{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,1]],"date-time":"2026-04-01T09:48:18Z","timestamp":1775036898781,"version":"3.50.1"},"reference-count":55,"publisher":"Springer Science and Business Media LLC","issue":"6","license":[{"start":{"date-parts":[[2019,1,28]],"date-time":"2019-01-28T00:00:00Z","timestamp":1548633600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2019,1,28]],"date-time":"2019-01-28T00:00:00Z","timestamp":1548633600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100000739","name":"University of Southampton","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100000739","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Mobile Netw Appl"],"published-print":{"date-parts":[[2021,12]]},"abstract":"Abstract<\/jats:title>The Internet of Things (IoT) is becoming the future of the Internet with a large number of connected devices that are predicted to reach about 50 billion by 2020. With proliferation of IoT devices and need to increase information sharing in IoT applications, risk-based access control model has become the best candidate for both academic and commercial organizations to address access control issues. This model carries out a security risk analysis on the access request by using IoT contextual information to provide access decisions dynamically. This model solves challenges related to flexibility and scalability of the IoT system. Therefore, we propose an adaptive risk-based access control model for the IoT. This model uses real-time contextual information associated with the requesting user to calculate the security risk regarding each access request. It uses user attributes while making the access request, action severity, resource sensitivity and user risk history as inputs to analyze and calculate the risk value to determine the access decision. To detect abnormal and malicious actions, smart contracts are used to track and monitor user activities during the access session to detect and prevent potential security violations. In addition, as the risk estimation process is the essential stage to build a risk-based model, this paper provides a discussion of common risk estimation methods and then proposes the fuzzy inference system with expert judgment as to be the optimal approach to handle risk estimation process of the proposed risk-based model in the IoT system.<\/jats:p>","DOI":"10.1007\/s11036-019-01214-w","type":"journal-article","created":{"date-parts":[[2019,1,28]],"date-time":"2019-01-28T21:57:35Z","timestamp":1548712655000},"page":"2545-2557","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":51,"title":["Fuzzy Logic with Expert Judgment to Implement an Adaptive Risk-Based Access Control Model for IoT"],"prefix":"10.1007","volume":"26","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-4142-6377","authenticated-orcid":false,"given":"Hany F.","family":"Atlam","sequence":"first","affiliation":[]},{"given":"Robert J.","family":"Walters","sequence":"additional","affiliation":[]},{"given":"Gary B.","family":"Wills","sequence":"additional","affiliation":[]},{"given":"Joshua","family":"Daniel","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2019,1,28]]},"reference":[{"issue":"2","key":"1214_CR1","doi-asserted-by":"publisher","first-page":"243","DOI":"10.1007\/s10796-014-9492-7","volume":"17","author":"S Li","year":"2015","unstructured":"Li S, Da Xu L, Zhao S (2015) The Internet of Things: a survey. Inf Syst Front 17(2):243\u2013259","journal-title":"Inf Syst Front"},{"key":"1214_CR2","doi-asserted-by":"crossref","unstructured":"Elkhodr M, Shahrestani S, Cheung H (2013) The Internet of Things: vision & challenges. IEEE 2013 Tencon - Spring, TENCONSpring 2013 - Conf. Proc., p 218\u2013222","DOI":"10.1109\/TENCONSpring.2013.6584443"},{"issue":"2","key":"1214_CR3","first-page":"1","volume":"2","author":"HF Atlam","year":"2018","unstructured":"Atlam HF, Walters RJ, Wills GB (2018) Fog computing and the Internet of Things: a review. Big