Authors: Malek Belhaouane; Joaquin Garcia-Alfaro and Hervé Debar
Affiliation: Institut Mines-Telecom and Télécom SudParis, France
Keyword(s):
ICT Security, Authorization, Access Control, Quantitative Security, Security Assurance, Security Metrics.
Related Ontology Subjects/Areas/Topics: Information and Systems Security; Security in Information Systems; Security Metrics and Measurement
Abstract:
Access control models allow flexible authoring and management of security policies using high-level statements. They enable the expression of structured and expressive policies. However, they also affect the characteristics of the resulting policies, and complexity is one of the characteristics affected. We propose a series of quantitative metrics to assess the comprehensive complexity of policies, by which we mean the difficulty administrators face in understanding a policy. We formalize the concepts of authorization-based access control models in order to propose general metrics that are independent of any particular model. We also show the application of the proposed metrics through a content management system (CMS) policy example. We outline a proof-of-concept to evaluate the feasibility of our proposal, based on SELinux policies for a general-purpose CMS.