Assigning responsibility for failed obligations

Keith Irwin, Ting Yu, William H. Winsborough

Research output: Chapter in Book/Report/Conference proceedingConference contribution

7 Citations (Scopus)


Traditional security policies largely focus on access control. Though essential, access control is only one aspect of security. In particular, the correct behavior and reliable operation of a system depends not only on what users are permitted to do, but oftentimes on what users are required to do. Such obligatory actions are integral to the security procedures of many enterprises. Unlike access control, obligations assigned to individual users are often unenforceable, that is, the system cannot ensure that each obligation will be fulfilled. Accurately determining who was at fault when obligations are not met is essential for responding appropriately, be it in terms of modified trust relationships or other recourse. In this paper, based on a formal metamodel of obligations, we propose an approach for fault assessment through active online tracking of responsibilities and dependencies between obligations.We identify and formalize two key properties for the correct assessment of fault, and design responsibility assignment and fault assessment algorithms for a concrete yet general access control and obligation system.

Original languageEnglish
Title of host publicationTrust Management II
Subtitle of host publicationProceedings of IFIPTM 2008: Joint iTrust and PST Conferences on Privacy, Trust Management and Security
EditorsYücel Karabulut, Mitchell Mitchell, Peter Herrmann, Christian Damsgaard Jensen
Number of pages16
Publication statusPublished - 28 May 2008

Publication series

NameIFIP International Federation for Information Processing
ISSN (Print)1571-5736


ASJC Scopus subject areas

  • Information Systems and Management

Cite this

Irwin, K., Yu, T., & Winsborough, W. H. (2008). Assigning responsibility for failed obligations. In Y. Karabulut, M. Mitchell, P. Herrmann, & C. D. Jensen (Eds.), Trust Management II: Proceedings of IFIPTM 2008: Joint iTrust and PST Conferences on Privacy, Trust Management and Security (pp. 327-342). (IFIP International Federation for Information Processing; Vol. 263).