Approaches to access control under uncertainty

Approaches to Access Control
Under Uncertainty
by

Farzad Salim
Bachelor of Computer Science, AUST United Arab Emirates 2001
Master of Computer Science, UOW Australia 2006

Thesis submitted in accordance with the regulations for
the degree of
Doctor of Philosophy

Information Security Institute
Science and Engineering Faculty
Queensland University of Technology
2012



Keywords
Information security, access control model, role based access control, usage control, insider threat, economics, game theory, agency theory, uncertainty, information asymmetry, incentives, audit, accountability, healthcare, data breach.


Abstract
The ultimate goal of an access control system is to allocate each user the precise
level of access they need to complete their job - no more and no less. This proves
to be challenging in an organisational setting. On one hand employees need
enough access to the organisation’s resources in order to perform their jobs and
on the other hand more access will bring about an increasing risk of misuse, either
intentionally, where an employee uses the access for personal benefit, or
unintentionally, through carelessness or being socially engineered to give access
to an adversary.
This thesis investigates issues of existing approaches to access control in
allocating the optimal level of access to users and proposes solutions in the form of new
access control models. These issues are most evident when uncertainty surrounding
users’ access needs, incentive to misuse and accountability are considered,
hence the title of the thesis.
We first analyse access control in environments where the administrator is
unable to identify the users who may need access to resources. To resolve this
uncertainty an administrative model with delegation support is proposed. Further,
a detailed technical enforcement mechanism is introduced to ensure delegated
resources cannot be misused.
Then we explicitly consider that users are self-interested and capable of
misusing resources if they choose to. We propose a novel game theoretic access
control model to reason about and influence the factors that may affect users’
incentive to misuse.
Next we study access control in environments where neither can users’ access
needs be predicted nor can users be held accountable for misuse. It is shown
that by allocating budget to users, a virtual currency through which they can
pay for the resources they deem necessary, the need for a precise pre-allocation of
permissions can be relaxed. The budget also imposes an upper-bound on users’
ability to misuse. A generalised budget allocation function is proposed and it is
shown that given the context information the optimal level of budget for users
can always be numerically determined.
Finally, the Role Based Access Control (RBAC) model is analysed under the
explicit assumption of administrators’ uncertainty about self-interested users’
access needs and their incentives to misuse. A novel Budget-oriented Role Based
Access Control (B-RBAC) model is proposed. The new model introduces the
notion of users’ behaviour into RBAC and provides means to influence users’
incentives. It is shown how RBAC policy can be used to individualise the cost
of access to resources and also to determine users’ budget. The implementation
overheads of B-RBAC are examined and several low-cost sub-models are proposed.


For my family.



Contents
Front Matter
    Keywords
    Abstract
    List of Figures
    List of Tables
    List of Acronyms
    Declaration
    Previously Published Material
    Acknowledgements

1 Introduction
    1.1 Background & Motivation
        1.1.1 Proposed Solutions to Over-entitlement
        1.1.2 Proposed Solutions to Under-entitlement
        1.1.3 Resource Allocation Under Uncertainty
    1.2 Research Problem and Questions
    1.3 Thesis Contributions
    1.4 Thesis Overview

2 Background
    2.1 Access Control Concepts
    2.2 Traditional Access Control Models
        2.2.1 Mandatory Access Control
        2.2.2 Discretionary Access Control
        2.2.3 Role Based Access Control
    2.3 Credential-based Access Control
        2.3.1 Trust Management
        2.3.2 Digital Rights Management
    2.4 Usage Control
    2.5 Flexible Approaches to Access Control
        2.5.1 Optimistic Approach
        2.5.2 Quantified Risk-based Approach
    2.6 Resource Allocation: Economics & Access Control
        2.6.1 Agency Theory
        2.6.2 Game Theory
            Game Components and Equilibrium
        2.6.3 Applications of Game Theory to Security
    2.7 Conclusion

3 An Administrative Framework For UCON
    3.1 Preliminary
    3.2 Motivating Scenario
    3.3 The Administrative Model (M)
        3.3.1 Peer Model (MP): Subjects, Objects, Assertions
            Direct Assertions
            Delegation Assertions
        3.3.2 Authoriser Model (MA): System policy, Assertions
            Centralised Administration
            Distributed Administration
    3.4 Discussion
    3.5 Conclusion

4 Delegation Enforcement and Usage Scenario
    4.1 Coalitions
        4.1.1 Securing Data Distribution in Coalitions
    4.2 Multi-Layer Licencing Model
    4.3 Implementation Using XrML
        4.3.1 Data Encryption
        4.3.2 Delegation
            Constructing a delegation licence
            Obtaining a distribution licence
        4.3.3 Distribution
            Creating distribution licences
            Issuing usage licences
        4.3.4 Usage
    4.4 Application Scenario
    4.5 Discussion
    4.6 Conclusion

