
A Formal Model for Soft Enforcement: Influencing the Decision-Maker

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8743)

Abstract

In this paper we propose a formal model for soft enforcement, in which a decision-maker is influenced towards a decision rather than forced to select it. This novel type of enforcement is particularly useful when the policy enforcer cannot fully control the environment of the decision-maker, as we illustrate in the context of attribute-based access control by limiting the control over attributes. We also show that soft enforcement can improve the security of the system when the influencer is uncertain about the environment, and when neither forcing the decision-maker nor leaving them to make their own selection is optimal. We define the general notion of an optimal influencing policy, which takes into account both the control of the influencer and the uncertainty in the system.

This work was partially supported by the EPSRC/GCHQ funded project ChAISe (EP/K006568/1) and the project “Data-Driven Model-Based Decision-Making”, part of the NSA funded Centre on Science of Security at University of Illinois at Urbana-Champaign.




© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Morisset, C., Yevseyeva, I., Groß, T., van Moorsel, A. (2014). A Formal Model for Soft Enforcement: Influencing the Decision-Maker. In: Mauw, S., Jensen, C.D. (eds) Security and Trust Management. STM 2014. Lecture Notes in Computer Science, vol 8743. Springer, Cham. https://doi.org/10.1007/978-3-319-11851-2_8

  • DOI: https://doi.org/10.1007/978-3-319-11851-2_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-11850-5

  • Online ISBN: 978-3-319-11851-2

  • eBook Packages: Computer Science (R0)
