Abstract
We propose in this paper a formal model for soft enforcement, where a decision-maker is influenced towards a decision rather than forced to select it. This novel type of enforcement is particularly useful when the policy enforcer cannot fully control the environment of the decision-maker, as we illustrate in the context of attribute-based access control by limiting the control over attributes. We also show that soft enforcement can improve the security of the system when the influencer is uncertain about the environment, and when neither forcing the decision-maker nor leaving them to make their own selection is optimal. We define the general notion of an optimal influencing policy, which takes into account both the control of the influencer and the uncertainty in the system.
This work was partially supported by the EPSRC/GCHQ funded project ChAISe (EP/K006568/1) and the project “Data-Driven Model-Based Decision-Making”, part of the NSA funded Centre on Science of Security at University of Illinois at Urbana-Champaign.
Copyright information
© 2014 Springer International Publishing Switzerland
Cite this paper
Morisset, C., Yevseyeva, I., Groß, T., van Moorsel, A. (2014). A Formal Model for Soft Enforcement: Influencing the Decision-Maker. In: Mauw, S., Jensen, C.D. (eds) Security and Trust Management. STM 2014. Lecture Notes in Computer Science, vol 8743. Springer, Cham. https://doi.org/10.1007/978-3-319-11851-2_8
DOI: https://doi.org/10.1007/978-3-319-11851-2_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-11850-5
Online ISBN: 978-3-319-11851-2