data Cogn Comput 2(2):1\u201318","journal-title":"Big data Cogn Comput"},{"key":"1214_CR4","unstructured":"Ashton K (2009) That \u2018Internet of Things\u2019 thing. RFID J 4986"},{"key":"1214_CR5","first-page":"212","volume":"2005","author":"ITU","year":"2005","unstructured":"ITU (2005) The Internet of Things. Itu Internet Rep 2005:212","journal-title":"Itu Internet Rep"},{"key":"1214_CR6","unstructured":"ITU (2012) Overview of the Internet of things. Ser. Y Glob. Inf. infrastructure, Internet Protoc. Asp. next-generation networks - Fram. Funct. Archit. Model., p. 22"},{"key":"1214_CR7","unstructured":"Habib K, Leister W (2015) Context-aware authentication for the Internet of Things. Elev Int Conf Auton Auton Syst Fined 134\u2013139"},{"key":"1214_CR8","doi-asserted-by":"crossref","unstructured":"Dos Santos DR, Westphall CM, Westphall CB (2014) A dynamic risk-based access control architecture for cloud computing. IEEE\/IFIP NOMS 2014 - IEEE\/IFIP Netw. Oper. Manag. Symp. Manag. a Softw. Defin. World, p 1\u20139","DOI":"10.1109\/NOMS.2014.6838319"},{"issue":"3","key":"1214_CR9","doi-asserted-by":"publisher","first-page":"484","DOI":"10.1109\/TIFS.2015.2493983","volume":"11","author":"JK Liu","year":"2016","unstructured":"Liu JK, Au MH, Huang X, Lu R, Li J (2016) Fine-grained two-factor access control for web-based cloud computing services. IEEE Trans Inf Forensics Secur 11(3):484\u2013497","journal-title":"IEEE Trans Inf Forensics Secur"},{"issue":"4","key":"1214_CR10","doi-asserted-by":"crossref","first-page":"850","DOI":"10.1109\/TIFS.2015.2512533","volume":"11","author":"A Castiglione","year":"2016","unstructured":"Castiglione A et al (2016) Hierarchical and shared access control. IEEE Trans Inf Forensics Secur 11(4):850\u2013865","journal-title":"IEEE Trans Inf Forensics Secur"},{"issue":"4","key":"1214_CR11","doi-asserted-by":"publisher","first-page":"912","DOI":"10.1109\/TIFS.2017.2774439","volume":"13","author":"J Shen","year":"2018","unstructured":"Shen J, Zhou T, Chen X, Li J, Susilo W (2018) Anonymous and traceable group data sharing in cloud computing. IEEE Trans Inf Forensics Secur 13(4):912\u2013925","journal-title":"IEEE Trans Inf Forensics Secur"},{"issue":"3","key":"1214_CR12","doi-asserted-by":"publisher","first-page":"2385","DOI":"10.1007\/s10586-016-0701-7","volume":"20","author":"H Wang","year":"2017","unstructured":"Wang H, Zheng Z, Wu L, Li P (2017) New directly revocable attribute-based encryption scheme and its application in cloud storage environment. Clust Comput 20(3):2385\u20132392","journal-title":"Clust Comput"},{"issue":"X","key":"1214_CR13","first-page":"1","volume":"X","author":"Q Lin","year":"2018","unstructured":"Lin Q, Yan H, Huang Z, Chen W, Shen J, Tang Y (2018) An ID-based linearly homomorphic signature scheme and its application in blockchain. IEEE Access X(X):1\u20138","journal-title":"IEEE Access"},{"key":"1214_CR14","doi-asserted-by":"crossref","unstructured":"Chen P, Pankaj C, Karger PA, Wagner GM, Schuett A (2007) Fuzzy multi-level security: an experiment on quantified risk-adaptive access control. 2007 IEEE Symp. Secur. Privacy(SP\u201907), p 222\u2013227","DOI":"10.1109\/SP.2007.21"},{"issue":"4","key":"1214_CR15","doi-asserted-by":"publisher","first-page":"447","DOI":"10.1016\/j.cose.2012.02.006","volume":"31","author":"RA Shaikh","year":"2012","unstructured":"Shaikh RA, Adi K, Logrippo L (2012) Dynamic risk-based decision methods for access control systems. Comput Secur 31(4):447\u2013464","journal-title":"Comput Secur"},{"key":"1214_CR16","doi-asserted-by":"crossref","unstructured":"Atlam HF, Alassafi MO, Alenezi A, Walters RJ, Wills GB (2018) XACML for building access control policies in Internet of Things. In: Proceedings of the 3rd International Conference on Internet of Things, Big Data and Security (IoTBDS 2018)","DOI":"10.5220\/0006725102530260"},{"key":"1214_CR17","unstructured":"Jason C (2004) Horizontal integration: broader access models for