Abstract
Modern approaches towards understanding the behaviour of systems and policies have recently been driven by the abundance of open and non-open data, moving away from the classical model-based approaches in which data were secondary to the solution. In this paper, we present a similar approach by suggesting that the analysis of the risk probability for access control and security policies can be based on an empirical data-driven study. We outline a constraint-based approach that allows organisations to examine policies in light of the probabilities of internal actors damaging organisational assets. Our approach is validated using Verizon's open community dataset for security incidents, known as VERIS/VCDB.
Original language | English |
---|---|
Pages (from-to) | 13-26 |
Number of pages | 14 |
Journal | Computer Standards & Interfaces |
Volume | 56 |
Early online date | 14 Sept 2017 |
Publication status | Published - 1 Feb 2018 |
Keywords
- security metrics
- risk analysis
- access control
- data analysis