TY - GEN
T1 - Towards a game theoretic authorisation model
AU - Salim, Farzad
AU - Reid, Jason
AU - Dulleck, Uwe
AU - Dawson, Ed
PY - 2010
Y1 - 2010
N2 - Authorised users (insiders) are behind the majority of security incidents with high financial impacts. Because authorisation is the process of controlling users' access to resources, improving authorisation techniques may mitigate the insider threat. Current approaches to authorisation suffer from the assumption that users will (can) not depart from the expected behaviour implicit in the authorisation policy. In reality however, users can and do depart from the canonical behaviour. This paper argues that the conflict of interest between insiders and authorisation mechanisms is analogous to the subset of problems formally studied in the field of game theory. It proposes a game theoretic authorisation model that can ensure users' potential misuse of a resource is explicitly considered while making an authorisation decision. The resulting authorisation model is dynamic in the sense that its access decisions vary according to the changes in explicit factors that influence the cost of misuse for both the authorisation mechanism and the insider.
AB - Authorised users (insiders) are behind the majority of security incidents with high financial impacts. Because authorisation is the process of controlling users' access to resources, improving authorisation techniques may mitigate the insider threat. Current approaches to authorisation suffer from the assumption that users will (can) not depart from the expected behaviour implicit in the authorisation policy. In reality however, users can and do depart from the canonical behaviour. This paper argues that the conflict of interest between insiders and authorisation mechanisms is analogous to the subset of problems formally studied in the field of game theory. It proposes a game theoretic authorisation model that can ensure users' potential misuse of a resource is explicitly considered while making an authorisation decision. The resulting authorisation model is dynamic in the sense that its access decisions vary according to the changes in explicit factors that influence the cost of misuse for both the authorisation mechanism and the insider.
UR - http://www.scopus.com/inward/record.url?scp=78650744648&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-17197-0_14
DO - 10.1007/978-3-642-17197-0_14
M3 - Conference contribution
AN - SCOPUS:78650744648
SN - 3642171966
SN - 9783642171963
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 208
EP - 219
BT - Decision and Game Theory for Security - First International Conference, GameSec 2010, Proceedings
T2 - 1st International Conference on Decision and Game Theory for Security, GameSec 2010
Y2 - 22 November 2010 through 23 November 2010
ER -