realizing information dominance. MITRE Corp. Tech. Rep. JSR- 04-132"},{"key":"1214_CR18","unstructured":"McGraw R (2009) Risk-Adaptable Access Control (RAdAC). In: Privilege Manag. Work. NIST\u2013National Inst. Stand. Technol. Technol. Lab"},{"key":"1214_CR19","doi-asserted-by":"crossref","unstructured":"Zhang L, Brodsky A, Jajodia S (2006) Toward information sharing: benefit and risk access control (barac). In: the Proc. of the Seventh IEEE International Workshop on Policies for Distributed Systems and Networks. Washington, DC, USA, p 45\u201353","DOI":"10.1109\/POLICY.2006.36"},{"key":"1214_CR20","doi-asserted-by":"crossref","unstructured":"Diep NN, Hung LX, Zhung Y, Lee S, Lee Y, Lee H (2007) Enforcing access control using risk assessment. Fourth Eur. Conf. Univers. Multiservice Networks, p 419\u2013424","DOI":"10.1109\/ECUMN.2007.19"},{"key":"1214_CR21","doi-asserted-by":"publisher","first-page":"86","DOI":"10.1016\/j.cose.2013.03.010","volume":"39","author":"H Khambhammettu","year":"2013","unstructured":"Khambhammettu H, Boulares S, Adi K, Logrippo L (2013) A framework for risk assessment in access control systems. Comput Secur 39:86\u2013103","journal-title":"Comput Secur"},{"key":"1214_CR22","doi-asserted-by":"crossref","unstructured":"Ni Q, Bertino E, Lobo J (2010) Risk-based access control systems built on fuzzy inferences. Proc. 5th ACM Symp. Information, Comput. Commun. Secur. ser. ASIACCS 10. New York, NY, USA ACM, p 250\u2013260","DOI":"10.1145\/1755688.1755719"},{"key":"1214_CR23","doi-asserted-by":"crossref","unstructured":"Li J, Bai Y, Zaman N (2013) A fuzzy modeling approach for risk-based access control in eHealth cloud. Proc. - 12th IEEE Int. Conf. Trust. Secur. Priv. Comput. Commun. Trust. 2013, p 17\u201323","DOI":"10.1109\/TrustCom.2013.66"},{"key":"1214_CR24","doi-asserted-by":"crossref","unstructured":"Rajbhandari L, Snekkenes EA (2011) Using game theory to analyze risk to privacy: an initial insight. Priv. Identity Manag. Life, Springer Berlin Heidelb., p 41\u201351","DOI":"10.1007\/978-3-642-20769-3_4"},{"key":"1214_CR25","doi-asserted-by":"crossref","unstructured":"Sharma M, Bai Y, Chung S, Dai L (2012) Using risk in access control for cloud-assisted ehealth. High Perform. Comput. Commun. 2012 IEEE 9th Int. Conf. Embed. Softw. Syst. (HPCC-ICESS), 2012 IEEE 14th Int. Conf., p 1047\u20131052","DOI":"10.1109\/HPCC.2012.153"},{"key":"1214_CR26","doi-asserted-by":"crossref","unstructured":"Wang Q, Jin H (2011) Quantified risk-adaptive access control for patient privacy protection in health information systems, the 6th ACM Symposium on Information, Computer and Communications Security, Hong Kong, China","DOI":"10.1145\/1966913.1966969"},{"key":"1214_CR27","doi-asserted-by":"crossref","unstructured":"Atlam HF, Alenezi A, Walters RJ, Wills GB (2017) An overview of risk estimation techniques in risk-based access control for the Internet of Things. In: Proceedings of the 2nd International Conference on Internet of Things, Big Data and Security (IoTBDS 2017), p 254\u2013260","DOI":"10.5220\/0006292602540260"},{"key":"1214_CR28","doi-asserted-by":"crossref","unstructured":"Farroha B, Farroha D (2012) Challenges of \u2018operationalizing\u2019 dynamic system access control: Transitioning from ABAC to RAdAC. Syst. Conf. (SysCon), 2012 IEEE Int., p 1\u20137","DOI":"10.1109\/SysCon.2012.6189525"},{"key":"1214_CR29","doi-asserted-by":"crossref","unstructured":"Ouaddah A, Bouij-Pasquier I, Abou Elkalam A, Ait Ouahman A (2015) Security analysis and proposal of new access control model in the Internet of Thing. 