On the Possibility of Insider Threat Prevention Using Intent-Based Access Control (IBAC)

Title: On the Possibility of Insider Threat Prevention Using Intent-Based Access Control (IBAC)
Publication Type: Journal Article
Year of Publication: 2017
Authors: Almehmadi, A., El-khatib, K.
Journal: IEEE Systems Journal
Keywords: Access Control, Accuracy, authentication, authorisation, brain signals, Collaboration, electroencephalogram (EEG), electroencephalography, event-related potential (ERP), Human Behavior, human factors, IBAC, identity enrolment, identity recognition, industrial property, information technology, insider threat, insider threat prevention, insider threats, intellectual property, intent authentication, intent-based access control, intention detection, involuntary electroencephalogram reactions, malicious insiders, Metrics, motivation detection, nonidentity-based authentication, P300, physiology, policy-based governance, pubcrawl, Resiliency, Terrorism

Existing access control mechanisms are based on the concept of identity enrolment and recognition and assume that a recognized identity is synonymous with ethical actions, yet statistics over the years show that the most severe security breaches are the result of trusted, identified, and legitimate users who turned into malicious insiders. Insider threat damages range from intellectual property loss and fraud to information technology sabotage. As insider threat incidents evolve, there is demand for a nonidentity-based authentication measure that rejects access by authorized individuals who have malicious intent in accessing. In this paper, we study the possibility of using the user's intention as an access control measure, based on the involuntary electroencephalogram reactions toward visual stimuli. We propose intent-based access control (IBAC), which detects the intention of access based on the existence of knowledge about an intention. IBAC takes advantage of the robustness of the concealed information test to assess access risk. We use the intent and the intent motivation level to compute the access risk. Based on the calculated risk and the accepted risk threshold, the system decides whether to grant or deny an access request. We assessed the model using experiments on 30 participants, which demonstrated the robustness of the proposed solution.

Citation Key: almehmadi_possibility_2017