
MIT Technology Review



Consider the difference between role-based access control (in which the data an employee is allowed to access is determined by his or her place in the organization) and a newer model called risk-based or incentive-based access control. Role-based access control assumes a perfect understanding about an individual’s role and his or her need for access to resources. Access may be difficult to gain, but it is typically long-lived and inflexibly spelled out in IT or HR departments. Employees are motivated to have as much access as possible, in order not to be blocked from seeing a file, for example, at what appears to them to be an arbitrarily determined moment. That often leads to workarounds, such as password sharing among employees who must access multiple systems to do their jobs. Yet sharing passwords and access structurally, systematically subverts access control.

In contrast, incentive-based access control provides a rough estimate of the risk inherent in accessing information. It grants an employee access to company data for the time period requested—for a price. Each employee has a risk budget, which is spent at a rate that corresponds to particular access rights and actions. So the employee who keeps access rights when they are no longer needed will have less freedom to work with sensitive data later. But an employee who urgently needs access can obtain it quickly and efficiently. Of course, certain tasks can remain always prohibited, such as approving a bidder or issuing a check. But overall, giving employees a risk budget rather than a static role gives them the incentive to minimize the employer’s risks.
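The risk-budget mechanism described above can be sketched in a few lines of Python. This is an added example, not code from the article or its author; the resource names, risk rates, starting budgets and the rule that releasing access early refunds the unused time are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed risk rates: budget points charged per hour of access (assumed values).
RISK_RATE = {"public_wiki": 0.1, "customer_db": 5.0, "payroll": 20.0}
# Tasks that remain prohibited no matter how much budget is left.
PROHIBITED = {"approve_bidder", "issue_check"}

@dataclass
class Grant:
    resource: str
    start: float  # hour the access began
    end: float    # hour the requested period ends

@dataclass
class Employee:
    name: str
    budget: float
    grants: list = field(default_factory=list)

    def request(self, resource, now, hours):
        """Grant access for the requested period if the budget covers its price."""
        rate = RISK_RATE.get(resource)
        if resource in PROHIBITED or rate is None or hours <= 0:
            return False
        price = rate * hours
        if price > self.budget:
            return False
        self.budget -= price
        self.grants.append(Grant(resource, now, now + hours))
        return True

    def release(self, resource, now):
        """Give access back early; the unused part of the period is refunded (assumption)."""
        for g in self.grants:
            if g.resource == resource and g.start <= now < g.end:
                self.budget += RISK_RATE[resource] * (g.end - now)
                g.end = now
                return True
        return False

    def can_access(self, resource, now):
        return any(g.resource == resource and g.start <= now < g.end for g in self.grants)

if __name__ == "__main__":
    hoarder, careful = Employee("hoarder", 100.0), Employee("careful", 100.0)
    hoarder.request("customer_db", now=0, hours=10)   # keeps access all day
    careful.request("customer_db", now=0, hours=2)
    careful.release("customer_db", now=1)             # done early, hands it back
    for e in (hoarder, careful):                      # both now need payroll urgently
        print(e.name, e.request("payroll", now=4, hours=3), e.budget)
```

The employee who held on to access is refused the later, more sensitive request, while the one who released it early is granted it immediately.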

Some researchers have proposed broadening the adoption of security standards by changing default settings in software and hardware so that security is difficult to avoid, or by striving to make overall systems easier to use. Inarguably, it is sometimes appropriate to force or persuade people to use security technologies. But each of these steps fails as a model for security as a whole because it approaches security as a goal that can be reached rather than a risk that must be managed. 

Viewing security as a series of threats that must be overcome is a vestige of the military model of computer security. Computer security is not a war to be won against the malicious. Rather, computer security is a continuing interaction with the networked environment. Just as the natural environment has inherent risks and benefits, so does the networked environment.

L. Jean Camp is professor of informatics and computing at Indiana University and the author of Trust and Risk in Internet Commerce.


Credit: Technology Review

Tagged: Business, Business Impact, Securing Data
