Adapting usage control as a deterrent to address the inadequacies of access controls

Padayachee, Keshnee; Eloff, J. H. P.

doi:10.1016/j.cose.2009.03.003

Cited by 5 publications

(3 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Information accountability means the use of information should be transparent so it is possible to determine whether a particular use is appropriate under a given set of rules and that the system enables individuals and institutions to be held accountable for misuse [49]. Some research work is already heading in this direction, for instance, there is a body of work on audit-based solutions for data access in healthcare systems [50], or suggesting means of deterrence for information that requires more than traditional access control enforcement [51], or others offering a posteriori control for systems that require flexibility with accesses that are unanticipated under special circumstances [52]. However, there is a lack of such work in the context of hyper-connected systems like social networks, where the end user is the major active player, i.e.…”

Section: A System-centric To Cross-domain Privacy Requirementsmentioning

confidence: 99%

Privacy Requirements: Present & Future

Anthonysamy

Rashid

Chitchyan

2017

2017 IEEE/ACM 39th International Conference on Software Engineering: Software Engineering in Society Track (ICSE-SEIS)

View full text Add to dashboard Cite

Software systems are increasingly open, handle large amounts of personal or other sensitive data and are intricately linked with the daily lives of individuals and communities. This poses a range of privacy requirements. Such privacy requirements are typically treated as instances of requirements pertaining to compliance, traceability, access control, verification or usability. Though important, such approaches assume that the scope for the privacy requirements can be established a priori and that such scope does not vary drastically once the system is deployed. User data and information, however, exists in an open, hyper-connected and potentially "unbounded" environment. Furthermore, "privacy requirements-present" and "privacy requirements-future" may differ significantly as the privacy implications are often emergent a posteriori. Effective treatment of privacy requirements, therefore, requires techniques and approaches that fit with the inherent openness and fluidity of the environment through which user data and information flows. This paper surveys state of the art and presents some potential directions in the way privacy requirements should be treated. We reflect on the limitations of existing approaches with regards to unbounded privacy requirements and highlight a set of key challenges for requirements engineering research with regards to managing privacy in such unbounded settings.

show abstract

Section: A System-centric To Cross-domain Privacy Requirementsmentioning

confidence: 99%

Privacy Requirements: Present & Future

Anthonysamy

Rashid

Chitchyan

2017

2017 IEEE/ACM 39th International Conference on Software Engineering: Software Engineering in Society Track (ICSE-SEIS)

View full text Add to dashboard Cite

show abstract

“…Within this real-world inter-organisational cooperation scenario, it was found that traditional access controls do not comply with the organisation's requirements and that cooperation and competitive reasons motivate the use of interactive and optimistic access controls [12]. Since the flexibility offered by optimistic access control may well be exploited, Padayachee and Eloff [4] proposed that optimistic access control should be complemented with usage control.…”

Section: Background To Access Controlsmentioning

confidence: 99%

“…Padayachee and Eloff [4] presented a model for addressing the inadequacies of access controls, which involved a reformulation of usage control as a mechanism to deter users from information abuse, rather than one that is entirely dependent on denial of access. Padayachee and Eloff's [4] approach towards deterrence control is an application of optimistic access control, which is useful in cases where openness and availability are more important than complete confidentiality [5]. Optimistic access control involves a combination of audit and accountability aspects as deterrent mechanisms to encourage trustworthy behaviour.…”

Section: Introductionmentioning

confidence: 99%

Evaluating Usage Control Deterrents

Padayachee¹,

Eloff²

2012

SACJ

Self Cite

View full text Add to dashboard Cite

This paper explores the effectiveness of usage control deterrents. Usage control enables finer-grained control over the usage of objects than do traditional access control models. Deterrent controls are intended to discourage individuals from intentionally violating information security policies or procedures. In this context, an adaptation of usage control is assessed as a proactive means of deterrence control to protect information that cannot be adequately or reasonably protected by access control. These deterrents are evaluated using the design science methodology. Parallel prototypes were developed with the aim of producing multiple alternatives, thereby shifting the focus from purely usability testing to model testing.

show abstract