2015 Int. Conf. Electr. Inf. Technol., p30\u201335","DOI":"10.1109\/EITech.2015.7162936"},{"key":"1214_CR30","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1016\/j.cose.2017.08.007","volume":"72","author":"J Li","year":"2018","unstructured":"Li J, Zhang Y, Chen X, Xiang Y (2018) Secure attribute-based data sharing for resource-limited users in cloud computing. Comput Secur 72:1\u201312","journal-title":"Comput Secur"},{"key":"1214_CR31","doi-asserted-by":"crossref","unstructured":"Atlam HF, Alenezi A, Alharthi A, Walters R, Wills G (2017) Integration of cloud computing with internet of things: challenges and open issues. In: 2017 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData), no. June, p 670\u2013675","DOI":"10.1109\/iThings-GreenCom-CPSCom-SmartData.2017.105"},{"issue":"8","key":"1214_CR32","doi-asserted-by":"publisher","first-page":"2201","DOI":"10.1109\/TPDS.2013.271","volume":"25","author":"J Li","year":"2014","unstructured":"Li J, Huang X, Li J, Chen X, Xiang Y (2014) Securely outsourcing attribute-based encryption with checkability. IEEE Trans Parallel Distrib Syst 25(8):2201\u20132210","journal-title":"IEEE Trans Parallel Distrib Syst"},{"key":"1214_CR33","first-page":"1","volume":"3","author":"J Hern\u00e1ndez-Ramos","year":"2013","unstructured":"Hern\u00e1ndez-Ramos J, Jara A (2013) Distributed capability-based access control for The Internet of Things. J Internet Serv Inf Secur 3:1\u201316","journal-title":"J Internet Serv Inf Secur"},{"key":"1214_CR34","doi-asserted-by":"crossref","unstructured":"Wang Q, Jin H (2011) Quantified risk-adaptive access control for patient privacy protection in health information systems. Proc. 6th ACM Symp. Information, Comput. Commun. Secur. - ASIACCS \u201811, p 406\u2013410","DOI":"10.1145\/1966913.1966969"},{"key":"1214_CR35","doi-asserted-by":"crossref","unstructured":"Li Y, Sun H, Chen Z, Ren J, Luo H (2008) Using trust and risk in access control for grid environment. Secur. Technol. 2008. SECTECH \u201808. Int. Conf., p 13\u201316","DOI":"10.1109\/SecTech.2008.50"},{"key":"1214_CR36","doi-asserted-by":"crossref","unstructured":"Watanabe H, Fujimura S, Nakadaira A, Miyazaki Y, Akutsu A, Kishigami J (2016) Blockchain contract: securing a blockchain applied to smart contracts. 2016 IEEE Int. Conf. Consum. Electron., p 467\u2013468","DOI":"10.1109\/ICCE.2016.7430693"},{"key":"1214_CR37","unstructured":"Yin J, Tang C, Zhang X, McIntosh M (2006) On estimating the security risks of composite software services. In: In First Program Analysis for Security and Safety Workshop Discussion (PASSWORD 2006)"},{"issue":"12","key":"1214_CR38","first-page":"1106","volume":"10","author":"SE Ramona","year":"2011","unstructured":"Ramona SE (2011) Advantages and disadvantages of quantitative and qualitative information risk approaches. Chinese Bus Rev 10(12):1106\u20131110","journal-title":"Chinese Bus Rev"},{"key":"1214_CR39","doi-asserted-by":"crossref","unstructured":"Bai Y, Wang D (1982) Fundamentals of fuzzy logic control \u2013 fuzzy sets, fuzzy rules and defuzzifications. Adv Fuzzy Log Technol Ind Appl 17\u201336","DOI":"10.1007\/978-1-84628-469-4_2"},{"issue":"3","key":"1214_CR40","first-page":"1198","volume":"2","author":"U Kose","year":"2012","unstructured":"Kose U (2012) Fundamentals of fuzzy logic with an easy-to-use, interactive fuzzy control application. Int J Mod Eng Res 2(3):1198\u20131203","journal-title":"Int J Mod Eng Res"},{"key":"1214_CR41","unstructured":"Leung K, Verga S (2007) Expert judgement in risk assessment expert judgement in risk assessment. Def. R&D Canada Cent. Oper. Res. Anal., no. December, p 321\u2013354"},{"key":"1214_CR42","doi-asserted-by":"crossref","unstructured":"Turisov\u00e1 R, Mihok J, K\u00e1d\u00e1rov\u00e1 J (2012) Verification of the risk assessment model through an expert judgment. Kval. Inovacia Prosper. Qual Innov Prosper 37\u201348","DOI":"10.12776\/qip.v16i1.60"},{"key":"1214_CR43","unstructured":"Shapiro A, Koissi M (2015) Risk assessment applications of fuzzy logic, no. March. Casualty Actuarial Society, Canadian Institute of Actuaries"},{"key":"1214_CR44","first-page":"30","volume":"30","author":"G Stoneburner","year":"2002","unstructured":"Stoneburner G, Goguen A, Feringa A (2002) Risk management guide for information technology systems. Nist Spec Publ Sp 30:30","journal-title":"Nist Spec Publ Sp"},{"key":"1214_CR45","first-page":"1","volume":"1","author":"K Binmore","year":"1999","unstructured":"Binmore K, Vulkan N (1999) Applying game theory to automated negotiation. Econ Res Electron Netw 1:1\u20139","journal-title":"Econ Res Electron Netw"},{"key":"1214_CR46","doi-asserted-by":"crossref","unstructured":"Hamdi M, Abie H (2014) Game-based adaptive security in The Internet of Things for eHealth. 