Title :
A risk awareness approach for monitoring the compliance of RBAC-based policies
Author :
Faouzi Jaidi;Faten Labbene Ayachi
Author_Institution :
Digital Security Research Unit (DSRU), Higher School of Communication of Tunis (Sup'Com), Tunisia
Date :
7/1/2015 12:00:00 AM
Abstract :
The considerable increase in the risk associated with inner threats has motivated research in risk assessment for access control systems. Two main approaches were adapted: (i) a risk mitigation approach via features such as constraints, and (ii) a risk quantification approach that manages access based on a quantified risk. Evaluating the risk associated with the evolutions of an access control policy is an important theme that allows monitoring the conformity of the policy in terms of risk. Unfortunately, no work has been defined in this context. We propose in this paper a quantified risk-assessment approach for monitoring the compliance of concrete RBAC-based policies. We formalize the proposal and illustrate its application via a case study.
Keywords :
"Risk management","Access control","Monitoring","Face","Concrete","Firewalls (computing)"
Conference_Title :
e-Business and Telecommunications (ICETE), 2015 12th International Joint Conference on