Policy override is gaining traction in the research community as a way to improve the efficiency and usability of authorization mechanisms. These mechanisms turn conventional privileges into a soft boundary that users may override in exceptional situations. The challenge for the practical deployment of policy override mechanisms is often deciding whether policy override is adequate and, if so, to what extent. In this paper, we propose a calculus to support this decision-making process. The calculus is based on proven risk assessment practices and derives a qualitative result on the adequacy for specific roles and override extents. Moreover, we developed a tool to support the policy override risk assessment. The calculus and the tool are briefly evaluated in two distinct contexts.