TU Darmstadt / ULB / TUbiblio

Policy Override in Practice: Model, Evaluation, and Decision Support

Bartsch, Steffen (2012):
Policy Override in Practice: Model, Evaluation, and Decision Support.
In: Security and Communication Networks, DOI: 10.1002/sec.547,
[Article]

Abstract

The predominant strategy in restricting permissions in information systems is to limit users on the basis of the ‘need-to-know’ principle. Although appropriate in highly security-sensitive contexts, this culture of protection will, in other contexts, often reduce users' productivity and is seen as a hassle because the everyday exceptions to the routine tasks can be severely hindered. This paper proposes a more flexible authorization model, policy override, which allows end users to override authorization in a controlled manner. In this article, I describe the authorization model and its implementation in a medium enterprise's business application. I evaluated policy override use over a period of 1 year through quantitative and qualitative analysis to identify challenges and offer advice on the implementation of policy override in practice. One important challenge is the setting of adequate bounds for policy override. To overcome this obstacle, I propose and evaluate a qualitative risk-based calculus that offers decision support to balance additional risks of policy override with the benefits of more flexible authorization.

Item Type: Article
Erschienen: 2012
Creators: Bartsch, Steffen
Title: Policy Override in Practice: Model, Evaluation, and Decision Support
Language: English
Abstract:

The predominant strategy in restricting permissions in information systems is to limit users on the basis of the ‘need-to-know’ principle. Although appropriate in highly security-sensitive contexts, this culture of protection will, in other contexts, often reduce users' productivity and is seen as a hassle because the everyday exceptions to the routine tasks can be severely hindered. This paper proposes a more flexible authorization model, policy override, which allows end users to override authorization in a controlled manner. In this article, I describe the authorization model and its implementation in a medium enterprise's business application. I evaluated policy override use over a period of 1 year through quantitative and qualitative analysis to identify challenges and offer advice on the implementation of policy override in practice. One important challenge is the setting of adequate bounds for policy override. To overcome this obstacle, I propose and evaluate a qualitative risk-based calculus that offers decision support to balance additional risks of policy override with the benefits of more flexible authorization.

Journal or Publication Title: Security and Communication Networks
Uncontrolled Keywords: Secure Data
Divisions: 20 Department of Computer Science > Theoretical Computer Science - Cryptography and Computer Algebra
LOEWE > LOEWE-Zentren > CASED – Center for Advanced Security Research Darmstadt
20 Department of Computer Science > SECUSO - Security, Usability and Society
Profile Areas > Cybersecurity (CYSEC)
LOEWE > LOEWE-Zentren
20 Department of Computer Science
Profile Areas
LOEWE
Date Deposited: 28 Jul 2016 18:35
DOI: 10.1002/sec.547
Identification Number: Bartsch11scn
Export:
Suche nach Titel in: TUfind oder in Google

Optionen (nur für Redakteure)

View Item View Item