A calculus for the qualitative risk assessment of policy override authorization

SIN'10 - Proceedings of the 3rd International Conference of Security of Information and Networks

Volumn , Issue , 2010, Pages 62-70

  Bartsch, Steffen ^a  

^a UNIVERSITY OF BREMEN   (Germany)

Author keywords

Authorization policy; Policy override; Risk assessment

Indexed keywords

ASSESSMENT PRACTICES; AUTHORIZATION POLICY; DECISION MAKING PROCESS; POLICY OVERRIDE; QUALITATIVE RISK ASSESSMENT; RESEARCH COMMUNITIES;

CALCULATIONS; FREQUENCY HOPPING; SECURITY OF DATA;

RISK ASSESSMENT;

EID: 77958052214     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1854099.1854115     Document Type: Conference Paper

References (43)

1. C. Alberts, A. Dorofee, J. Stevens, and C. Woody. Introduction to the OCTAVE Approach. CarnegieMellon, Pittsburgh, PA, USA, August 2003.
2. Association of Certified Fraud Examiners (ACFE). Report to the nation on occupational fraud & abuse, 2006.
3. Audit Commission. Opportunity Makes a Thief: an Analysis of Computer Abuse. Audit Commission Publication, London, UK, 1994.
4. L. Badger. Providing a exible security override for trusted systems. In CSFW, pages 115-121, 1990.
5. R. Baskerville. Information systems security design methods: implications for information systems development. ACM Comput. Surv., 25(4):375-414, 1993.
6. D. W. Britton and I. A. Brown. A security risk measurement for the RAdAC model. Master's thesis, Naval Postgraduate School Monterey, CA, March 2007.
7. Bundesamt füherheit in der Informationstechnik (BSI). BSI-Standard 100-2: IT-Grundschutz-Vorgehensweise. Version 2.0, 2008.
8. P. L. Campbell and J. E. Stamp. A classification scheme for risk assessment methods. Technical Report SAND2004-4233, Sandia National Laboratories, 2004.
9. D. Cappelli, A. Moore, R. F. Trzeciak, and T. J. Shimeall. Common sense guide to prevention and detection of insider threats 3rd edition - version 3.1. Technical report, CarnegieMellon, January 2009.
10. P.-C. Cheng, P. Rohatgi, C. Keser, P. A. Karger, G. M. Wagner, and A. S. Reninger. Fuzzy multi-level security: An experiment on quantified risk-adaptive access control. In SP '07: Proceedings of the 2007 IEEE Symposium on Security and Privacy, pages 222-230, Washington, DC, USA, 2007. IEEE Computer Society.
11. R. Choudhary. A policy based architecture for NSA RAdAC model. In Information Assurance Workshop (IAW 05), pages 294-301, June 2005.
12. I. Denley and S. W. Smith. Privacy in clinical information systems in secondary care. BMJ, 318(7194):1328-31, May 1999.
13. N. N. Diep, L. X. Hung, Y. Zhung, S. Lee, Y.-K. Lee, and H. Lee. Enforcing access control using risk assessment. In Universal Multiservice Networks, 2007. ECUMN '07. Fourth European Conference on, pages 419-424, feb. 2007.
14. N. Dimmock, A. Belokosztolszki, D. Eyers, J. Bacon, and K. Moody. Using trust and risk in role-based access control policies. In SACMAT '04: Proceedings of the ninth ACM symposium on Access control models and technologies, pages 156-162, New York, NY, USA, 2004. ACM.
15. T. Gilovich, D. W. Griffin, and D. Kahneman, editors. Heuristics and biases: the psychology of intuitive judgement. Cambridge University Press, 2002.
16. F. A. Hayek. The use of knowledge in society. American Economic Review, 35:519-530, September 1945. Reprinted in F.A. Hayek (ed.), Individualism and Economic Order. London: Routledge and Kegan Paul.
17. HIPAA. Break glass procedure: Granting emergency access to critical ePHI systems. Retrieved on Jan, 11 2009, 2009.
18. J. Jaisingh and J. Rees. Value at risk: A methodology for information security risk assessment. In In Proceedings of the INFORMS Conference on Information Systems and Technology, 2001.
19. B. Karabacak and I. Sogukpinar. Isram: information security risk analysis method. Computers & Security, 24(2):147-159, 2005.
20. A. K. Lenstra and T. Voss. Information security risk assessment, aggregation, and mitigation. In H. Wang, J. Pieprzyk, and V. Varadharajan, editors, ACISP, volume 3108 of Lecture Notes in Computer Science, pages 391-401. Springer, 2004.
