A new risk-based authentication management model oriented on user's experience
Introduction
The observed growth of different kinds of digital services in our network society results in many security issues related to them. Sensitive personal data like account numbers, ID numbers, passwords, personal data, etc. are very attractive for potential attackers. Such data are often used for building access control systems, so they are presented to information systems. On the other hand, private data must be kept secret from unauthorized parties. For this reason, when protecting access to critical network services, it is important to prevent leakage of users' private data. But a question that usually crops up is how to evaluate which type of service is more vulnerable than the others. An answer to this question could be the idea of risk analysis. The NIST special publication (Stoneburner et al., 2002) describes risk management as a continuous process of identifying, assessing and controlling threats which can have a negative impact on an organization. The goal of a risk management system is to identify potential problems before they occur, so that proper actions can be planned and invoked as needed across the lifetime of projects or products to mitigate the impact associated with a risk. Risk management, according to Stoneburner et al. (2002), includes three processes: risk assessment, risk mitigation, and risk evaluation and assessment.
Risk assessment is the first step of the risk management process, where the Level of Risk is determined. The risk is a function of the likelihood of a potential threat occurring and its impact on an organization. Identification and definition of potential risks which can have a negative influence on a company's processes or projects are essential. When risk identification is finished, a risk analysis should be performed as the next step. The goal of the analysis is to understand the specific nature of the risk and how it could affect a company.
Risk mitigation is the second step in the process of risk management, and includes prioritizing, evaluating, and implementing the appropriate risk-reducing actions recommended in the risk assessment process. During this step, companies assess their highest-ranked risks and develop a plan to alleviate them by using specific risk actions. These plans include risk mitigation processes, a risk prevention strategy and contingency plans in case the risk event has a negative impact.
Risk evaluation and assessment is the third and last step of the risk management process. After determining the risk occurrence likelihood and possible consequences, the risk is further evaluated. The company can then decide whether the risk is acceptable or not.
As described above, the whole risk management process has a significant impact on the Level of Security of services, processes, etc. In this paper a risk analysis (risk assessment) for an authentication mechanism model based on user satisfaction is proposed. The rest of the paper is organized as follows: Section 2 presents selected approaches to a risk assessment process. Section 3 defines QoP and QoE parameters. Section 4 briefly discusses the idea of a new authentication management mechanism based on user satisfaction. Section 5 considers risk management for authentication. Section 6 contains the main theoretical results of the paper, which is a model of risk analysis. Finally, Section 7 shows the results of a simulation which describes risk factors and their impact on the Level of Security (LOS), and Section 8 concludes the paper and outlines future work.
Section snippets
Definitions of risk and risk assessment
The term “risk” has many definitions in the literature. According to Carroll (1995), risk is introduced as the “probability that a threat agent (cause) will exploit system vulnerability (weakness) and thereby create an effect detrimental to the system”. In Neumann (1995) risk is defined as “adverse effects that can arise if vulnerability is exploited or if a threat is actualized”. Another description is presented in Smith (1993): “value (the worth of the asset in danger), the sum of
Definition of QoP and QoE
To evaluate Quality of Service (QoS), Wang and Crowcroft (1996) made use of parameters such as network delay, throughput, etc. Based on their values, the best quality of a service and network can be established. However, modifying QoS parameters is not always enough to ensure a good quality of service, and it is usually too expensive to set the best values of QoS parameters. So, research on the impact on user experience was conducted. As a result of the research, a Quality of Experience (QoE) parameter was
The authentication management mechanism with QoE
Authentication is the provision of assurance that a claimed characteristic of an entity (e.g., its identity) is correct. There are two issues associated with it: the choice of a proper authentication mechanism and the impact of this mechanism on user behavior. The choice of an authentication solution is not a trivial problem because many factors can influence it. Moreover, even if such a solution is proposed, it usually does not consider feedback from the entity using it. What is even
Risk management for authentication
In November 2013 Bruce Schneier initiated a discussion on risk-based authentication in his security blog (Schneier, 2013), that is, authentication where each individual login attempt is given a risk score depending on factors determined by the kind of service to be accessed and the user profile (their history, present context, etc.). The discussion showed that such an approach is still not considered solved, but is rather interesting and natural for security practitioners. However, in the research papers
Description of a user authentication
An entity who wants to use the authentication management service must first register (see Fig. 3). There are two options to do so: the first one is a simple registration in which a user fills in some forms manually. The forms contain questions about the user's behavior, e.g., what they do between 9 a.m. and 5 p.m. or which Internet services the user browses at work. Following this registration, the system has the user's data and is ready to work. This option is called Manual. The second option, called
Testing the contextual risk assessment method
The tests refer to four contextual categories, each with a few values:
1. place: work, home, shop, cinema, airport;
2. period of time: 8–16, 16–22, 22–6, 6–8;
3. service: bank self-care, e-mail, forum, e-shop;
4. device: PC, notebook, smart phone.
We consider four Scenarios composed of values of context parameters for these categories:
1. notebook & work & 8–16 & forum;
2. 8–16 & work & notebook & e-shop;
3. 8–16 & PC & airport & bank self-care;
4. PC & e-shop & 22–6 & cinema.
Before the risk calculation procedure is explained
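An added example that is not code from the paper: an illustrative risk-based authentication scorer in Python that runs the four scenarios above against a constructed user profile (the place, period and device values a user might declare during Manual registration) and combines the three factors the Conclusions name: service sensitivity, how far the login context deviates from the profile, and the user's security experience. The formula, weights, step-up thresholds and the assess helper are assumptions made for this example, not the paper's own risk calculation procedure.

```python
# Illustrative risk-based authentication scorer for the four test scenarios above.
# The formula, weights and thresholds are assumptions made for this example,
# not the paper's own risk calculation procedure.
from collections import namedtuple

Context = namedtuple("Context", "place period device service")

# Constructed user profile, in the spirit of the Manual registration described on
# the page: where, when and on which devices the user declared they normally work.
USER_PROFILE = {"place": {"work", "home"}, "period": {"8-16", "16-22"}, "device": {"notebook", "PC"}}

# Assumed sensitivity of each service on the page's list (0 = public, 1 = critical).
SERVICE_SENSITIVITY = {"forum": 0.2, "e-mail": 0.5, "e-shop": 0.6, "bank self-care": 1.0}

# Assumed step-up thresholds: (upper bound of Level of Risk, mechanism required).
RISK_THRESHOLDS = [(0.25, "password"), (0.6, "password + OTP"),
                   (1.01, "password + OTP + out-of-band confirmation")]

# The page's four scenarios, normalised into (place, period, device, service).
SCENARIOS = {
    1: Context("work", "8-16", "notebook", "forum"),
    2: Context("work", "8-16", "notebook", "e-shop"),
    3: Context("airport", "8-16", "PC", "bank self-care"),
    4: Context("cinema", "22-6", "PC", "e-shop"),
}


def context_deviation(ctx, profile):
    """Fraction of context attributes (place, period, device) outside the profile."""
    attrs = ("place", "period", "device")
    return sum(getattr(ctx, a) not in profile[a] for a in attrs) / len(attrs)


def level_of_risk(ctx, profile, user_experience=0.0):
    """Assumed formula: service sensitivity scaled by how unusual the context is,
    then modestly lowered by the user's security experience (0 = novice, 1 = expert)."""
    base = SERVICE_SENSITIVITY[ctx.service] * (0.5 + 0.5 * context_deviation(ctx, profile))
    return round(base * (1.0 - 0.3 * user_experience), 3)


def required_authentication(risk):
    """Weakest mechanism whose threshold the Level of Risk stays below (step-up)."""
    for upper, mechanism in RISK_THRESHOLDS:
        if risk < upper:
            return mechanism
    return RISK_THRESHOLDS[-1][1]


def assess(n, user_experience=0.0):
    """Return (Level of Risk, required mechanism) for scenario number n."""
    risk = level_of_risk(SCENARIOS[n], USER_PROFILE, user_experience)
    return risk, required_authentication(risk)
```

Scenario 3 (bank self-care from an airport) is the only one that steps up to the strongest mechanism for a novice user; with user_experience set to 1.0 the same context drops back to password + OTP, which is the experience effect the Conclusions describe.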
Conclusions and discussions
In this paper a risk analysis of a new authentication management mechanism was presented. Firstly, the parameters of risk were described. Secondly, based on a few scenarios, risk analysis and assessment were performed. The results of the simulations showed, according to the methodology used, that the calculated Level of Risk depends on three main factors: the security experience of a user, the kind of service (the data which an authenticated user wishes to access) and the authentication mechanism. The Level of
References
- et al., Continuous and transparent multimodal authentication: reviewing the state of the art, Cluster Comput (2016)
- et al., Towards the realisation of context-risk-aware access control in pervasive computing, Telecommun Syst (2010)
- et al., Managing information security risks. The OCTAVESM approach (2002)
- et al., On the possibility of insider threat prevention using Intent-Based Access Control (IBAC), IEEE Syst J (2015)
- et al., A metric-based approach to assess risk for on cloud federated identity management, J Net Syst Manage (2012)
- et al., A new quantitative approach for information security risk assessment (2009)
- et al., Quantitative Security Risk Assessment (SRA) method: an empirical case study (2009)
- et al., A framework for risk-aware role based access control (2013)
- Computer security (1995)
- PRINCE user's guide to CRAMM (1993)
- Project risk management
- Risk-aware role-based access control
- Towards quality of experience-based reputation models for future web service provisioning, Telecommun Syst
- iRisk evaluation
- Risk management using behavior based Bayesian networks
- Using trust and risk in role-based access control policies
- Securing cloud computing's blind-spots using strong and risk-based MFA
- The security-specific eight stage risk assessment methodology
- Quality of Protection (QoP): a quantitative unifying paradigm to protection service grades
- Distortion risk measure of the transformation of unimodal distributions into multimodal functions
- A generic quantitative relationship between quality of experience and quality of service
- A novel security risk assessment model for information system
- Risk management
- Information technology—Security techniques—Information security risk management (2011)
- Methods for objective and subjective assessment of quality
- Implicit authentication for mobile devices
- Towards risk-aware policy based framework for big data security and privacy
- ISRAM: information security risk analysis method, Comp Sec
- A causal model for information Security Risk Assessment
- Error analysis with application in engineering
- CoRBAC—Context-oriented Role-Based Access Control, Stud Info
- Adaptable security mechanism for dynamic environments, Comp Sec
- Risk based access control in cloud computing
- Adversary-driven state-based system security evaluation
- Information security risk assessment, aggregation, and mitigation
- Modeling and tuning security from a quality of service perspective
Mariusz Sepczuk received his B.S. degree in 2010 and his M.S. degree in 2011, both in Telecommunication from the Warsaw University of Technology, Poland. He is now a Ph.D. student at Warsaw University of Technology, Poland. His research interests are: authentication, Quality of Protection, Quality of Experience and context-aware systems. Moreover, he is interested in penetration tests, malware analysis, Security Information and Event Management, system and network security and cryptographic protocols.
Zbigniew Kotulski is a Professor at the Institute of Telecommunications of the Faculty of Electronics and Information Technology, Warsaw University of Technology, Poland. He received his M.Sc. in applied mathematics from the Warsaw University of Technology and Ph.D. and D.Sc. degrees from the Institute of Fundamental Technological Research of the Polish Academy of Sciences. Zbigniew Kotulski is the author and co-author of 5 books and over 200 research papers on applied probability, cryptographic protocols and network security.