{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,26]],"date-time":"2026-03-26T16:07:24Z","timestamp":1774541244613,"version":"3.50.1"},"reference-count":55,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2022,3,2]],"date-time":"2022-03-02T00:00:00Z","timestamp":1646179200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2022,3,2]],"date-time":"2022-03-02T00:00:00Z","timestamp":1646179200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100000266","name":"engineering and physical sciences research council","doi-asserted-by":"publisher","award":["EP\/M029263\/1"],"award-info":[{"award-number":["EP\/M029263\/1"]}],"id":[{"id":"10.13039\/501100000266","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecurity"],"published-print":{"date-parts":[[2022,12]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Analysing access control policies is an essential process for ensuring over-prescribed permissions are identified and removed. This is a time-consuming and knowledge-intensive process, largely because there is a wealth of policy information that needs to be manually examined. Furthermore, there is no standard definition of what constitutes an over-entitled permission within an organisation\u2019s access control policy, making it impossible to develop automated rule-based approaches. It is often the case that over-entitled permissions are subjective to an organisation\u2019s role-based structure, where access is divided and managed based on different employee needs. In this context, an irregular permission could be one where an employee has frequently changed roles, thus accumulating a wide-ranging set of permissions. There is no <jats:italic>one size fits all<\/jats:italic> approach to identifying permissions where an employee is receiving more permission than is necessary, and it is necessary to examine them in the context of the organisation to establish their individual <jats:italic>risk<\/jats:italic>. Risk is not a binary measure and, in this work, an approach is built using Fuzzy Logic to determine an overall risk rating, which can then be used to make a more informed decision as to whether a user is over-entitled and presenting risk to the organisation. This requires the exploratory use of establishing resource <jats:italic>sensitivity<\/jats:italic> and user <jats:italic>trust<\/jats:italic> as measures to determine a risk rating. The paper presents a generic solution, which has been implemented to perform experimental analysis on Microsoft\u2019s New Technology File System to show how this works in practice. A simulation using expert knowledge for comparison is then performed to demonstrate how effective it is at helping the user identify potential irregular permissions.<\/jats:p>","DOI":"10.1186\/s42400-022-00112-1","type":"journal-article","created":{"date-parts":[[2022,3,2]],"date-time":"2022-03-02T03:02:46Z","timestamp":1646190166000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":14,"title":["Identifying high-risk over-entitlement in access control policies using fuzzy logic"],"prefix":"10.1186","volume":"5","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-1747-9914","authenticated-orcid":false,"given":"Simon","family":"Parkinson","sequence":"first","affiliation":[]},{"given":"Saad","family":"Khana","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2022,3,2]]},"reference":[{"key":"112_CR1","doi-asserted-by":"crossref","unstructured":"Abie H, Balasingham I (2012) Risk-based adaptive security for smart IoT in ehealth. In: Proceedings of the 7th international conference on body area networks. ICST (Institute for Computer Sciences, Social-Informatics and...), pp 269\u2013275","DOI":"10.4108\/icst.bodynets.2012.250235"},{"key":"112_CR2","doi-asserted-by":"crossref","unstructured":"Ahmed A, Alnajem A (2012) Trust-aware access control: how recent is your transaction history? In: 2012 second international conference on digital information and communication technology and it\u2019s applications (DICTAP). IEEE, pp 208\u2013213","DOI":"10.1109\/DICTAP.2012.6215352"},{"issue":"1","key":"112_CR3","first-page":"157","volume":"19","author":"M Aqib","year":"2018","unstructured":"Aqib M, Shaikh RA (2018) A tool for access control policy validation. 
J Internet Technol 19(1):157\u2013166","journal-title":"J Internet Technol"},{"key":"112_CR4","doi-asserted-by":"crossref","unstructured":"Atlam HF, Alenezi A, Walters RJ, Wills GB, Daniel J (2017) Developing an adaptive risk-based access control model for the internet of things. In: 2017 IEEE international conference on Internet of Things (iThings) and IEEE green computing and communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and Ieee Smart Data (SmartData). IEEE, pp 655\u2013661","DOI":"10.1109\/iThings-GreenCom-CPSCom-SmartData.2017.103"},{"key":"112_CR5","doi-asserted-by":"crossref","unstructured":"Atlam HF, Walters RJ, Wills GB, Daniel J (2019) Fuzzy logic with expert judgment to implement an adaptive risk-based access control model for IoT. Mobile Networks and Applications, pp 1\u201313","DOI":"10.1007\/s11036-019-01214-w"},{"issue":"5","key":"112_CR6","doi-asserted-by":"publisher","first-page":"1763","DOI":"10.1007\/s00500-015-1705-6","volume":"20","author":"JB Bernabe","year":"2016","unstructured":"Bernabe JB, Ramos JLH, Gomez AFS (2016) Taciot: multidimensional trust-aware access control system for the internet of things. Soft Comput 20(5):1763\u20131779","journal-title":"Soft Comput"},{"key":"112_CR7","doi-asserted-by":"crossref","unstructured":"Bodnar T, Tucker C, Hopkinson K, Bil\u00e9n SG (2014) Increasing the veracity of event detection on social media networks through user trust modeling. In: 2014 IEEE international conference on big data (Big Data). IEEE, pp 636\u2013643","DOI":"10.1109\/BigData.2014.7004286"},{"key":"112_CR8","doi-asserted-by":"crossref","unstructured":"Cheng P-C, Rohatgi P, Keser C, Karger PA, Wagner GM, Reninger AS (2007) Fuzzy multi-level security: an experiment on quantified risk-adaptive access control. In: IEEE symposium on security and privacy. SP\u201907. 
