA), pp 1–10, ACM, 2004 170 BIBLIOGRAPHY [62] H H Hosmer, “Using fuzzy logic to represent security policies in the multipolicy paradigm,” SIGSAC Rev., vol 10, no 4, pp 12–21, 1992 [63] H H Hosmer, “Security is fuzzy!: applying the fuzzy logic paradigm to the multipolicy paradigm,” in NSPW ’92-93: Proceedings on the 1992-1993 workshop on New security paradigms, (New York, NY, USA), pp 175–184, ACM, 1993 [64] L A Zadeh, “Fuzzy sets,” Information Control, vol 8, pp 338–353, 1965 [65] D D Clark and D R Wilson, “A comparison of commercial and military security policies,” IEEE Symposium on Security and Privacy, pp 184–193, April 1987 [66] P.-C Cheng and P A Karger, “Risk modulating factors in risk-based access control for information in a MANET,” Tech Rep RC24494, IBM Research Division, Thomas J Watson Research Center, February 2008 [67] L Zhang, A Brodsky, and S Jajodia, “Toward information sharing: Benefit and risk access control (BARAC),” in POLICY, pp 45–53, 2006 [68] I Molloy, P.-C Cheng, and P Rohatgi, “Trading in risk: Using markets to improve access control,” in New Security Paradigms Workshop (NSPW), (California, USA), 2008 [69] R Anderson, “Why information security is hard - an economic perspective,” in Computer Security Applications Conference, 2001 ACSAC 2001 Proceedings 17th Annual, pp 358 – 365, dec 2001 [70] R Anderson and T Moore, “Information security: where computer science, economics and psychology meet,” Philosophical Transactions of the Royal Society A: Mathematical, Physical and Engineering Sciences, vol 367, no 1898, pp 2717–2727, 2009 [71] H Varian, “Managing online security risks,” Economic Science Column, The New York Times, June 2000 BIBLIOGRAPHY 171 [72] M Bishop, D Gollmann, J Hunker, and C W Probst, “Countering insider threats,” in Countering Insider Threats, no 08302 in Dagstuhl Seminar Proceedings, (Dagstuhl, Germany), Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, Germany, 2008 [73] T Herath and H Rao, “Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness,” Decision Support Systems, vol 47, no 2, pp 154 – 165, 2009 [74] M Bishop, S Engle, S Peisert, S Whalen, and C Gates, “Case studies of an insider framework,” in HICSS, pp 1–10, 2009 [75] M Bishop, C G D Frincke, and F L Greitzer, “AZALIA: an A to Z Assessment of the Likelihood of Insider Attack.” 2010 [76] P Aghion and J Tirole, “Formal and real authority in organizations,” Journal of Political Economy, vol 105, no 1, p 1, 1997 [77] K M Eisenhardt, “Agency theory: An assessment and review,” The Academy of Management Review, vol 14, no 1, pp pp 57–74, 1989 [78] S P Shapiro, “Agency theory,” Annual Review of Sociology, vol 31, pp pp 263–284, 2005 [79] S L Pfleeger, J B Predd, J Hunker, and C Bulford, “Insiders behaving badly: Addressing bad actors and their actions,” Information Forensics and Security, IEEE Transactions on, vol 5, pp 169 –179, march 2010 [80] G B Magklaras and S M Furnell, “Insider threat prediction tool: Evaluating the probability of it misuse,” Computers & Security, vol 21, no 1, pp 62 – 73, 2001 [81] J von Neumann and O Morgenstern, Theory of games and economic behavior USA: Princeton University Press, 1944 [82] J Nash, “Non-cooperative games,” The Annals of Mathematics, vol 54, no 2, pp pp 286–295, 1951 172 BIBLIOGRAPHY [83] T Alpcan and T Basar, Network Security: A Decision and Game Theoretic Approach Cambridge University Press, 2011 [84] H Cavusoglu, S Raghunathan, and W Yue, “Decision-theoretic and gametheoretic approaches to it security investment,” Journal of Management Information Systems, vol 25, pp 281–304, September 2008 [85] H Cavusoglu and S Raghunathan, “Configuration of detection software: A comparison of decision and game theory approaches,” Decision Analysis, vol 1, no 3, pp 131 – 148, 2004 [86] T Alpcan and T Basar, “A game theoretic approach to decision and analysis in network intrusion detection,” in In Proceeding of the 42nd IEEE Conference on Decision and Control (CDC), December 2003 [87] K W Lye and J M Wing, “Game strategies in network security,” International Journal of Information Security, vol 4, no 1-2, pp 71–86, 2005 [88] K Hausken, “Income, interdependence, and substitution effects affecting incentives