Title: Approaches to access control under uncertainty
Creator: Salim, Farzad
Subject: information security, access control model, role based access control, usage control, insider threat, economics, game theory, agency theory, uncertainty, information asymmetry, incentives, audit, accountability, healthcare, data breach

Description:

The ultimate goal of an access control system is to allocate each user the precise level of access they need to complete their job - no more and no less. This proves to be challenging in an organisational setting. On one hand employees need enough access to the organisation’s resources in order to perform their jobs and on the other hand more access will bring about an increasing risk of misuse - either intentionally, where an employee uses the access for personal benefit, or unintentionally, through carelessness or being socially engineered to give access to an adversary.

This thesis investigates issues of existing approaches to access control in allocating optimal level of access to users and proposes solutions in the form of new access control models. These issues are most evident when uncertainty surrounding users’ access needs, incentive to misuse and accountability are considered, hence the title of the thesis.

We first analyse access control in environments where the administrator is unable to identify the users who may need access to resources. To resolve this uncertainty an administrative model with delegation support is proposed. Further, a detailed technical enforcement mechanism is introduced to ensure delegated resources cannot be misused.

Then we explicitly consider that users are self-interested and capable of misusing resources if they choose to. We propose a novel game theoretic access control model to reason about and influence the factors that may affect users’ incentive to misuse.

Next we study access control in environments where neither users’ access needs can be predicted nor can they be held accountable for misuse. It is shown that by allocating budget to users, a virtual currency through which they can pay for the resources they deem necessary, the need for a precise pre-allocation of permissions can be relaxed. The budget also imposes an upper-bound on users’ ability to misuse. A generalised budget allocation function is proposed and it is shown that given the context information the optimal level of budget for users can always be numerically determined.

Finally, the Role Based Access Control (RBAC) model is analysed under the explicit assumption of administrators’ uncertainty about self-interested users’ access needs and their incentives to misuse. A novel Budget-oriented Role Based Access Control (B-RBAC) model is proposed. The new model introduces the notion of users’ behaviour into RBAC and provides means to influence users’ incentives. It is shown how RBAC policy can be used to individualise the cost of access to resources and also to determine users’ budget. The implementation overheads of B-RBAC are examined and several low-cost sub-models are proposed.

Publisher: Queensland University of Technology
Date: 2012
Type: Thesis
Format: application/pdf
Relation: https://eprints.qut.edu.au/58408/1/Farzad_Salim_Thesis.pdf
Rights: free_to_read
Relation: Salim, Farzad (2012) Approaches to access control under uncertainty. PhD thesis, Queensland University of Technology.
ID number: https://eprints.qut.edu.au/58408/
Identifier: Information Security Institute; Science & Engineering Faculty