IEEE, pp 222\u2013230","DOI":"10.1109\/SP.2007.21"},{"key":"112_CR9","unstructured":"Cheng P-C, Koved L, Singh KK (2016) Trust\/value\/risk-based access control policy. Google Patents. US Patent 9,432,375"},{"key":"112_CR10","doi-asserted-by":"crossref","unstructured":"El Hadj MA, Khoumsi A, Benkaouz Y, Erradi M (2018) Formal approach to detect and resolve anomalies while clustering abac policies. EAI Endorsed Transactions on Security and Safety 5(16)","DOI":"10.4108\/eai.13-7-2018.156003"},{"key":"112_CR11","unstructured":"Ferraiolo D, Kuhn DR, Chandramouli R (2003) Role-based access control. In: In Proceedings of the NIST-NSA National (USA) computer security conference, pp 554\u2013563"},{"issue":"2","key":"112_CR12","doi-asserted-by":"publisher","first-page":"116","DOI":"10.1016\/j.aci.2014.07.001","volume":"11","author":"O Folorunso","year":"2015","unstructured":"Folorunso O, Mustapha OA (2015) A fuzzy expert system to trust-based access control in crowdsourcing environments. Appl Comput Inform 11(2):116\u2013129","journal-title":"Appl Comput Inform"},{"issue":"3","key":"112_CR13","doi-asserted-by":"publisher","first-page":"127","DOI":"10.1108\/02686909910259103","volume":"14","author":"GT Friedlob","year":"1999","unstructured":"Friedlob GT, Schleifer LL (1999) Fuzzy logic: application for audit risk and uncertainty. Manag Audit J 14(3):127\u2013137","journal-title":"Manag Audit J"},{"key":"112_CR14","unstructured":"Gaddam A, Aissi S, Kgil T (2014) Data sensitivity based authentication and authorization. Google Patents. US Patent App. 14\/303,461"},{"key":"112_CR15","doi-asserted-by":"publisher","first-page":"296","DOI":"10.1016\/j.cose.2019.01.005","volume":"82","author":"N Gal-Oz","year":"2019","unstructured":"Gal-Oz N, Gonen Y, Gudes E (2019) Mining meaningful and rare roles from web application usage patterns. 
Comput Secur 82:296\u2013313","journal-title":"Comput Secur"},{"key":"112_CR16","first-page":"299","volume":"307","author":"N Helil","year":"2017","unstructured":"Helil N, Halik A, Rahman K (2017) Non-zero-sum cooperative access control game model with user trust and permission risk. Appl Math Comput 307:299\u2013310","journal-title":"Appl Math Comput"},{"issue":"6","key":"112_CR17","doi-asserted-by":"publisher","first-page":"341","DOI":"10.1109\/TDSC.2013.18","volume":"10","author":"H Hu","year":"2013","unstructured":"Hu H, Ahn G-J, Kulkarni K (2013) Discovery and resolution of anomalies in web access control policies. IEEE Trans Dependable Secure Comput 10(6):341\u2013354","journal-title":"IEEE Trans Dependable Secure Comput"},{"key":"112_CR18","doi-asserted-by":"publisher","first-page":"116","DOI":"10.1016\/j.eswa.2018.07.006","volume":"113","author":"S Khan","year":"2018","unstructured":"Khan S, Parkinson S (2018) Eliciting and utilising knowledge for security event log analysis: an association rule mining and automated planning approach. Expert Syst Appl 113:116\u2013127","journal-title":"Expert Syst Appl"},{"key":"112_CR19","first-page":"102375","volume":"48","author":"S Khan","year":"2019","unstructured":"Khan S, Parkinson S (2019) Discovering and utilising expert knowledge from security event logs. J Inf Secur Appl 48:102375","journal-title":"J Inf Secur Appl"},{"key":"112_CR20","unstructured":"Kiedrowicz M, Stanik J, Kubiak B, Ma\u015blankowski J (2015) Selected aspects of risk management in respect of security of the document lifecycle management system with multiple levels of sensitivity. In: Kubiak BF, Ma\u015blankowski J (eds) Information management in practice, pp 231\u2013249"},{"key":"112_CR21","unstructured":"Kozhakhmet K, Bortsova G, Inoue A, Atymtayeva L (2012) Expert system for security audit using fuzzy logic. 