for security investment,” Journal of Accounting and Public Policy, vol 25, no 6, pp 629 – 665, 2006 [89] K Hausken, “Strategic defense and attack for series and parallel reliability systems,” European Journal of Operational Research, vol 186, no 2, pp 856 – 881, 2008 [90] H Kunreuther and G Heal, “Interdependent security,” Journal of Risk and Uncertainty, vol 26, pp 231–249, 2003 [91] H Varian, “System reliability and free riding,” in Economics of Information Security, vol 12 of Advances in Information Security, pp 1–15, Springer US, 2004 [92] M Ceremonini and D Nizovstev, “Understanding and influencing attackers’ decisions: Implications for security investment strategies,” Washburn University, Working Paper Series, April 2006 BIBLIOGRAPHY 173 [93] L A Gordon, M P Loeb, and W Lucyshyn, “Sharing information on computer systems security: An economic analysis,” Journal of Accounting and Public Policy, vol 22, no 6, pp 461 – 485, 2003 [94] J Park and R Sandhu, “Originator control in usage control,” Policies for Distributed Systems and Networks, 2002 Proceedings Third International Workshop on, pp 60–66, 2002 [95] X Luo, Y Yang, and Z Hu, “Controllable delegation model based on usage and trustworthiness,” Knowledge Acquisition and Modeling, International Symposium on, pp 745–749, 2008 [96] N Li, W H Winsborough, and J C Mitchell, “Distributed credential chain discovery in trust management,” J Comput Secur., vol 11, no 1, pp 35–86, 2003 [97] F Wang and F Wang, “The research and application of resource dissemination based on credibility and UCON,” in CIS ’07: Proceedings of the 2007 International Conference on Computational Intelligence and Security, (Washington, DC, USA), pp 584–588, IEEE Computer Society, 2007 [98] Z Zhang, L Yang, Q Pei, and J Ma, “Research on usage control model with delegation characteristics based on OM-AM methodology,” in NPC ’07: Proceedings of the 2007 IFIP International Conference on Network and Parallel Computing Workshops, (Washington, DC, USA), pp 238–243, IEEE Computer Society, 2007 [99] ContentGuard, “Extensible rights markup language,” tech rep., 2004 http://www.xrml.org, 2004 [100] W3 Consortium, “XML security working group.” http://www.w3.org/ 2008/xmlsec, 2008 [101] T C Group, “TCG speciÞcation architecture overview,” tech rep., 2004 [102] N P Sheppard and R Safavi-Naini, “Sharing digital rights with domain licensing,” in Proceedings of the 4th ACM international workshop on Con- 174 BIBLIOGRAPHY tents protection and security, MCPS ’06, (New York, NY, USA), pp 3–12, ACM, 2006 [103] P Liu and W Zang, “Incentive-based modeling and inference of attacker intent, objectives, and strategies,” in CCS ’03: Proceedings of the 10th ACM conference on Computer and communications security, (New York, NY, USA), pp 179–189, ACM, 2003 [104] E E Schultz, “A framework for understanding and predicting insider attacks,” Computers & Security, vol 21, no 6, pp 526 – 531, 2002 [105] D Liu, W XiaoFeng, and J L Camp, “Game theoretic modeling and analysis of insider threats,” International Journal of Critical Infrastructure Protection, vol 1, pp 75–80, 12 2008 [106] D Liu, X Wang, and J L Camp, “Mitigating inadvertent insider threats with incentives,” in Financial Cryptography and Data Security: 13th International Conference, FC 2009, Accra Beach, Barbados, February 23-26, 2009 Revised Selected Papers, (Berlin, Heidelberg), pp 1–16, SpringerVerlag, 2009 [107] D Liu, L J Camp, X Wang, and L Wang, “Using budget-based access control to manage operational risks cuased by insiders,” Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications, vol 1, no 1, pp 29–45, 2010 [108] W Emons, “Credence goods and fraudulent experts,” The RAND Journal of Economics, vol 28, no 1, pp pp 107–119, 1997 [109] Winand and Emons, “Credence goods monopolists,” International Journal of Industrial Organization, vol 19, no 3â14, pp 375 – 389, 2001 [110] U Dulleck and R Kerschbamer, “On doctors, mechanics, and computer specialists: The economics of credence goods,” Journal of Economic Literature, vol 44, no 1, pp pp 5–42, 2006 BIBLIOGRAPHY 175 [111] Y Masuda and S Whang, “Dynamic pricing for network service: Equilibrium and stability,” Management Science, vol 