2014 IEEE Int Conf Commun ICC 2014, p 920\u2013925","DOI":"10.1109\/ICC.2014.6883437"},{"key":"1214_CR47","unstructured":"Shang K, Hossen Z (2013) Applying fuzzy logic to risk assessment and decision-making. Casualty Actuar. Soc. Can. Inst. Actuar. Soc. Actuar., p 1\u201359"},{"issue":"3","key":"1214_CR48","doi-asserted-by":"publisher","first-page":"1183","DOI":"10.1109\/JSYST.2014.2306210","volume":"10","author":"S Wang","year":"2016","unstructured":"Wang S, Fan C, Hsu CH, Sun Q, Yang F (2016) A vertical handoff method via self-selection decision tree for internet of vehicles. IEEE Syst J 10(3):1183\u20131192","journal-title":"IEEE Syst J"},{"key":"1214_CR49","unstructured":"Boc K (2012) Fuzzy approach to risk analysis and its advantages against the qualitative approach. In: Proceedings of the 12th International Conference \u201cReliability and Statistics in Transportation and Communication\u201d. 12: 234\u2013239"},{"key":"1214_CR50","volume-title":"Managing information security risks: the octave approach","author":"CJ Alberts","year":"2002","unstructured":"Alberts CJ, Dorofee A (2002) Managing information security risks: the octave approach. Addison-Wesley Longman Publishing Co., Inc., Boston"},{"issue":"4","key":"1214_CR51","doi-asserted-by":"publisher","first-page":"199","DOI":"10.1016\/0020-0255(75)90036-5","volume":"8","author":"LA Zadeh","year":"1975","unstructured":"Zadeh LA (1975) The concept of a linguistic variable and its applications to approximate reasoning. Inf Sci (Ny) 8(4):199\u2013249","journal-title":"Inf Sci (Ny)"},{"key":"1214_CR52","volume-title":"Fuzzy sets and fuzzy information granulation theory","author":"D Ruan","year":"2000","unstructured":"Ruan D (2000) Fuzzy sets and fuzzy information granulation theory. Bejing Normal Univeristy Press, Bejing"},{"key":"1214_CR53","first-page":"307","volume":"31","author":"D Pluess","year":"2013","unstructured":"Pluess D, Groso A, Meyer T (2013) Expert Judegement in risk analysis: a strategy to overcome Uncertainities. Chem Eng Trans 31:307\u2013312","journal-title":"Chem Eng Trans"},{"key":"1214_CR54","doi-asserted-by":"publisher","first-page":"66","DOI":"10.1016\/j.jmir.2011.12.002","volume":"43","author":"A Bolderston","year":"2012","unstructured":"Bolderston A (2012) Conducting a research interview. J Med Imaging Radiat Sci 43:66\u201376","journal-title":"J Med Imaging Radiat Sci"},{"key":"1214_CR55","doi-asserted-by":"crossref","unstructured":"Ross TJ (2010) Fuzzy logic with engineering applications. John Wiley & Sons, Ltd","DOI":"10.1002\/9781119994374"}],"container-title":["Mobile Networks and Applications"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s11036-019-01214-w\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s11036-019-01214-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s11036-019-01214-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,9,13]],"date-time":"2023-09-13T07:15:53Z","timestamp":1694589353000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s11036-019-01214-w"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,1,28]]},"references-count":55,"journal-issue":{"issue":"6","published-print":{"date-parts":[[2021,12]]}},"alternative-id":["1214"],"URL":"https:\/\/doi.org\/10.1007\/s11036-019-01214-w","relation":{},"ISSN":["1383-469X","1572-8153"],"issn-type":[{"value":"1383-469X","type":"print"},{"value":"1572-8153","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019,1,28]]},"assertion":[{"value":"28 January 2019","order":1,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}]}}