Assigning responsibility for failed obligations

Keith Irwin, Ting Yu, William H. Winsborough

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

7 Citations (Scopus)

Abstract

Traditional security policies largely focus on access control. Though essential, access control is only one aspect of security. In particular, the correct behavior and reliable operation of a system depends not only on what users are permitted to do, but oftentimes on what users are required to do. Such obligatory actions are integral to the security procedures of many enterprises. Unlike access control, obligations assigned to individual users are often unenforceable, that is, the system cannot ensure that each obligation will be fulfilled. Accurately determining who was at fault when obligations are not met is essential for responding appropriately, be it in terms of modified trust relationships or other recourse. In this paper, based on a formal metamodel of obligations, we propose an approach for fault assessment through active online tracking of responsibilities and dependencies between obligations. We identify and formalize two key properties for the correct assessment of fault, and design responsibility assignment and fault assessment algorithms for a concrete yet general access control and obligation system.

Original language: English
Title of host publication: IFIP International Federation for Information Processing
Pages: 327-342
Number of pages: 16
Volume: 263
DOIs: https://doi.org/10.1007/978-0-387-09428-1_21
Publication status: Published - 28 May 2008
Externally published: Yes

Publication series

Name: IFIP International Federation for Information Processing
Volume: 263
ISSN (Print): 15715736

Fingerprint

Responsibility
Obligation
Fault
Access control
Security policy
Metamodel
Assignment
Integral

ASJC Scopus subject areas

  • Information Systems and Management

Cite this

Irwin, K., Yu, T., & Winsborough, W. H. (2008). Assigning responsibility for failed obligations. In IFIP International Federation for Information Processing (Vol. 263, pp. 327-342). (IFIP International Federation for Information Processing; Vol. 263). https://doi.org/10.1007/978-0-387-09428-1_21

Assigning responsibility for failed obligations. / Irwin, Keith; Yu, Ting; Winsborough, William H.

IFIP International Federation for Information Processing. Vol. 263 2008. p. 327-342 (IFIP International Federation for Information Processing; Vol. 263).

Irwin, K, Yu, T & Winsborough, WH 2008, Assigning responsibility for failed obligations. in IFIP International Federation for Information Processing. vol. 263, IFIP International Federation for Information Processing, vol. 263, pp. 327-342. https://doi.org/10.1007/978-0-387-09428-1_21
Irwin K, Yu T, Winsborough WH. Assigning responsibility for failed obligations. In IFIP International Federation for Information Processing. Vol. 263. 2008. p. 327-342. (IFIP International Federation for Information Processing). https://doi.org/10.1007/978-0-387-09428-1_21
Irwin, Keith ; Yu, Ting ; Winsborough, William H. / Assigning responsibility for failed obligations. IFIP International Federation for Information Processing. Vol. 263 2008. pp. 327-342 (IFIP International Federation for Information Processing).
@inproceedings{37506934d2ac47dd9e84fd59482530a1,
title = "Assigning responsibility for failed obligations",
abstract = "Traditional security policies largely focus on access control. Though essential, access control is only one aspect of security. In particular, the correct behavior and reliable operation of a system depends not only on what users are permitted to do, but oftentimes on what users are required to do. Such obligatory actions are integral to the security procedures of many enterprises. Unlike access control, obligations assigned to individual users are often unenforceable, that is, the system cannot ensure that each obligation will be fulfilled. Accurately determining who was at fault when obligations are not met is essential for responding appropriately, be it in terms of modified trust relationships or other recourse. In this paper, based on a formal metamodel of obligations, we propose an approach for fault assessment through active online tracking of responsibilities and dependencies between obligations. We identify and formalize two key properties for the correct assessment of fault, and design responsibility assignment and fault assessment algorithms for a concrete yet general access control and obligation system.",
author = "Keith Irwin and Ting Yu and Winsborough, {William H.}",
year = "2008",
month = "5",
day = "28",
doi = "10.1007/978-0-387-09428-1_21",
language = "English",
isbn = "9780387094274",
volume = "263",
series = "IFIP International Federation for Information Processing",
pages = "327--342",
booktitle = "IFIP International Federation for Information Processing",

}

TY - GEN

T1 - Assigning responsibility for failed obligations

AU - Irwin, Keith

AU - Yu, Ting

AU - Winsborough, William H.

PY - 2008/5/28

Y1 - 2008/5/28

N2 - Traditional security policies largely focus on access control. Though essential, access control is only one aspect of security. In particular, the correct behavior and reliable operation of a system depends not only on what users are permitted to do, but oftentimes on what users are required to do. Such obligatory actions are integral to the security procedures of many enterprises. Unlike access control, obligations assigned to individual users are often unenforceable, that is, the system cannot ensure that each obligation will be fulfilled. Accurately determining who was at fault when obligations are not met is essential for responding appropriately, be it in terms of modified trust relationships or other recourse. In this paper, based on a formal metamodel of obligations, we propose an approach for fault assessment through active online tracking of responsibilities and dependencies between obligations. We identify and formalize two key properties for the correct assessment of fault, and design responsibility assignment and fault assessment algorithms for a concrete yet general access control and obligation system.

UR - http://www.scopus.com/inward/record.url?scp=44149127452&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=44149127452&partnerID=8YFLogxK

U2 - 10.1007/978-0-387-09428-1_21

DO - 10.1007/978-0-387-09428-1_21

M3 - Conference contribution

SN - 9780387094274

VL - 263

T3 - IFIP International Federation for Information Processing

SP - 327

EP - 342

BT - IFIP International Federation for Information Processing

ER -