{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T04:56:16Z","timestamp":1755838576200,"version":"3.41.2"},"reference-count":37,"publisher":"Emerald","issue":"1","license":[{"start":{"date-parts":[[2017,3,13]],"date-time":"2017-03-13T00:00:00Z","timestamp":1489363200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2017,3,13]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>The Bring-Your-Own-Device (BYOD) paradigm favors the use of personal and public devices and communication means in corporate environments, thus representing a challenge for the traditional security and risk management systems. In this dynamic and heterogeneous setting, the purpose of this paper is to present a methodology called opportunity-enabled risk management (OPPRIM), which supports the decision-making process in access control to remote corporate assets.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>OPPRIM relies on a logic-based risk policy model combining estimations of trust, threats and opportunities. Moreover, it is based on a mobile client \u2013 server architecture, where the OPPRIM application running on the user device interacts with the company IT security server to manage every access request to corporate assets.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>As a mandatory requirement in the highly flexible BYOD setting, in the OPPRIM approach, mobile device security risks are identified automatically and dynamically depending on the specific environment in which the access request is issued and on the previous history of events.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>The main novelty of the OPPRIM approach is the combined treatment of threats (resp., opportunities) and costs (resp., benefits) in a trust-based setting. The OPPRIM system is validated with respect to an economic perspective: cost-benefit sensitivity analysis is conducted through formal methods using the PRISM model checker and through agent-based simulations using the Anylogic framework.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-05-2016-0037","type":"journal-article","created":{"date-parts":[[2017,3,1]],"date-time":"2017-03-01T08:28:36Z","timestamp":1488356916000},"page":"2-25","source":"Crossref","is-referenced-by-count":9,"title":["Design and validation of a trust-based opportunity-enabled risk management system"],"prefix":"10.1108","volume":"25","author":[{"given":"Alessandro","family":"Aldini","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jean-Marc","family":"Seigneur","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Carlos","family":"Ballester Lafuente","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Xavier","family":"Titi","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jonathan","family":"Guislain","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"140","reference":[{"issue":"11","key":"key2020120822500799300_ref001","doi-asserted-by":"crossref","first-page":"1503","DOI":"10.1016\/j.ress.2006.10.003","article-title":"A formal approach to the integrated analysis of security and qos","volume":"92","year":"2007","journal-title":"Journal of Reliability Engineering & System Safety"},{"first-page":"676","article-title":"Formal modeling and verification of opportunity-enabled risk management","year":"2015","key":"key2020120822500799300_ref002"},{"key":"key2020120822500799300_ref003","doi-asserted-by":"crossref","first-page":"48","DOI":"10.1109\/MC.2014.164","article-title":"Securing the \u2018bring your own device\u2019 paradigm","volume":"47","year":"2014","journal-title":"IEEE Computer"},{"key":"key2020120822500799300_ref004","first-page":"55","article-title":"Modelling risk and identifying countermeasure in organizations","volume-title":"1st International Workshop on Critical Information Infrastructures Security (CRITIS\u201d06)\u2019, Vol. 4347 of LNCS","year":"2006"},{"first-page":"1240","article-title":"Risk as dependability metrics for the evaluation of business solutions: a model-driven approach","year":"2008","key":"key2020120822500799300_ref005"},{"issue":"2","key":"key2020120822500799300_ref006","first-page":"183","article-title":"A comparative analysis of trust models for multi-agent systems","volume":"1","year":"2013","journal-title":"Lecture Notes on Software Engineering"},{"first-page":"167","article-title":"A trust-and-risk aware RBAC framework: tackling insider threat","year":"2012","key":"key2020120822500799300_ref007"},{"first-page":"164","article-title":"Decentralized trust management","year":"1996","key":"key2020120822500799300_ref008"},{"key":"key2020120822500799300_ref009","unstructured":"Borshchev, A. (2013), \u201cThe big book of simulation modeling\u201d, Technical report."},{"key":"key2020120822500799300_ref010","unstructured":"Cavoukian, A. (2013), \u201cBYOD (bring your own device): is your organization ready?\u201d, Technical report, Information and Privacy Commissioner."},{"issue":"1","key":"key2020120822500799300_ref011","doi-asserted-by":"crossref","first-page":"61","DOI":"10.1007\/s10703-013-0183-7","article-title":"Automatic verification of competitive stochastic systems","volume":"43","year":"2013","journal-title":"Formal Methods in System Design"},{"key":"key2020120822500799300_ref012","unstructured":"Clarke, J., Gomez Hidalgo, M., Lioy, A., Petkovic, M., Vishik, C. and Ward, J. (2012), \u201cConsumerization of IT: top risks and opportunities\u201d, Technical report, European Network and Information Security Agency (ENISA)."