Title :
A framework for risk-aware role based access control
Author :
Bijon, Khalid Zaman ; Krishnan, Ram ; Sandhu, Ravi
Author_Institution :
Dept. of Comput. Sci., Univ. of Texas at San Antonio, San Antonio, TX, USA
Abstract :
Over the years, role based access control (RBAC) has remained a dominant form of access control both in the industry and academia. More recently, the need for risk awareness in access control has received considerable attention in the research community in light of issues such as insider threats. Although RBAC facilitates risk mitigation via features such as constraints (e.g. static and dynamic separation of duty), a quantified approach of risk awareness/mitigation has emerged as a promising research theme due to its inherent flexibility. In this approach, risk/cost metrics are computed for various entities involved in access control such as users and objects and a risk threshold limits the permissions that can be exercised. The quantified approach accommodates dynamism in access decisions based on contexts/situations such as an employee accessing a sensitive file using a work computer versus accessing using her own device. In this paper, we analyze the difference between the traditional constraint-based risk mitigation and the recent quantified risk-aware approaches in RBAC and propose a framework for introducing risk-awareness in RBAC models that incorporates quantified-risk. We also provide a formal specification of an adaptive risk-aware RBAC model by enhancing the NIST core RBAC model.
Keywords :
authorisation; risk management; telecommunication security; NIST core RBAC model; RBAC models; formal specification; quantified approach; risk mitigation; risk threshold limits; risk-aware approaches; risk-aware role; risk/cost metrics; role based access control; work computer; Access control; Adaptation models; Automation; Estimation; Monitoring; NIST; Access Control; Policy; RBAC; Risk;
Conference_Title :
Communications and Network Security (CNS), 2013 IEEE Conference on
Conference_Location :
National Harbor, MD
DOI :
10.1109/CNS.2013.6682761