Abstract
Authorised users (insiders) are behind the majority of security incidents with high financial impact. Because authorisation is the process of controlling users' access to resources, improving authorisation techniques may mitigate the insider threat. Current approaches to authorisation suffer from the assumption that users will not (or cannot) depart from the expected behaviour implicit in the authorisation policy. In reality, however, users can and do depart from the canonical behaviour. This paper argues that the conflict of interest between insiders and authorisation mechanisms is analogous to the subset of problems formally studied in the field of game theory. It proposes a game theoretic authorisation model that ensures users' potential misuse of a resource is explicitly considered when making an authorisation decision. The resulting authorisation model is dynamic in the sense that its access decisions vary according to changes in explicit factors that influence the cost of misuse for both the authorisation mechanism and the insider.
© 2010 Springer-Verlag Berlin Heidelberg
Cite this paper
Salim, F., Reid, J., Dulleck, U., Dawson, E. (2010). Towards a Game Theoretic Authorisation Model. In: Alpcan, T., Buttyán, L., Baras, J.S. (eds) Decision and Game Theory for Security. GameSec 2010. Lecture Notes in Computer Science, vol 6442. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-17197-0_14
DOI: https://doi.org/10.1007/978-3-642-17197-0_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-17196-3
Online ISBN: 978-3-642-17197-0