A framework for risk assessment in access control systems

We describe a framework for risk assessment specifically within the context of risk-based access control systems, which make authorization decisions by determining the security risk associated with access requests and weighing such security risk against operational needs together with situational conditions. Our framework estimates risk as a product of threat and impact scores. The framework that we describe includes four different approaches for conducting threat assessment: an object sensitivity-based approach, a subject trustworthiness-based approach and two additional approaches which are based on the difference between object sensitivity and subject trustworthiness. We motivate each of the four approaches with a series of examples. We also identify and formally describe the properties that are to be satisfied within each approach. Each of these approaches results in different threat orderings, and can be chosen based on the context of applications or preference of organizations. We also propose formulae to estimate the threat of subject-object accesses within each of the four approaches of our framework. We then demonstrate the application of our threat assessment framework for estimating the risk of access requests, which are initiated by subjects to perform certain actions on data objects, by using the methodology of NIST Special Publication 800-30. We show that risk estimates for access requests actually differ based on the threat assessment approach that has been chosen. Therefore, organizations must make prudent judgement while selecting a threat assessment function for risk-based access control systems.