45, no 6, pp pp 857–869, 1999 [112] S Bartsch, “A calculus for the qualitative risk assessment of policy override authorization,” in Proceedings of the 3rd international conference on Security of information and networks, SIN ’10, (New York, NY, USA), pp 62–70, ACM, 2010 [113] X Zhao and M E Johnson, “The value of escalation and incentives in managing information access,” in Managing Information Risk and the Economics of Security, pp 165–177, Springer US, 2009 [114] X Ma, R Li, and Z Lu, “Role mining based on weights,” in Proceeding of the 15th ACM symposium on Access control models and technologies, SACMAT ’10, (New York, NY, USA), pp 65–74, ACM, 2010 [115] A C Squicciarini, I Paloscia, and E Bertino, “Protecting databases from query flood attacks,” in ICDE, pp 1358–1360, 2008 [116] E Celikel, M Kantarcioglu, B M Thuraisingham, and E Bertino, “A risk management approach to RBAC,” in Risk and Decision Analysis, vol 1, pp 21–33, IOS Press, 2009 [117] Y Yemini, A Dailianas, D Florissi, and G Huberman, “Marketnet: protecting access to information systems through financial market controls,” Decision Support Systems, vol 28, no 1-2, pp 205–216, 2000 [118] Y Yemini, A Dailianas, D Florissi, and G Huberman, “Marketnet: market-based protection of information systems,” in Proceedings of the first international conference on Information and computation economies, ICE ’98, (New York, NY, USA), pp 181–190, ACM, 1998 [119] N Dimmock, A Belokosztolszki, D Eyers, J Bacon, and K Moody, “Using trust and risk in role-based access control policies,” in SACMAT ’04: Proceedings of the ninth ACM symposium on Access control models and technologies, (New York, NY, USA), pp 156–162, ACM, 2004 176 BIBLIOGRAPHY [120] N Nissanke and E J Khayat, “Risk based security analysis of permissions in RBAC,” in 2nd International Workshop on Security In Information Systems (WOSIS), pp 332–341, April 2004 [121] C Ramaswamy and R Sandhu, “Role-based access control features in commercial database management systems.,” In Proceedings of the 21st NISTNCSC National Conference on Information Systems Security, pp 503–511, Oct 1998 Arlington, VA [122] M Casassa Mont, “Dealing with privacy obligations: Important aspects and technical approaches,” in Trust and Privacy in Digital Business (S Katsikas, J Lopez, and G Pernul, eds.), vol 3184 of Lecture Notes in Computer Science, pp 120–131, Springer Berlin / Heidelberg, 2004 [123] Q Ni, A Trombetta, E Bertino, and J Lobo, “Privacy-aware role based access control,” in Proceedings of the 12th ACM symposium on Access control models and technologies, SACMAT ’07, (New York, NY, USA), pp 41–50, ACM, 2007 [124] P Gama and P Ferreira, “Obligation policies: an enforcement platform,” in Policies for Distributed Systems and Networks, 2005 Sixth IEEE International Workshop on, pp 203 – 212, june 2005 [125] M Kuhlmann, D Shohat, and G Schimpf, “Role mining - revealing business roles for security administration using data mining technology,” in Proceedings of the eighth ACM symposium on Access control models and technologies, SACMAT ’03, (New York, NY, USA), pp 179–186, ACM, 2003 [126] I Molloy, H Chen, T Li, Q Wang, N Li, E Bertino, S Calo, and J Lobo, “Mining roles with semantic meanings,” in Proceedings of the 13th ACM symposium on Access control models and technologies, SACMAT ’08, (New York, NY, USA), pp 21–30, ACM, 2008 [127] D Zhang, K Ramamohanarao, and T Ebringer, “Role engineering using graph optimisation,” in Proceedings of the 12th ACM symposium on Access BIBLIOGRAPHY 177 control models and technologies, SACMAT ’07, (New York, NY, USA), pp 139–144, ACM, 2007 ... Background 2.1 Access Control Concepts 2.2 Traditional Access Control Models 2.2.1 Mandatory Access Control 2.2.2 Discretionary Access Control 2.2.3 Role Based Access Control 2.3... Detection System Mandatory Access Control Multi-Level Security Originator Controled Model Quantified Risk-Adaptive Access Control Risk Adaptive Access Control Role Based Access Control SecPal Language... if they choose to We propose a novel game theoretic access control model to reason about and influence the factors that may affect users’ incentive to misuse Next we study access control in environments