Roles in information security - A survey and classification of the research area

Since the publication of a seminal paper on “RBAC – role based access control models” in 1996 (IEEE Computer) a huge amount of work has been published on the application of sociological role theory in Information Security. Theoretical role models and interpretations as well as several commercial products are for instance based on the role concept and use them as their underlying access control paradigm. A conducted scientific literature collection revealed 866 publications dealing with roles in the context of Information Security. Although there is an ANSI/NIST standard and an ISO standard proposal there are a variety of competing models and application scenarios available and based on their different concepts and interpretations there is lack of consensus and clarity. Additionally, in practice several interpretations of the role concept have developed, dealing with the usage of theoretical findings on roles to improve existing security technologies. Because of the current situation there is need for a comprehensive article surveying the different proposals and streams of research on roles in Information Security. The goal and major contribution of this survey are a categorization of existing research into different classes following a three-level classification methodology. Based on a well-defined methodology a general categorization of the complete underlying set of publications, including general statistical data is provided. The main part of the work is investigating 30 identified research directions, evaluating their importance, and analyzing research tendencies and trends. An electronic bibliography including all surveyed publications together with the classification information is provided additionally. As a final contribution of the paper future trends in the area of role -research based on the data collected and own personal interpretations are predicted.