A Formal Model for Soft Enforcement: Influencing the Decision-Maker

  • Charles Morisset
  • Iryna Yevseyeva
  • Thomas Groß
  • Aad van Moorsel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8743)

Abstract

We propose in this paper a formal model for soft enforcement, where a decision-maker is influenced towards a decision rather than forced to select it. This novel type of enforcement is particularly useful when the policy enforcer cannot fully control the environment of the decision-maker, as we illustrate in the context of attribute-based access control by limiting the enforcer's control over attributes. We also show that soft enforcement can improve the security of the system when the influencer is uncertain about the environment, and when neither forcing the decision-maker nor leaving them to make their own selection is optimal. We define the general notion of an optimal influencing policy, which takes into account both the control available to the influencer and the uncertainty in the system.
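The abstract's central claim is that there are situations in which neither forcing the decision-maker nor leaving them alone is optimal, and that the best influencing policy depends on the influencer's belief about the environment. The following Python toy is an added illustration of that claim; it is not the paper's model and none of its numbers come from the page. It assumes a binary environment (a request is either benign or malicious), a binary decision (allow or deny), a system payoff per outcome, and, for each candidate policy, a probability that the decision-maker allows in each state. The "soft" policy stands for an attribute the influencer does control (say, a default-deny prompt) while the final choice stays with the user; the "force" policies remove that choice. All probabilities and payoffs are assumptions chosen to exhibit the effect, and the influencer's uncertainty is modelled as a distribution over possible priors.

```python
"""Toy decision-theoretic comparison of forcing, free choice and soft enforcement.

Added illustration; the states, payoffs and response probabilities below are
assumptions, not values from the paper.
"""

STATES = ("benign", "malicious")
ACTIONS = ("allow", "deny")

# Assumed payoff to the system for (action, true state).
SYSTEM_PAYOFF = {
    ("allow", "benign"): 1.0,      # legitimate work gets done
    ("allow", "malicious"): -5.0,  # a breach
    ("deny", "benign"): -0.5,      # lost productivity, helpdesk cost
    ("deny", "malicious"): 0.0,    # attack blocked
}

# Assumed decision-maker behaviour: P(allow | state) under each policy.
# "free": no influence; the user is mostly right but careless in malicious contexts.
# "soft": a default-deny prompt the user can override; cuts careless allows,
#         at the price of some benign requests being abandoned.
# "force_*": the influencer takes the decision away from the user entirely.
POLICIES = {
    "free":        {"benign": 0.95, "malicious": 0.40},
    "soft":        {"benign": 0.85, "malicious": 0.10},
    "force_deny":  {"benign": 0.00, "malicious": 0.00},
    "force_allow": {"benign": 1.00, "malicious": 1.00},
}


def expected_utility(policy_name: str, p_benign: float) -> float:
    """Expected system payoff of a policy when P(benign) = p_benign."""
    p_allow = POLICIES[policy_name]
    prior = {"benign": p_benign, "malicious": 1.0 - p_benign}
    total = 0.0
    for state in STATES:
        for action in ACTIONS:
            p_action = p_allow[state] if action == "allow" else 1.0 - p_allow[state]
            total += prior[state] * p_action * SYSTEM_PAYOFF[(action, state)]
    return total


def expected_utility_under_belief(policy_name: str, belief: dict) -> float:
    """Average the policy's utility over the influencer's belief about p_benign.

    `belief` maps candidate values of P(benign) to their weights (summing to 1).
    """
    return sum(w * expected_utility(policy_name, p) for p, w in belief.items())


def optimal_policy(belief: dict) -> tuple:
    """Return (policy, utility) maximising expected utility under `belief`."""
    scored = {name: expected_utility_under_belief(name, belief) for name in POLICIES}
    best = max(scored, key=scored.get)
    return best, scored[best]


if __name__ == "__main__":
    for p in (0.6, 0.8, 0.95):
        row = ", ".join(f"{n}={expected_utility(n, p):+.3f}" for n in POLICIES)
        print(f"P(benign)={p:.2f}: {row}")
    # An uncertain influencer: a spread of plausible priors rather than one value.
    uncertain = {0.6: 0.25, 0.8: 0.5, 0.95: 0.25}
    print("optimal under uncertainty:", optimal_policy(uncertain))
```

With these assumed numbers the soft policy dominates at P(benign) = 0.8 (utility 0.52 against 0.34 for free choice and negative values for both forced policies), free choice is best when the influencer is confident the environment is benign (P(benign) = 0.95), and under the mixed belief the soft policy is again optimal. Changing the response probabilities in `POLICIES` is the quickest way to see which assumptions the ranking actually rests on.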

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Charles Morisset, Iryna Yevseyeva, Thomas Groß, Aad van Moorsel
    Centre for Cybercrime and Computer Security, School of Computing Science, Newcastle University, Newcastle upon Tyne, UK