Journal title: Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications
Print ISSN: 2093-5374
Electronic ISSN: 2093-5382
Publication year: 2010
Volume: 1
Issue: 1
Pages: 29-45
Publisher: Innovative Information Science & Technology Research Group
Abstract: The insider threat has been framed as protection of the network from insiders whose threat level may be unknown to the organization. In this paper, we propose a Budget-Based Access Control Model to mitigate the insider threat. We provide an order of magnitude price for every access right and assign each individual user a risk budget. The price for access is then personalized based on the observed historical behavior of the user. The risk budget represents the amount of risks an organization can tolerate from that employee. Each access right of a user may cost him certain risk points. The incentives come in the forms of punishments and rewards. The punishments are triggered by the risk budget exhaustion. On the other hand, those whose risk behavior is aligned with the organization's risk preferences will be rewarded. The human-subject experimental results demonstrate our model's positive influence on the users' risk behavior. In addition, this work is distinguished from previous risk-based access controls by our modeling of users' behaviors, prevention of risk point hoarding and provision of explicit pricing. All risk-based access inherently constrains behavior incentives