21. J. J. Longstaff, M. A. Lockyer, and M. G. Thick. A model of accountability, confidentiality and override for healthcare and other applications. In RBAC '00: Proceedings of the fifth ACM workshop on Role-based access control, pages 71-76, New York, NY, USA, 2000. ACM.
22. G. Magklaras and S. Furnell. Insider threat prediction tool: Evaluating the probability of it misuse. Computers & Security, 21(1):62-73, 2002.
23. J. A. Miller, M. Fan, S. Wu, I. B. Arpinar, A. P. Sheth, and K. J. Kochut. Security for the METEORworkow management system. Technical report, UGA-CS-LDIS, University of Georgia, 1999.
24. A. Moore, D. Cappelli, and R. F. Trzeciak. The "big picture" of insider IT sabotage across U.S. critical infrastructures. Technical Report CMU/SEI-2008-TR-009, CarnegieMellon, May 2008.
25. NIST. Fips 65: Guidelines for automatic data processing risk analysis. Technical report, NIST, 1975.
26. NIST. Fips 191: Guideline for the analysis local area network security. Technical report, NIST, 1994.
27. T. R. Peltier. Information security risk analysis. CRC press, 2005.
28. D. Povey. Optimistic security: a new access control paradigm. In NSPW '99: Proceedings of the 1999 workshop on New security paradigms, pages 40-45, New York, NY, USA, 2000. ACM.
29. M. R. Randazzo, M. Keeney, E. Kowalski, D. Cappelli, and A. Moore. Insider threat study: Illicit cyber activity in the banking and finance sector. Technical Report CMU/SEI-2004-TR-021, CarnegieMellon, June 2005.
30. E. Rissanen, B. S. Firozabadi, and M. J. Sergot. Towards a mechanism for discretionary overriding of access control. In B. Christianson, B. Crispo, J. A. Malcolm, and M. Roe, editors, Security Protocols Workshop, volume 3957 of Lecture Notes in Computer Science, pages 312-319. Springer, 2004.
31. L. Røstad and O. Edsberg. A study of access control requirements for healthcare systems based on audit trails from access logs. In ACSAC, pages 175-186. IEEE Computer Society, 2006.
32. J. H. Saltzer and M. D. Schroeder. The protection of information in computer systems. In Proceedings of the IEEE 63-9, 1975.
33. R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman. Role-based access control models. IEEE Computer, 29(2):38-47, 1996.
34. E. E. Schultz. A framework for understanding and predicting insider attacks. Computers & Security, 21(6):526-531, 2002.
35. W. Stallings and L. Brown. Computer security: principles and practice. Pearson Prentice Hall, 2008.
36. G. Stevens and V. Wulf. A new dimension in access control: studying maintenance engineering across organizational boundaries. In CSCW '02: Proceedings of the 2002 ACM conference on Computer supported cooperative work, pages 196-205, New York, NY, USA, 2002. ACM.
37. G. Stoneburner, A. Goguen, and A. Feringa. Risk management guide for information technology systems - NIST special publication 800-30. Technical report, National Institute of Standards and Technology, 2002.
38. The CRAMM Manager. Cramm user guide issue 5.1. Technical report, Insight Consulting, 2005.
39. R. Willison. Understanding the perpetration of employee computer crime in the organisational context. Information and Organization, 16(4):304-324, 2006.
40. R. Willison and J. Backhouse. Opportunities for computer crime: considering systems risk from a criminological perspective. European Journal, 15(4), 2006.
41. B. Wood. An insider threat model for adversary simulation. In R. H. Anderson, T. Bozek, T. Longstaff, W. Meitzler, M. Skroch, and K. Van Wyk, editors, Research on Mitigating the Insier Threat to Information Systems #2. RAND, 2000.
42. X. Zhao and M. E. Johnson. Access exibility with escalation and audit. In WISE 2008: Twentieth Workshop on Information Systems and Economics, 2008.
43. X. Zhao and M. E. Johnson. The value of escalation and incentives in managing information access. In Managing Information Risk and the Economics of Security. Springer-Verlag New York, Inc., 2009.