Consider the difference between role-based access control (in which the data an employee is allowed to access is determined by his or her place in the organization) and a newer model called risk-based or incentive-based access control. Role-based access control assumes a perfect understanding of an individual’s role and his or her need for access to resources. Access may be difficult to gain, but it is typically long-lived and inflexibly spelled out in IT or HR departments. Employees are motivated to have as much access as possible, in order not to be blocked from seeing a file, for example, at what appears to them to be an arbitrarily determined moment. That often leads to workarounds, such as password sharing among employees who must access multiple systems to do their jobs. Yet sharing passwords and access structurally and systematically subverts access control.
In contrast, incentive-based access control provides a rough estimate of the risk inherent in accessing information. It grants an employee access to company data for the time period requested—for a price. Each employee has a risk budget, which is spent at a rate that corresponds to particular access rights and actions. So the employee who keeps access rights when they are no longer needed will have less freedom to work with sensitive data later. But an employee who urgently needs access can obtain it quickly and efficiently. Of course, certain tasks can remain always prohibited, such as approving a bidder or issuing a check. But overall, giving employees a risk budget rather than a static role gives them the incentive to minimize the employer’s risks.
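The risk-budget mechanism described above can be sketched as a small ledger. This is an added example, not code from the article or from any product: the prices, the budget of 40 units, the resource names and the employee names are all assumptions constructed for illustration, and only the two always-prohibited actions come from the text.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed values, constructed for this example: risk units charged per hour of access.
PRICE_PER_HOUR = {"team_wiki": 1, "customer_db": 4, "payroll": 10}
# Actions that no budget can buy (the article's two examples).
ALWAYS_PROHIBITED = {"approve_bidder", "issue_check"}

@dataclass
class Grant:
    resource: str
    start: int                       # hour the access began
    expiry: int                      # hour the requested period ends
    released: Optional[int] = None   # hour the holder gave it up early, if any

    def cost(self) -> int:
        # Charged for the requested period unless the holder released early.
        end = self.expiry if self.released is None else min(self.released, self.expiry)
        return PRICE_PER_HOUR[self.resource] * (end - self.start)

@dataclass
class Employee:
    name: str
    budget: int
    grants: list = field(default_factory=list)

    def remaining(self) -> int:
        return self.budget - sum(g.cost() for g in self.grants)

    def request(self, target: str, hours: int, now: int) -> bool:
        # Prohibited or unpriced targets are refused regardless of budget.
        if target in ALWAYS_PROHIBITED or target not in PRICE_PER_HOUR:
            return False
        if hours <= 0 or PRICE_PER_HOUR[target] * hours > self.remaining():
            return False
        self.grants.append(Grant(target, now, now + hours))
        return True

    def release(self, resource: str, now: int) -> None:
        # Giving access back early stops the charge at the release hour.
        for g in self.grants:
            if g.resource == resource and g.released is None and now < g.expiry:
                g.released = max(now, g.start)

def demo() -> dict:
    alice, bob = Employee("alice", 40), Employee("bob", 40)
    for e in (alice, bob):
        e.request("customer_db", 8, now=0)
    alice.release("customer_db", now=2)   # alice returns access once she is done
    # Later, both urgently need two hours of payroll access (20 units).
    return {e.name: (e.remaining(), e.request("payroll", 2, now=8)) for e in (alice, bob)}
```

The employee who released unneeded access still has the budget for the urgent request; the one who kept it does not.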
Some researchers have proposed broadening the adoption of security standards by changing default settings in software and hardware so that security is difficult to avoid, or by striving to make overall systems easier to use. Inarguably, it is sometimes appropriate to force or persuade people to use security technologies. But each of these steps fails as a model for security as a whole because it approaches security as a goal that can be reached rather than a risk that must be managed.
Viewing security as a series of threats that must be overcome is a vestige of the military model of computer security. Computer security is not a war to be won against the malicious. Rather, computer security is a continuing interaction with the networked environment. Just as the natural environment has inherent risks and benefits, so does the networked environment.
L. Jean Camp is professor of informatics and computing at Indiana University and the author of Trust and Risk in Internet Commerce.