Accountability and Identifiability
ABSTRACT
We propose a focus on accountability as a mechanism for ensuring security in information systems. To that end, we present a formal definition of accountability in information systems. Our definition is more general and potentially more widely applicable than the accountability notions that have previously appeared in the security literature. In particular, we treat in a unified manner scenarios in which accountability is enforced automatically and those in which enforcement must be mediated by an authority; similarly, our formalism includes scenarios in which the parties who are held accountable can remain anonymous and those in which they must be identified by the authorities to whom they are accountable. Essential elements of our formalism include event traces and utility functions and the use of these to define punishment and related notions. By not assuming the requirement of identifiability and mediation, these definitions allow us to determine when identity and mediation might or might not be required in order to achieve accountability.
Award ID: 1018557