Towards an Access-Control Framework for Countering Insider Threats

Part of the Advances in Information Security book series (ADIS, volume 49)


As insider threats pose very significant security risks to IT systems, we ask what policy-based approaches to access control can do for the detection, mitigation or countering of insider threats and insider attacks. Answering this question is difficult: little public data about insider-threat cases is available; there is not much consensus about what the insider problem actually is; and previous research in access control has by-and-large not dealt with this issue. We explore existing notions of insiderness in order to identify the relevant research issues. We then formulate a set of requirements for next-generation access-control systems, whose realization might form part of an overall strategy to address the insider problem.


Keywords: Access Control, Policy Language, Reputation System, User Account, Access Request




  1. Bishop, M., S. Engle, S. Peisert, S. Whalen, and C. Gates, Case Studies of an Insider Framework, Proc. of Hawaii International Conference on System Sciences, pp. 1–10, IEEE Computer Society Press, 2009.
  2. Bishop, M., D. Gollmann, J. Hunker, and C. W. Probst, Countering Insider Threats, Dagstuhl Seminar 08302, Leibniz Center for Informatics, 18 pp., Dagstuhl Seminar Proceedings, ISSN 1862-4405, July 2008.
  3. Bishop, M., Panel: The Insider Problem Revisited, Proc. of NSPW 2005, ACM Press, 2006.
  4. Brackney, R., and R. Anderson, Understanding the Insider Threat, Proc. of a March 2004 Workshop, RAND Corp., Santa Monica, California, March 2004.
  5. Bruns, G., and M. Huth, Access-Control Policies via Belnap Logic: Effective and Efficient Composition and Analysis, Proc. of CSF 2008, pp. 163–178, IEEE Computer Society Press, 2008.
  6. Bruns, G., D. S. Dantas, and M. Huth, A Simple and Expressive Semantic Framework for Policy Composition in Access Control, Proc. of FMSE 2007, pp. 12–21, ACM Press, 2007.
  7. Chakraborty, S. and I. Ray, TrustBAC: Integrating Trust Relationships into the RBAC Model for Access Control in Open Systems, Proc. of SACMAT ’06, pp. 49–58, ACM Press, 2006.
  8. Cheng, P.-C., P. Rohatgi, C. Keser, P. A. Karger, and G. M. Wagner, Fuzzy Multi-Level Security: An Experiment on Quantified Risk-Adaptive Access Control, IBM Research Report RC24190 (W0702-085), Computer Science, February 2007.
  9. Cook, B., A. Podelski, and A. Rybalchenko, Terminator: Beyond Safety, Proc. of CAV ’06, LNCS 4144, pp. 415–418, Springer, 2006.
  10. Cranor, L. F. and S. Garfinkel (editors), Security and Usability: Designing Secure Systems That People Can Use, O’Reilly, California, August 2005.
  11. Department of Defense Trusted Computer System Evaluation Criteria, Technical Report DoD 5200.28-STD, US Department of Defense, 1985.
  12. Hoffman, K., D. Zage, and C. Nita-Rotaru, A Survey of Attack and Defense Techniques for Reputation Systems, to appear in ACM Computing Surveys, Volume 41, Issue 4, December 2009.
  13. Huth, M., A Simple Language for Policy Composition and Analysis, talk given at [2]. 8.pdf
  14. Jackson, D., Software Abstractions: Logic, Language, and Analysis, MIT Press, 2006.
  15. Jones, S. P., J.-M. Eber, and J. Seward, Composing Contracts: An Adventure in Financial Engineering (Functional Pearl), ACM SIGPLAN Notices 35(9): 280–292, ACM Press, 2000.
  16. Lee, A. and T. Yu, Towards a Dynamic and Composable Model of Trust, Proc. of SACMAT ’09, pp. 217–226, ACM Press.
  17. Locasto, M. E., K. Wang, A. D. Keromytis, and S. J. Stolfo, FLIPS: Hybrid Adaptive Intrusion Prevention, in: Recent Advances in Intrusion Detection, LNCS 3858, pp. 82–101, Springer, 2006.
  18. Moore, A. P., D. M. Cappelli, and R. F. Trzeciak, The “Big Picture” of Insider IT Sabotage Across U.S. Critical Infrastructures, Technical Report CMU/SEI-2008-TR-009, ESC-TR-2008-009, Carnegie Mellon University, May 2008.
  19. The New York Times, French Bank Says Rogue Trader Lost $7 Billion, 25 January 2008.
  20. Patzakis, J., New Incident Response Best Practice: Patch and Proceed is No Longer Acceptable Incident Response Procedure, Guidance Software, Pasadena, California, September 2003.
  21. Park, J., and R. S. Sandhu, The UCON ABC Usage Control Model, ACM Trans. Inf. Syst. Secur. 7(1): 128–174, ACM Press, 2004.
  22. Park, J. S. and J. Giordano, Role-Based Profile Analysis for Scalable and Accurate Insider-Anomaly Detection, Proc. of IPCCC ’06, 2006.
  23. Park, J. S. and J. Giordano, Access Control Requirements for Preventing Insider Threats, Proc. of ISI ’06, LNCS 3975, pp. 529–534, Springer, 2006.
  24. Probst, Ch. W., R. R. Hansen, and F. Nielson, Where Can an Insider Attack?, Proc. of FAST ’06, LNCS 4691, pp. 127–142, Springer, 2006.
  25. Probst, Ch. W. and J. Hunker, The Risk of Risk Analysis and Its Relation to the Economics of Insider Threats, Proc. of the Eighth Workshop on the Economics of Information Security (WEIS 2009), June 2009.
  26. Sandhu, R. S., E. J. Coyne, H. L. Feinstein, and C. E. Youman, Role-Based Access Control Models, IEEE Computer 29(2): 38–47, 1996.
  27. Viega, J. and G. McGraw, Building Secure Software, Addison-Wesley Professional Computing Series, 2002.

Copyright information

© Springer Science+Business Media, LLC 2010

Authors and Affiliations

  1. Information Security Group, Royal Holloway, University of London, Egham, United Kingdom
  2. Department of Computing, Imperial College London, London, United Kingdom
