Charles Morisset, Iryna Yevseyeva, Thomas Groß, Aad van Moorsel


We propose in this paper a formal model for soft enforcement, where a decision-maker is influenced towards a decision, rather than forced to select that decision. This novel type of enforcement is particularly useful when the policy enforcer cannot fully control the environment of the decision-maker, as we illustrate in the context of attribute-based access control, by limiting the control over attributes. We also show that soft enforcement can improve the security of the system when the influencer is uncertain about the environment, and when neither forcing the decision-maker nor leaving them to make their own selection is optimal. We define the general notion of optimal in policy, that takes into account both the control of the influencer and the uncertainty in the system.

Keywords: security decision making, nudging, uncertainty decision analysis

Date: 10-11 September, 2014

Presented: 10th International Workshop on Security and Trust Management (STM 2014), 10-11 September 2014, Wroclaw, Poland.

Published: In Security and Trust Management, LNCS, Springer, Volume 8743, 2014, pp. 113-128.

Publisher: Springer