"Need-to-know" principle and fuzzy security clearances modelling
Authors: Lech J. Janczewski and Victor Portougal
Abstract
The paper discusses the assignment of security clearances to employees in a security-conscious organisation. New approaches are suggested for solving two major problems. First, full implementation of the "need-to-know" principle is provided by the introduction of data access statements (DAS) as part of an employee's job description. Second, for the problem of setting up border points between different security clearances, the paper introduces a fuzzy set model. This model helps to solve this problem, effectively connecting it with the cost of security.

hierarchy the highest security clearance you must have". Such an approach clearly incurs significant problems. At one extreme a person might have a security clearance that is too high for his/her job, which increases the total cost of the security system. The higher the security clearance, the higher the cost (for instance, of security training). At the opposite extreme a person with a security clearance too low for his/her job must obtain temporary authority for accessing specific documents. Such a procedure could be costly and time consuming and decrease the efficiency of operations. Portougal and Janczewski (1998) demonstrated in detail the consequences of the described approach in complex hierarchical structures.

A competing and more logical idea is to apply the "need to know" principle. Unfortunately, this principle does not give adequate guidance to management as to how to set up security clearances for each member of staff. Amoroso (1994) describes the "principle of least privilege". Its recommended application is based on subdividing the information system into certain data domains. Data domains mainly contain secret or confidential information. Users have privileges (rights of access) to perform the operations for which they have a legitimate need. "Legitimate need" for a privilege is generally based on a job function (or role). If a privilege includes access to a domain with confidential data, then the user is assigned a corresponding security clearance. The main flaw of this approach is easy to see: a user has access to the whole domain even if he/she does not need a major part of it. Thus the assigned security clearance may be excessive. A similar problem arises regarding the security category of an object. A particular document (domain) could be labelled "confidential" or "top secret" even if it contains a single element of confidential (top secret) information.

In this paper we suggest another realisation of the "need to know" principle. Our method is based on data access statements (DAS), defined for every employee as part of their job description. A DAS lists all data elements needed by an employee to perform her/his duties effectively. Thus we shift the assignment of security clearance from the domain level to the element level. Figure 1 summarises existing methodologies of assigning security clearances to members of organisations. Our approach not only solves the difficult problem of defining individual security clearances; it also connects this problem to the more general problems of the security of the organisation as a whole, of security cost and of cost optimisation.

In the first chapter we introduce an example of a production facility which we will use to explain our method. In the second chapter we define the DAS as the basic measure of employee security clearance. In the next chapter we describe the modelling of security clearances and the factors influencing this activity; there we also introduce fuzzy sets to define security clearances and show their applicability by an example. The paper concludes with a summary of the results and suggestions for future research.

A production facility example

To illustrate the problem of data security in a production environment we consider the case of a production facility. Let us assume that this facility has four managers with their responsibilities determined in the following areas: general, planning, manufacturing, purchasing and sales. Each of them is responsible for a number of activities. All this is shown in Figure 2 (after Portougal and Janczewski, 1998). It should be noted that:
- each production unit manufactures different products;
- each organisational unit employs at least one manager;
- if a person has access to specific data but uses only part of it, it is assumed that he/she is using all of it. Therefore all data collected is used.

The production facility has an information system. Table I lists all the data elements used within this organisation. Every data element has an assigned confidentiality parameter (CP), which characterises its importance from the point of view of security. For more on assigning CPs refer to Portougal and Janczewski (1998). In this example we assume that each data element is independent, so knowledge of a particular element does not allow one to find the value of another. In order not to overcomplicate the example we assume all CPs equal to 1.

Data access statement

There is a lot of attention in the literature to employee specifications and job analysis. It is strange, though, that one of the most important aspects of job analysis, which is information use, is completely absent from the specification. We suggest that, in addition to the main content of a job description, a data access statement (DAS) be added for every employee. Schuler et al. (1992) defined the following components of a job description:
- job or payroll title;
- job number and job group to which the job belongs;
- department and/or division where the job is located;
- name of incumbent and name of job analyst;
- primary function or summary of the job;
- description of the major duties and responsibilities of the job;
- description of the skills, knowledge and abilities;
- relationship to other jobs.

The job description is the best place to define the security clearance of an employee through a DAS. It could be, for instance, an additional "bullet point" in the above list. DAS was introduced earlier by Portougal and Janczewski (1998), and was defined as follows:
- The DAS of a staff member is a vector containing data access statement elements (DASE) as its components.
- Each DASE defines what type of access to information/data is allowed (read, write, delete, etc.).
- Each DASE is defined as a result of the analysis of the job description document related to the given position.
- Each DASE has a confidentiality parameter (CP) assigned; being an element of the organisation's database, it should carry the same CP value as in, e.g., Table I.

DAS statements for the facility presented in Figure 2 are shown in Table II. The row numbers indicate the corresponding DASE; for example "1" denotes the volume of production. At the bottom of each column the total value of accessible information is shown. We shall call it the SCV (security clearance value), thus tying the assignment of a security clearance to the volume of accessible information.

Modelling security clearances

A security clearance allows a person to access a certain part of a database. We can assume that the optimum security clearance is assigned strictly in accordance with the "need to know" principle. Unfortunately, the "need to know" principle assigns to every employee a specific area of the database, and generally there will be as many different areas as there are employees. At the same time, there is always a limited (two to four) number of security clearances. Thus the assigned clearance will practically always differ from the optimum, lying below or above that optimal point. Clearly, the probability of an information leak goes up as the difference between the actually assigned clearance and the optimum clearance increases. At the same time, assigning extra security clearance involves extra cost.

Let us analyse the cost of assigning security clearances to particular persons in more detail. The best-known security standard, the British Code of Practice (BS 7799, 1995), introduces ten categories of security measures divided into such domains as:
- management of information security;
- security of the physical site;
- computer and network security;
- access control;
- system development and maintenance;
- personnel security;
- business contingency planning.

It is obvious that there is a positive correlation between the security of the system, the number of security measures and their costs, i.e.:

more security measures → more secure system → more costs

Many sources (Frank, 1992) indicate that the above correlation is not linear but tends to grow exponentially. A similar situation exists in the case of assigning security clearances. A higher security clearance for an employee means higher expenditure for the employer. The structure of costs would be somewhat different from the

Figure 1: Taxonomy of assigning security clearances methods

Lech J. Janczewski and Victor Portougal, "Need-to-know" principle and fuzzy security clearances modelling, Information Management & Computer Security 8/5 [2000] 210-217
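The DAS, SCV and clearance-gap ideas from the two sections above, worked through in Python as an added example that is not the paper's own code. The data elements, the DAS statements and the treatment of a clearance level as an SCV ceiling are all constructed assumptions; the paper's Tables I and II are not on this page.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple
# Constructed data elements for the facility example (the paper's Table I is
# not on this page); every CP is 1, as the paper's example assumes.
DATA_ELEMENTS: Dict[str, int] = {
    "volume of production": 1, "production plan": 1, "unit costs": 1,
    "supplier prices": 1, "customer orders": 1, "sales forecast": 1,
}

@dataclass(frozen=True)
class DASE:
    """One data access statement element: a data element and the access allowed."""
    element: str   # key into DATA_ELEMENTS
    access: str    # "read", "write", "delete", ...

def scv(das: List[DASE]) -> int:
    """Security clearance value: total CP of the distinct elements a DAS grants."""
    return sum(DATA_ELEMENTS[e] for e in {d.element for d in das})

def lowest_covering_level(value: int, levels: List[int]) -> int:
    """Lowest clearance level (assumed to be an SCV ceiling) covering `value`;
    falls back to the top level when none does."""
    covering = [lvl for lvl in sorted(levels) if lvl >= value]
    return covering[0] if covering else max(levels)

def clearance_gap(value: int, level: int) -> Tuple[int, int]:
    """(excess, deficit) against the optimum SCV: excess is paid-for but unneeded
    access; deficit is information the employee needs temporary authority for."""
    return (max(level - value, 0), max(value - level, 0))

def facility_report(staff: Dict[str, List[DASE]],
                    levels: List[int]) -> Dict[str, Tuple[int, int, int]]:
    """Per employee: (SCV, assigned level, excess) using the lowest covering level."""
    report = {}
    for name, das in staff.items():
        value = scv(das)
        level = lowest_covering_level(value, levels)
        report[name] = (value, level, clearance_gap(value, level)[0])
    return report

# Constructed DAS statements, not the paper's Table II.
STAFF: Dict[str, List[DASE]] = {
    "planning manager": [DASE("volume of production", "read"),
                         DASE("production plan", "write"), DASE("sales forecast", "read"),
                         DASE("unit costs", "read"), DASE("customer orders", "read")],
    "purchasing manager": [DASE("supplier prices", "write"),
                           DASE("production plan", "read"), DASE("unit costs", "read")],
}
LEVELS = [2, 4, 6]  # the organisation's limited set of clearances (assumed SCV ceilings)
```

Calling facility_report(STAFF, LEVELS) shows each manager landing one CP above optimum, and clearance_gap(5, 4) shows the deficit if the planning manager were instead held to the lower level.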
Journal: Inf. Manag. Comput. Security
Volume 8
Pages: -
Published: 2000