5 Game Theoretic Analysis of Access Control
    5.1 The Problem
    5.2 User’s Type Classification
    5.3 Game Theoretic Model
        5.3.1 Nash Equilibrium and its Implications
    5.4 Case-based Analysis
        5.4.1 Case 1: Inexpensive Resource
        5.4.2 Case 2: Expensive Resource
            Mixed Strategy Equilibrium
            Influencing Payoff Factors
    5.5 Discussion
    5.6 Conclusion

6 Optimal Escalation Budget
    6.1 The Problem
    6.2 Static Handling of Escalations
    6.3 Optimal Escalation Budget
    6.4 Generalisation
        6.4.1 Optimal Escalation budget
    6.5 Discussion
    6.6 Conclusion

7 Budget-oriented Role Based Access Control (B-RBAC)
    7.1 The Problem
    7.2 The Model
        7.2.1 Task Consequences
        7.2.2 Role Weight
        7.2.3 Price of Permission
    7.3 Escalation Capability
        7.3.1 Price Discrimination Mechanism
        7.3.2 Budget Allocation Function
    7.4 Security Implications
        7.4.1 Risk Communication
        7.4.2 Risk Transfer
        7.4.3 Risk Control
        7.4.4 Escalation Handling
        7.4.5 Effective Monitoring
            Erroneous Budget Allocation
            Permission Misuse
        7.4.6 Effective Misuse Detection and Prevention
            Impersonation Attack
            Denial of Service Attack
    7.5 Enforcement Considerations
        7.5.1 Enforcement Sub-Models
        7.5.2 Usage Control Framework
    7.6 Discussion
    7.7 Conclusion

8 Conclusion
    8.1 Summary of Contributions
    8.2 Summary of Main themes and Conclusions
        8.2.1 Access Control: Resource Allocation Under Uncertainty
        8.2.2 Delegation Capability
        8.2.3 Delegation Enforcement
        8.2.4 Reasoning About Users’ Incentives To Misuse
        8.2.5 Uncertain Administrator and Unaccountable Users
        8.2.6 RBAC with Budget and Incentives
    8.3 Open Questions and Future Work

Bibliography


List of Figures
2.1 A digital rights management system [55]
2.2 UCON mutability and continuity [59]

3.1 UCONABC model [46]
3.2 Administrative model (M)
3.3 System View: identifying the authority root

4.1 Licensing data to a coalition.
4.2 Licensing data within a data processor.
4.3 A root delegation licence.
4.4 A distribution licence.
4.5 A usage licence.

7.1 Tasks, types and consequences
7.2 states and consequences
7.3 Derivation of a role’s weight
7.4 Role escalation


List of Tables
1.1 Assumptions throughout thesis

3.1 The grammar of facts

5.1 Player’s payoffs
5.2 Case one: parameters
5.3 Case one: payoffs
5.4 Case two: parameters
5.5 Case two: payoffs
5.6 Expensive resource and high chance of punishment

6.1 Gross utility from delegation
6.2 Comparison between models

7.1 Enforcement models
7.2 Enforcement models: analysis of implementation costs



List of Acronyms
AC        Accessibility Graph
AT        Allowed Transaction Graph
B-RBAC    Budget-oriented Role Based Access Control
BARAC     Benefit and Risk Access Control
CMS       Content Management System
DAC       Discretionary Access Control
DoS       Denial of Service
DRM       Digital Rights Management
IDS       Intrusion Detection System
MAC       Mandatory Access Control
MLS       Multi-Level Security
ORCON     Originator Controlled Model
QRAAC     Quantified Risk-Adaptive Access Control
RAC       Risk Adaptive Access Control
RBAC      Role Based Access Control
SecPal    SecPal Language
TM        Trust Management
TPM       Trusted Platform Module
TBAC      Task Based Access Control
UCON      Usage Control Model
XML       Extensible Markup Language
XPath     XML Path Language
XrML      eXtensible Rights Markup Language



Declaration
The work contained in this thesis has not been previously submitted for a degree
or diploma at any higher education institution. To the best of my knowledge and
belief, the thesis contains no material previously published or written by another
person except where due reference is made.

Signed:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Date:. . . . . . . . . . . . . . . . . . . . . .



