TY - GEN
T1 - Decide now or decide later? Quantifying the tradeoff between prospective and retrospective access decisions
AU - Zhang, Wen
AU - Chen, You
AU - Cybulski, Thaddeus R.
AU - Fabbri, Daniel
AU - Gunter, Carl A.
AU - Lawlor, Patrick
AU - Liebovitz, David
AU - Malin, Bradley
PY - 2014/11/3
Y1 - 2014/11/3
N2 - One of the greatest challenges an organization faces is determining when an employee is permitted to utilize a certain resource in a system. This "insider threat" can be addressed through two strategies: i) prospective methods, such as access control, that make a decision at the time of a request, and ii) retrospective methods, such as post hoc auditing, that make a decision in the light of the knowledge gathered afterwards. While it is recognized that each strategy has a distinct set of benefits and drawbacks, there has been little investigation into how to provide system administrators with practical guidance on when one or the other should be applied. To address this problem, we introduce a framework to compare these strategies on a common quantitative scale. In doing so, we translate these strategies into classification problems using a context-based feature space that assesses the likelihood that an access request is legitimate. We then introduce a technique called bispective analysis to compare the performance of the classification models under the situation of non-equivalent costs for false positive and negative instances, a significant extension on traditional cost analysis techniques, such as analysis of the receiver operator characteristic (ROC) curve. Using domain-specific cost estimates and access logs of several months from a large Electronic Medical Record (EMR) system, we demonstrate how bispective analysis can support meaningful decisions about the relative merits of prospective and retrospective decision making for specific types of hospital personnel.
AB - One of the greatest challenges an organization faces is determining when an employee is permitted to utilize a certain resource in a system. This "insider threat" can be addressed through two strategies: i) prospective methods, such as access control, that make a decision at the time of a request, and ii) retrospective methods, such as post hoc auditing, that make a decision in the light of the knowledge gathered afterwards. While it is recognized that each strategy has a distinct set of benefits and drawbacks, there has been little investigation into how to provide system administrators with practical guidance on when one or the other should be applied. To address this problem, we introduce a framework to compare these strategies on a common quantitative scale. In doing so, we translate these strategies into classification problems using a context-based feature space that assesses the likelihood that an access request is legitimate. We then introduce a technique called bispective analysis to compare the performance of the classification models under the situation of non-equivalent costs for false positive and negative instances, a significant extension on traditional cost analysis techniques, such as analysis of the receiver operator characteristic (ROC) curve. Using domain-specific cost estimates and access logs of several months from a large Electronic Medical Record (EMR) system, we demonstrate how bispective analysis can support meaningful decisions about the relative merits of prospective and retrospective decision making for specific types of hospital personnel.
KW - Access control
KW - Audit
KW - Context
KW - Data mining
KW - Decision support
UR - http://www.scopus.com/inward/record.url?scp=84910653704&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84910653704&partnerID=8YFLogxK
U2 - 10.1145/2660267.266034
DO - 10.1145/2660267.266034
M3 - Conference contribution
AN - SCOPUS:84910653704
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 1182
EP - 1192
BT - Proceedings of the ACM Conference on Computer and Communications Security
PB - Association for Computing Machinery
T2 - 21st ACM Conference on Computer and Communications Security, CCS 2014
Y2 - 3 November 2014 through 7 November 2014
ER -