A Threat Analysis Model for Identity and Access Management

Nadia Jemil Abdu, Ulrike Lechner


Cyber attacks have become a concern for organizations and governments alike, as a threat to both business and national security. Their potential impacts include financial loss, fraud, reputational damage, and legal costs. Identifying security threats is an integral part of securing information systems: it means recognizing the threats and challenges that must be addressed by appropriate countermeasures and by realistic security requirements. Our study focuses on threat analysis and threat modeling for digital identities and identity management within and across complex, networked systems. Building on this, the paper proposes and discusses a preliminary version of a reference threat analysis model that supports threat analysis for identity management.


Paper Citation

in Harvard Style

Abdu N. and Lechner U. (2016). A Threat Analysis Model for Identity and Access Management. In Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-167-0, pages 498-502. DOI: 10.5220/0005790304980502

in Bibtex Style

author={Nadia Jemil Abdu and Ulrike Lechner},
title={A Threat Analysis Model for Identity and Access Management},
booktitle={Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},

in EndNote Style

JO - Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - A Threat Analysis Model for Identity and Access Management
SN - 978-989-758-167-0
AU - Abdu N.
AU - Lechner U.
PY - 2016
SP - 498
EP - 502
DO - 10.5220/0005790304980502