An approach to access control under uncertainty

Salim, Farzad, Reid, Jason F., Dulleck, Uwe, & Dawson, Edward (2011) An approach to access control under uncertainty. In ARES, IEEE, Vienna University of Technology, Vienna, pp. 1-8.



In dynamic and uncertain environments such as healthcare, where the needs of security and information availability are difficult to balance, an access control approach based on a static policy will be suboptimal regardless of how comprehensive it is. The uncertainty stems from the unpredictability of users’ operational needs as well as their private incentives to misuse permissions. In Role Based Access Control (RBAC), a user’s legitimate access request may be denied because the need for it has not been anticipated by the security administrator. Alternatively, even when the policy is correctly specified, an authorised user may accidentally or intentionally misuse the granted permission. This paper introduces a novel approach to access control under uncertainty and presents it in the context of RBAC. By taking insights from the field of economics, in particular the insurance literature, we propose a formal model in which the values of resources are explicitly defined and an RBAC policy (capturing the predictable access needs) is used only as a reference point to determine the price each user has to pay for access, as opposed to representing hard and fast rules that are always rigidly applied.

Impact and interest:

12 citations in Scopus


Full-text downloads:

186 since deposited on 04 Sep 2011
8 in the past twelve months


ID Code: 45673
Item Type: Conference Paper
Refereed: Yes
Keywords: Access Control, Authorisation, RBAC, Risk, Insider Problem, Incentives, Budget.
DOI: 10.1109/ARES.2011.11
ISBN: 9780769544854 (elec) 9781457709791 (print)
Subjects: Australian and New Zealand Standard Research Classification > INFORMATION AND COMPUTING SCIENCES (080000) > COMPUTER SOFTWARE (080300) > Computer System Security (080303)
Divisions: Current > QUT Faculties and Divisions > QUT Business School
Past > Schools > Computer Science
Past > QUT Faculties & Divisions > Faculty of Science and Technology
Past > Institutes > Information Security Institute
Current > Schools > School of Economics & Finance
Copyright Owner: Copyright 2011 IEEE
Deposited On: 04 Sep 2011 22:46
Last Modified: 11 Dec 2013 03:47
