Formal definition of a malicious changeload, describing scenarios of abuse in access control that were used in the resilience evaluation of a self-adaptive authorisation infrastructure.• Definition of a generic simulation-based approach for evaluating the resilience of self-adaptive authorisation infrastructures under repeatable conditions of system and environmental change.