Abstract
In recent years, risk-based access control has been proposed as an alternative to traditional rigid access control models such as multi-level security and role-based access control. While these approaches make the risks associated with exceptional access accountable and encourage the users to take low-risk actions, they also create the disincentives for seeking necessary risky accesses. We introduce novel incentive mechanism based on Contract Theory. Another benefit of our approach is avoiding accurate estimate of the risk associated with each access. We demonstrate that Nash Equilibria can be achieved in which the user’s optimal strategy is performing the risk-mitigation efforts to minimize her organization’s risk, and conduct human-subject studies to empirically confirm the theoretical results.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Elliott Bell, D., LaPadula, L.J.: Secure computer systems: Unified exposition and Multics interpretation. Technical Report ESD-TR-75-306, Mitre Corporation (March 1976)
MITRE Corporation. Horizontal integration: Broader access models for realizing information dominace. Technical Report JSR-04-132, JASON Defense Advisory Panel Reports (2004)
Molloy, I., Cheng, P., Rohatgi, P.: Trading in risk: Using markets to improve access control. In: New Security Paradigms Workshop, Olympic, California. Applied Computer Security Associates (September 2008)
Yemini, A., Dailianas, D., Florissi, Huberman, G.: Marketnet: Market-based protection of information systems. In: The 12th Int. Symp. on Dynamic Games and Applications (2006)
Liu, D., Wang, X., Camp, L.J.: Mitigating Inadvertent Insider Threats with Incentives. In: Dingledine, R., Golle, P. (eds.) FC 2009. LNCS, vol. 5628, pp. 1–16. Springer, Heidelberg (2009)
Osborne, M.J., Rubenstein, A.: A Course in Game Theory. The MIT Press, Cambridge (1994)
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Liu, D., Li, N., Wang, X., Camp, L.J. (2012). Beyond Risk-Based Access Control: Towards Incentive-Based Access Control. In: Danezis, G. (eds) Financial Cryptography and Data Security. FC 2011. Lecture Notes in Computer Science, vol 7035. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-27576-0_9
Download citation
DOI: https://doi.org/10.1007/978-3-642-27576-0_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-27575-3
Online ISBN: 978-3-642-27576-0
eBook Packages: Computer ScienceComputer Science (R0)