Previously Published Material
[1] Farzad Salim, Jason Reid, and Ed Dawson. An administrative model for
UCONABC. In Proceedings of the Eighth Australasian Conference on Information
Security, volume 105 of AISC’10, pages 32–38, Brisbane, Australia,
January 2010. Australian Computer Society, Inc. (Best Student Paper)
[2] Farzad Salim, Nicholas Paul Sheppard and Rei Safavi-Naini. A rights management
approach to securing data distribution in coalitions. In Proceedings of
the Fourth International Conference on Network and System Security, NSS’10,
pages 560–567, Melbourne, Australia, September 2010. IEEE Computer Society.
[3] Farzad Salim, Jason Reid, and Ed Dawson. Towards authorisation models
for secure information sharing: A survey and research agenda. The ISC International
Journal of Information Security (ISeCure), Vol 2, pages 67–85, July 2010.
[4] Ed Dawson, Jason Reid, Farzad Salim, and Mark Burdon. Information
sharing in the 21st century: progress and challenges. In Proceedings of the
Eighth Australasian Conference on Information Security - Volume 105, AISC
’10, pages 2–2, Brisbane, Australia, 2010. Australian Computer Society, Inc.
(Keynote)
[5] Farzad Salim, Jason Reid, Uwe Dulleck, and Ed Dawson. Towards a game
theoretic approach to authorisation. In Decision and Game Theory for Security
(GameSec), volume 6442 of Lecture Notes in Computer Science, pages 208–219,
Springer/Heidelberg, November 2010.
[6] Farzad Salim, Jason Reid, Uwe Dulleck and Ed Dawson. Access Control:
Allocating Resources to Selfish Agents. In Special Issue on Decision and Game
Theory for Security, IEEE Communications Society, Vol 6, No 4, pages 18-21,
April 2011.
[7] Ed Dawson, Farzad Salim, Jason Reid, Uwe Dulleck. Authorisation Models
for Dynamic Environments. Presented at 9th International Conference on
Applied Cryptography and Network Security (ACNS), June 2011. (Keynote)
[8] Farzad Salim, Jason Reid, Ed Dawson and Uwe Dulleck. An Approach to
Access Control Under Uncertainty. In Proceedings of Sixth International
Conference on Availability, Reliability and Security, pages 1-8, IEEE Computer
Society, August 2011. (Best Paper)
[9] Farzad Salim, Uwe Dulleck, Jason Reid and Ed Dawson. Optimal Budget
Allocation in Budget-based Access Control. In Proceedings of Sixth International
Conference on Availability, Reliability and Security, IEEE Computer
Society, pages 591-596, August 2011.



Acknowledgements
I may not have reached this point in my studies were it not for the inspiration and support offered to me by a number of talented individuals, to whom
I would like to express my thanks and appreciation. My sincere gratitude goes
to my supervisors, Prof. Emeritus Ed Dawson, Dr. Jason Reid and Prof. Uwe
Dulleck for their excellent guidance, encouragement and support. Ed’s vision
and experience, Jason’s meticulous approach and Uwe’s poignant comments have
significantly improved the quality of my thesis. Dr. Nicholas Sheppard and
Prof. Rei Safavi-Naini also deserve special mention for their valuable input and
collaboration on the work that formed Chapter 4 of this thesis.
During my time as a doctoral student in the Information Security Institute
(ISI) I had a chance to meet many interesting individuals. I want to express my
gratitude to my good friend Mark Branagan, his unique sense of humour, wits
and ability to discuss topics with passion has brought joy to many of my days
at ISI. I would also like to acknowledge the friendship of Sajal Bhatia whose
positive personality provided a calming influence. I was also lucky to enjoy the
friendship of Juanma González Nieto, who along with Jason and Andrew Clark
made excellent squash buddies.
In addition, I’d like to thank all the members of ISI for their friendship and
contributions to a supportive atmosphere. I would particularly like to mention:
Ali Alhamdan, James Birket, Colin Boyd, Chai Wen Chuah, Craig Costello,
Chris Djamaludin, Ernest Foo, Choudary Gorantla, Huseyin Hisil, Nishchal
Kush, Lakshmi Kuppusamy, Kaleb Lee, Georg Lippold, Andrew Marrington,
Mufeed Al Mashrafi, Kenneth Radke, Jothi Rangasamy, Jason Smith, Douglas
Stebila, Suriadi Suriadi, Sui Guan Teo and Andrew White.
My deep and sincere gratitude goes to my parents, who formed part of my
vision to be a constructive part of the whole. Their unconditional love,
encouragement and support gave me the confidence to push boundaries and explore. I
am grateful to my brother and my sisters for always being there for me. I would
also like to thank my father-in-law, mother-in-law and sisters-in-law for their
love and support throughout the course of my PhD. Last but not least I would
like to thank my love Yasaman, who I met in the first week after enrolling in the
PhD program. Without her love, support, patience and optimism I would have
not been able to finish.


Chapter 1

Introduction
In past decades information systems have been revolutionised by low-cost information and communications technology. This has led organisations to try to
derive competitive advantage through specialisation, strategic partnerships, and
collaboration. Today, ad-hoc collaboration, outsourcing and resource sharing
between organisations are not only a possibility but a necessity for their survival
and competitiveness. For instance, government and private organisations that
are part of a nation’s critical infrastructure (e.g., electricity, telecommunications)
share information to recognise system vulnerabilities, provide response to threats
and to minimise the expected consequence of adverse events. In healthcare, electronic health record systems are used to collect and share health information
about patients within and between hospitals, laboratories and potentially with
government officials or insurance companies.
It is therefore paramount for organisations to strike a balance between protecting their sensitive resources and providing timely access to them.
Achieving this balance is a challenge both when resources are shared between
organisations and when resources are being allocated to employees within a single organisation. On the one hand employees need enough access to resources
to perform their tasks. On the other hand more access brings about an increasing risk of misuse. This misuse may be intentional, where an employee uses
the permission to use the resource for personal benefit, or unintentional through
carelessness, or being socially engineered to give access to an adversary [1]. In
this setting, the ultimate goal and responsibility of a security administrator is to