Beyond risk-based access control: towards incentive-based access control

  • Authors: Debin Liu; Ninghui Li; XiaoFeng Wang; L. Jean Camp

  • Affiliations: School of Informatics and Computing, Indiana University, Bloomington, Indiana; Department of Computer Science, Purdue University, West Lafayette, Indiana; School of Informatics and Computing, Indiana University, Bloomington, Indiana; School of Informatics and Computing, Indiana University, Bloomington, Indiana

  • Venue: FC'11 Proceedings of the 15th international conference on Financial Cryptography and Data Security
  • Year: 2011

Abstract

In recent years, risk-based access control has been proposed as an alternative to traditional rigid access control models such as multi-level security and role-based access control. While these approaches make the risks associated with exceptional access accountable and encourage users to take low-risk actions, they also create disincentives for seeking necessary risky accesses. We introduce a novel incentive mechanism based on Contract Theory. Another benefit of our approach is avoiding the need for an accurate estimate of the risk associated with each access. We demonstrate that Nash Equilibria can be achieved in which the user's optimal strategy is performing the risk-mitigation efforts to minimize her organization's risk, and conduct human-subject studies to empirically confirm the theoretical results.