Dynamic Security Enforcement based on Business Decisions


Enforcing security can come at a cost. When profitable functionality of
a system is disrupted by a security mechanism, the anticipated profits
might be lost. If, for instance, a user’s transaction in an online shop
is aborted by a mechanism, the user is prevented from buying. However,
not enforcing security can also cause costs, for instance when continuing
a transaction reveals sensitive payment information about other users.
Existing enforcement approaches, to the best of our knowledge, focus on
enforcing security without taking into account missed opportunities
through disrupted functionality. In this talk, I will discuss how security
and functionality can be incorporated into dynamic security enforcement
in a way that enables informed, risk-minimizing business decisions and
adapts to the decisions made. In addition, I will present the  current
status of our formal model as well as the remaining open issues.