Nudging for Quantitative Access Control Systems

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8533)


On the one hand, an access control mechanism must make a conclusive decision for a given access request. On the other hand, such a mechanism usually relies on one or several decision-making processes, which can return partial, inconclusive, or conflicting decisions. In some cases, this information might not be sufficient to automatically make a conclusive decision, and the access control mechanism might have to involve a human expert to make the final decision. In this paper, we formalise these decision-making processes as quantitative access control systems, which associate each decision with a measure, indicating for instance the level of confidence of the system in the decision. We then propose to explore how nudging, i.e., modifying the context of the decision-making process for that human expert, can be used in this setting. We thus formalise when such a delegation is required and when nudging is applicable, and illustrate some examples from the MINDSPACE framework in the context of access control.



Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  1. Centre for Cybercrime and Computer Security, Newcastle University, U.K.
