Elsevier

Computers & Security

Volume 73, March 2018, Pages 17-33

A new risk-based authentication management model oriented on user's experience

https://doi.org/10.1016/j.cose.2017.10.002

Abstract

With the increasing role of numerous Internet services, more and more private data must be protected. One of the mechanisms used to ensure data security is user authentication. A reliable authentication mechanism is the foundation of the security of a remote service but, on the other hand, it is also a source of user frustration because of the fear of losing access after three failed attempts. A remedy to this problem could be contextual secure authentication. Such a protocol should provide a multi-level authentication mechanism which increases user satisfaction without decreasing the protection level. In this paper we propose a risk analysis procedure for a new authentication management model which uses contextual data and is oriented on user experience. We describe an approach to risk assessment of the mechanism which supports the process of choosing the proper multi-step authentication procedure. On this basis, it is possible to provide a security solution which keeps a balance between user satisfaction (related to QoE) and the obtained Level of Security (related to QoP).

Introduction

The observed growth of different kinds of digital services in our network society results in many security issues related to them. Sensitive personal data like account numbers, ID numbers, passwords, personal data, etc. are very attractive to potential attackers. Such data are often used for building access control systems, so they must be presented to information systems; on the other hand, private data must be kept secret from unauthorized parties. For this reason, when protecting access to critical network services, it is important to prevent leakage of users' private data. But how to evaluate which type of service is more vulnerable than the others is a question that usually arises. An answer to this question could be the idea of risk analysis. The NIST special publication (Stoneburner et al., 2002) describes risk management as a continuous process of identifying, assessing and controlling threats which can have a negative impact on an organization. The goal of the risk management system is to identify potential problems before they occur, so that proper actions can be planned and invoked as needed across the lifetime of projects or products to mitigate the impact associated with a risk. Risk management, according to Stoneburner et al. (2002), includes three processes: risk assessment, risk mitigation, and risk evaluation and assessment.

Risk assessment is the first step of the risk management process, where the Level of Risk is determined. The risk is a function of the likelihood of a potential threat occurring and its impact on an organization. Identification and definition of potential risks which can have a negative influence on a company's processes or projects are essential. When risk identification is finished, a risk analysis should be performed as the next step. The goal of the analysis is to understand the specific nature of the risk and how it could affect a company.

Risk mitigation is the second step in the process of risk management, and includes prioritizing, evaluating, and implementing the appropriate risk-reducing actions recommended in the risk assessment process. During this step, companies assess their highest-ranked risks and develop a plan to alleviate them by using specific risk actions. These plans include risk mitigation processes, a risk prevention strategy and contingency plans in case the risk event has a negative impact.

Risk evaluation and assessment is the third and last step of the risk management process. After determining the likelihood of the risk occurring and its possible consequences, the risk is further evaluated. The company can then decide whether the risk is acceptable or not.

As described above, the whole risk management process has a significant impact on the Level of Security of services, processes, etc. In this paper a risk analysis (risk assessment) for an authentication mechanism model based on user satisfaction is proposed. The rest of the paper is organized as follows: Section 2 presents selected approaches to the risk assessment process. Section 3 defines the QoP and QoE parameters. Section 4 briefly discusses the idea of a new authentication management mechanism based on user satisfaction. Section 5 considers risk management for authentication. Section 6 contains the main theoretical result of the paper, which is a model of risk analysis. Finally, Section 7 shows the results of a simulation which describe risk factors and their impact on the Level of Security (LOS), and Section 8 concludes the paper and outlines future work.

Section snippets

Definitions of risk and risk assessment

The term “risk” has many definitions in the literature. According to Carroll (1995), risk is the “probability that a threat agent (cause) will exploit system vulnerability (weakness) and thereby create an effect detrimental to the system”. In Neumann (1995) risk is defined as “adverse effects that can arise if vulnerability is exploited or if a threat is actualized”. Another description is presented in Smith (1993): “value (the worth of the asset in danger), the sum of

Definition of QoP and QoE

To evaluate Quality of Service (QoS), Wang and Crowcroft (1996) made use of parameters such as network delay, throughput, etc. Based on their values the best quality of a service and network can be established. However, modifying QoS parameters is not always enough to ensure a good quality of service, and it is usually too expensive to set the best values of the QoS parameters. So, research on the impact on user experience was conducted. As a result of the research, a Quality of Experience (QoE) parameter was

The authentication management mechanism with QoE

Authentication is the provision of assurance that a claimed characteristic of an entity (e.g., its identity) is correct. There are two issues associated with it: the choice of a proper authentication mechanism and the impact of this mechanism on user behavior. The choice of an authentication solution is not a trivial problem because many factors can influence it. Moreover, even if such a solution is proposed, it usually does not take into account feedback from the entity using it. What is even

Risk management for authentication

In November 2013 Bruce Schneier initiated a discussion on risk-based authentication in his security blog (Schneier, 2013), that is, authentication where each individual login attempt is given a risk score depending on factors determined by the kind of service to be accessed and the user profile (their history, present context, etc.). The discussion showed that such an approach is still not considered solved, but is rather interesting and natural for security practitioners. However, in the research papers

Description of a user authentication

An entity who wants to use the authentication management service must first register (see Fig. 3). There are two options to do it: the first one is a simple registration in which a user fills in some forms manually. The forms contain questions about the user's behavior, e.g., what they do between 9 a.m. and 5 p.m. or which Internet services the user browses at work. Following this registration, the system has the user's data and is ready to work. This option is called Manual. The second option, called

Testing the contextual risk assessment method

The tests refer to four contextual categories, each with a few values:

  1. place: work, home, shop, cinema, airport;
  2. period of time: 8–16, 16–22, 22–6, 6–8;
  3. service: bank self-care, e-mail, forum, e-shop;
  4. device: PC, notebook, smart phone.

We consider four Scenarios composed of values of context parameters for these categories:

  1. notebook & work & 8–16 & forum;
  2. 8–16 & work & notebook & e-shop;
  3. 8–16 & PC & airport & bank self-care;
  4. PC & e-shop & 22–6 & cinema.

Before the risk calculation procedure is explained
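The risk calculation itself is not reproduced on this page, so the following worked example is an added illustration and not the paper's own method or weights. It applies the NIST-style definition from the Introduction (risk as a function of threat likelihood and impact) to the four contextual categories and the four scenarios listed above, and maps the resulting Level of Risk to a multi-step authentication procedure, as the abstract and the risk-based authentication section describe. Every per-value likelihood, service impact weight and threshold below is an assumption chosen for illustration.

```python
"""Contextual risk scoring for a login attempt.

Added example (not the paper's code). It follows the definition quoted in the
text (risk = likelihood of a threat occurring x its impact) and the four
contextual categories from the test section. Every numeric weight and every
threshold below is an ASSUMPTION made for illustration; the paper's own values
are not reproduced on this page.
"""
from dataclasses import dataclass
from math import prod

# Assumed per-value likelihoods (0..1) that a login from this context is NOT
# the legitimate user. Familiar context (work, office hours) scores low.
PLACE_LIKELIHOOD = {"work": 0.1, "home": 0.1, "shop": 0.4, "cinema": 0.5, "airport": 0.7}
PERIOD_LIKELIHOOD = {"8-16": 0.1, "16-22": 0.2, "22-6": 0.6, "6-8": 0.3}
DEVICE_LIKELIHOOD = {"PC": 0.3, "notebook": 0.2, "smart phone": 0.4}
# Assumed impact (1..5) of a compromised session, by the data the service exposes.
SERVICE_IMPACT = {"forum": 1, "e-mail": 3, "e-shop": 3, "bank self-care": 5}

CATEGORIES = {
    "place": PLACE_LIKELIHOOD,
    "period": PERIOD_LIKELIHOOD,
    "device": DEVICE_LIKELIHOOD,
    "service": SERVICE_IMPACT,
}

# Assumed thresholds mapping the score to the authentication steps required.
AUTH_LEVELS = [
    (1.0, "password only"),
    (2.5, "password + one-time code"),
    (float("inf"), "password + one-time code + out-of-band confirmation"),
]


@dataclass(frozen=True)
class Context:
    place: str
    period: str
    device: str
    service: str


def parse_scenario(text: str) -> Context:
    """Parse 'notebook & work & 8–16 & forum' (values in any order) into a Context.

    The scenarios in the text list their values in varying order, so each token
    is classified by the vocabulary it belongs to. En dashes in time ranges are
    normalised to '-'. Unknown, duplicate or missing values raise ValueError so
    that an unrecognised context is never silently scored as low risk.
    """
    found = {}
    for token in text.replace("\u2013", "-").split("&"):
        value = token.strip()
        for name, vocab in CATEGORIES.items():
            if value in vocab:
                if name in found:
                    raise ValueError(f"duplicate {name} value: {value!r}")
                found[name] = value
                break
        else:
            raise ValueError(f"unknown context value: {value!r}")
    missing = sorted(set(CATEGORIES) - set(found))
    if missing:
        raise ValueError(f"missing context categories: {missing}")
    return Context(**found)


def likelihood(ctx: Context) -> float:
    """Probability that at least one contextual factor indicates an impostor,
    treating the three factors as independent."""
    factors = (PLACE_LIKELIHOOD[ctx.place],
               PERIOD_LIKELIHOOD[ctx.period],
               DEVICE_LIKELIHOOD[ctx.device])
    return 1.0 - prod(1.0 - f for f in factors)


def risk_score(ctx: Context) -> float:
    """Level of Risk = likelihood x impact of the service being accessed."""
    return likelihood(ctx) * SERVICE_IMPACT[ctx.service]


def auth_level(score: float) -> str:
    """Map a risk score to the authentication procedure the user must complete."""
    for upper_bound, level in AUTH_LEVELS:
        if score < upper_bound:
            return level
    raise AssertionError("unreachable: last bound is infinite")


if __name__ == "__main__":
    # The four scenarios from the text, scored with the assumed weights.
    for scenario in ("notebook & work & 8–16 & forum",
                     "8–16 & work & notebook & e-shop",
                     "8–16 & PC & airport & bank self-care",
                     "PC & e-shop & 22–6 & cinema"):
        ctx = parse_scenario(scenario)
        score = risk_score(ctx)
        print(f"{scenario:40s} risk={score:.3f} -> {auth_level(score)}")
```

Running the script prints a score and the required authentication level for each scenario; with the assumed weights the forum login from work on a notebook stays at a single factor, while the airport login to bank self-care triggers the full procedure. Two design points carry over to a real deployment: the parser fails closed (an unrecognised context value raises instead of defaulting to low risk), and the per-category factors combine as the probability of at least one anomaly, so a single strongly unusual factor such as an airport login raises the score even when the other factors look ordinary.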

Conclusions and discussions

In this paper a risk analysis of a new authentication management mechanism was presented. Firstly, the parameters of risk were described. Secondly, based on a few scenarios, risk analysis and assessment were performed. The results of the simulations showed, according to the methodology used, that the calculated Level of Risk depends on three main factors: the security experience of a user, the kind of service (the data which an authenticated user wishes to access) and the authentication mechanism. The Level of


References (75)

  • A.A. Abdulwahid et al. Continuous and transparent multimodal authentication: reviewing the state of the art. Cluster Comput (2016)
  • A. Ahmed et al. Towards the realisation of context-risk-aware access control in pervasive computing. Telecommun Syst (2010)
  • C. Alberts et al. Managing information security risks. The OCTAVE approach (2002)
  • A. Almehmadi et al. On the possibility of insider threat prevention using Intent-Based Access Control (IBAC). IEEE Syst J (2015)
  • P. Arias-Cabarcos et al. A metric-based approach to assess risk for on cloud federated identity management. J Net Syst Manage (2012)
  • A. Asosheh et al. A new quantitative approach for information security risk assessment (2009)
  • D.V. Bernardo et al. Quantitative Security Risk Assessment (SRA) method: an empirical case study (2009)
  • K.Z. Bijon et al. A framework for risk-aware role based access control (2013)
  • J.M. Carroll. Computer security (1995)
  • Central Computer & Telecommunications Agency. PRINCE user's guide to CRAMM (1993)
  • C. Chapman et al. Project risk management (1997)
  • L. Chen et al. Risk-aware role-based access control (2012)
  • T. Ciszkowski et al. Towards quality of experience-based reputation models for future web service provisioning. Telecommun Syst (2012)
  • C. Clymer et al. iRisk evaluation
  • R. Dantu et al. Risk management using behavior based Bayesian networks (2005)
  • N. Dimmock et al. Using trust and risk in role-based access control policies (2004)
  • M.T. Dlamini et al. Securing cloud computing's blind-spots using strong and risk-based MFA (2016)
  • D.L. Drake et al. The security-specific eight stage risk assessment methodology (1994)
  • O. Gerstel et al. Quality of Protection (QoP): a quantitative unifying paradigm to protection service grades (2001)
  • D. Guegan et al. Distortion risk measure of the transformation of unimodal distributions into multimodal functions
  • T. Hossfeld et al. A generic quantitative relationship between quality of experience and quality of service (2010)
  • L. Huiying. A novel security risk assessment model for information system (2010)
  • ISO 31000. Risk management
  • ISO/IEC 27005. Information technology—Security techniques—Information security risk management (2011)
  • ITU-T. Methods for objective and subjective assessment of quality (1998)
  • M. Jakobsson et al. Implicit authentication for mobile devices (2009)
  • J. Joshi et al. Towards risk-aware policy based framework for big data security and privacy (2014)
  • B. Karabacak et al. ISRAM: information security risk analysis method. Comp Sec (2005)
  • S. Kondakci. A causal model for information Security Risk Assessment (2010)
  • Z. Kotulski et al. Error analysis with application in engineering (2010)
  • H. Krawczyk et al. CoRBAC—Context-oriented Role-Based Access Control. Stud Info (2013)
  • B. Ksiezopolski et al. Adaptable security mechanism for dynamic environments. Comp Sec (2007)
  • H. Lakshmi et al. Risk based access control in cloud computing (2015)
  • E. LeMay et al. Adversary-driven state-based system security evaluation (2010)
  • A. Lenstra et al. Information security risk assessment, aggregation, and mitigation (2004)
  • S. Lindskog. Modeling and tuning security from a quality of service perspective (2005)

    Mariusz Sepczuk received his B.S. degree in 2010 and his M.S. degree in 2011, both in Telecommunication from The Warsaw University of Technology, Poland. He is now Ph.D. student at Warsaw University of Technology, Poland. His research interests are: authentication, Quality of Protection, Quality of Experience and context-aware systems. Moreover, he is interested in penetration tests, malware analysis, Security Information and Event Management, system and network security and cryptography protocols.

    Zbigniew Kotulski is a Professor at the Institute of Telecommunications of the Faculty of Electronics and Information Technology, Warsaw University of Technology, Poland. He received his M.Sc. in applied mathematics from the Warsaw University of Technology and Ph.D. and D.Sc. degrees from the Institute of Fundamental Technological Research of the Polish Academy of Sciences. Zbigniew Kotulski is the author and co-author of 5 books and over 200 research papers on applied probability, cryptographic protocols and network security.