},{"key":"key2020120822500799300_ref013","unstructured":"Dimmock, N. (2005), \u201cUsing trust and risk for access control in global computing\u201d, PhD thesis, University of Cambridge, Cambridge."},{"key":"key2020120822500799300_ref014","unstructured":"ENISA (2006), \u201cRisk assessment and risk management methods: information packages for small and medium sized enterprises (SMEs)\u201d, Technical report."},{"issue":"1","key":"key2020120822500799300_ref015","article-title":"Bring your own device (byod): security risks and mitigating strategies","volume":"4","year":"2013","journal-title":"Journal of Global Research in Computer Science"},{"year":"2011","key":"key2020120822500799300_ref016","article-title":"Using quantified risk and benefit to strengthen the security of information sharing"},{"year":"2012","key":"key2020120822500799300_ref017","article-title":"Making devices trustworthy: security and trust feedback in the Internet of Things"},{"key":"key2020120822500799300_ref018","unstructured":"ISO 27005 (2008), \u201cInformation technology \u2013 security techniques \u2013 information security risk management\u201d, Technical report."},{"key":"key2020120822500799300_ref019","unstructured":"ISO 31000 (2009), \u201cRisk management \u2013 principles and guidelines\u201d, Technical report."},{"key":"key2020120822500799300_ref020","unstructured":"ISO\/IEC (2009), \u201cGuide 73 \u2013 risk management vocabulary\u201d, Technical report."},{"key":"key2020120822500799300_ref021","first-page":"209","article-title":"Trust and reputation systems","volume-title":"\u201cFoundations of Security Analysis and Design IV\u201d, Vol. 4677 of LNCS","year":"2007"},{"first-page":"288","article-title":"A hybrid trust model for authorisation using trusted platforms","year":"2011","key":"key2020120822500799300_ref022"},{"first-page":"585","article-title":"PRISM 4.0: verification of probabilistic real-time systems","year":"2011","key":"key2020120822500799300_ref023"},{"key":"key2020120822500799300_ref024","first-page":"231","article-title":"Risk analysis of changing and evolving systems using CORAS","volume-title":"\u201cFoundations of Security Analysis and Design VI\u201d, Vol. 6858 of LNCS","year":"2011"},{"key":"key2020120822500799300_ref025","unstructured":"Marsh, S. (1994), \u201cFormalising trust as a computational concept\u201d, Phd thesis, Department of Mathematics and Computer Science, University of Stirling, Stirling."},{"issue":"12","key":"key2020120822500799300_ref026","doi-asserted-by":"crossref","first-page":"5","DOI":"10.1016\/S1353-4858(12)70111-3","article-title":"BYOD security challenges: control and protect your most sensitive data","volume":"2012","year":"2012","journal-title":"Network Security"},{"first-page":"25","article-title":"An application restriction system for bring-your-own-device scenarios","year":"2016","key":"key2020120822500799300_ref027"},{"year":"2015","key":"key2020120822500799300_ref028","article-title":"Are you ready to lose control? A theory on the role of trust and risk perception on bring-your-own-device policy and information system service quality"},{"key":"key2020120822500799300_ref029","unstructured":"Ponemon (2013), \u201cCost of data breach study: global analysis\u201d, Technical report."},{"key":"key2020120822500799300_ref030","first-page":"2427","article-title":"Review of considerations for mobile device based secure access to financial services and risk handling strategy for cios, cisos and ctos","volume":"6","year":"2015","journal-title":"International Journal of Advanced Networking and Applications"},{"first-page":"82","article-title":"A survey of trust and risk metrics for a BYOD mobile working world","year":"2014","key":"key2020120822500799300_ref031"},{"first-page":"189","article-title":"Risk-based decision method for access control systems","year":"2011","key":"key2020120822500799300_ref032"},{"key":"key2020120822500799300_ref033","unstructured":"Shostack, A. (2008), \u201cReinvigorate your threat modeling process\u201d, MSDN Magazine."},{"first-page":"1698","article-title":"Case study: legal requirements for the use of social login features for online reputation updates","year":"2014","key":"key2020120822500799300_ref034"},{"key":"key2020120822500799300_ref035","unstructured":"The White House (2012), \u201cA toolkit to support Federal Agencies implementing bring your own device (BYOD) programs\u201d, Technical report, Digital Services Advisory Group and Federal Chief Information Officers Council."},{"first-page":"411","article-title":"Risk management in the era of byod: the quintet of technology adoption, controls, liabilities, user perception, and user behavior","year":"2013","key":"key2020120822500799300_ref036"},{"first-page":"45","article-title":"Toward information sharing: benefit and risk access control (BARAC)","year":"2006","key":"key2020120822500799300_ref037"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-05-2016-0037\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-05-2016-0037\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:54Z","timestamp":1753406574000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/25\/1\/2-25\/109752"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,3,13]]},"references-count":37,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2017,3,13]]}},"alternative-id":["10.1108\/ICS-05-2016-0037"],"URL":"https:\/\/doi.org\/10.1108\/ics-05-2016-0037","relation":{},"ISSN":["2056-4961"],"issn-type":[{"type":"print","value":"2056-4961"}],"subject":[],"published":{"date-parts":[[2017,3,13]]}}}