Using Budget-Based Access Control to Manage Operational Risks Caused by Insiders

The insider threat has been framed as protection of the network from insiders whose threat level may be unknown to the organization. In this paper, we propose a Budget-Based Access Control Model to mitigate the insider threat. We provide an order of magnitude price for every access right and assign each individual user a risk budget. The price for access is then personalized based on the observed historical behavior of the user. The risk budget represents the amount of risks an organization can tolerate from that employee. Each access right of a user may cost him certain risk points. The incentives come in the forms of punishments and rewards. The punishments are triggered by the risk budget exhaustion. On the other hand, those whose risk behavior is aligned with the organization’s risk preferences will be rewarded. The human-subject experimental results demonstrate our model’s positive influence on the users’ risk behavior. In addition, this work is distinguished from previous risk-based access controls by our modeling of users behaviors, prevention of risk point hoarding and provision of explicit pricing. All risk-based access inherently constrains behavior incentives.