In: Midwest artificial intelligence and cognitive science conference, p 146"},{"key":"112_CR22","doi-asserted-by":"crossref","unstructured":"Leichtenstern K, Andr\u00e9 E, Kurdyukova E (2010) Managing user trust for self-adaptive ubiquitous computing systems. In: Proceedings of the 8th international conference on advances in mobile computing and multimedia, pp 409\u2013414","DOI":"10.1145\/1971519.1971589"},{"key":"112_CR23","unstructured":"Li N, Tripunitara MV (2005) On safety in discretionary access control. In: 2005 IEEE symposium on security and privacy (S&P\u201905). IEEE, pp 96\u2013109"},{"issue":"8","key":"112_CR24","doi-asserted-by":"publisher","first-page":"932941","DOI":"10.1155\/2015\/932941","volume":"11","author":"X Lu","year":"2015","unstructured":"Lu X, Qu Z, Li Q, Hui P (2015) Privacy information security classification for internet of things based on internet data. Int J Distrib Sens Netw 11(8):932941","journal-title":"Int J Distrib Sens Netw"},{"key":"112_CR25","doi-asserted-by":"crossref","unstructured":"Mahalle PN, Thakr, PA, Prasad NR, Prasad R (2013) A fuzzy approach to trust based access control in internet of things. In: Wireless VITAE 2013. IEEE, pp 1\u20135","DOI":"10.1109\/VITAE.2013.6617083"},{"key":"112_CR26","unstructured":"McLeod S (2007) Maslow\u2019s hierarchy of needs. Simply Psychol 1"},{"issue":"2","key":"112_CR27","doi-asserted-by":"publisher","first-page":"33","DOI":"10.4018\/IJACI.2016070102","volume":"7","author":"NA Mhetre","year":"2016","unstructured":"Mhetre NA, Deshpande AV, Mahalle PN (2016) Trust management model based on fuzzy approach for ubiquitous computing. 
Int J Ambient Comput Intell (IJACI) 7(2):33\u201346","journal-title":"Int J Ambient Comput Intell (IJACI)"},{"key":"112_CR28","doi-asserted-by":"publisher","first-page":"245","DOI":"10.1016\/j.asoc.2017.02.022","volume":"56","author":"SM Nekooei","year":"2017","unstructured":"Nekooei SM, Chen G, Rayudu RK (2017) Automatic design of fuzzy logic controllers for medium access control in wireless body area networks-an evolutionary approach. Appl Soft Comput 56:245\u2013261","journal-title":"Appl Soft Comput"},{"key":"112_CR29","doi-asserted-by":"crossref","unstructured":"Ni Q, Bertino E, Lobo J (2010) Risk-based access control systems built on fuzzy inferences. In: Proceedings of the 5th ACM symposium on information, computer and communications security. ACM, pp 250\u2013260","DOI":"10.1145\/1755688.1755719"},{"issue":"2","key":"112_CR30","doi-asserted-by":"publisher","first-page":"85","DOI":"10.1145\/354876.354878","volume":"3","author":"S Osborn","year":"2000","unstructured":"Osborn S, Sandhu R, Munawer Q (2000) Configuring role-based access control to enforce mandatory and discretionary access control policies. ACM Trans Inf Syst Secur (TISSEC) 3(2):85\u2013106","journal-title":"ACM Trans Inf Syst Secur (TISSEC)"},{"key":"112_CR31","doi-asserted-by":"publisher","first-page":"237","DOI":"10.1016\/j.comnet.2016.11.007","volume":"112","author":"A Ouaddah","year":"2017","unstructured":"Ouaddah A, Mousannif H, Elkalam AA, Ouahman AA (2017) Access control in the internet of things: big challenges and new opportunities. Comput Netw 112:237\u2013262","journal-title":"Comput Netw"},{"key":"112_CR32","doi-asserted-by":"crossref","unstructured":"Park Y, Gates SC, Teiken W, Cheng P-C (2011) An experimental study on the measurement of data sensitivity. 
In: Proceedings of the first workshop on building analysis datasets and gathering experience returns for security, pp 70\u201377","DOI":"10.1145\/1978672.1978681"},{"key":"112_CR33","doi-asserted-by":"crossref","unstructured":"Park Y, Gates C, Gates SC (2013) Estimating asset sensitivity by profiling users. In: European symposium on research in computer security. Springer, pp 94\u2013110","DOI":"10.1007\/978-3-642-40203-6_6"},{"issue":"4","key":"112_CR34","doi-asserted-by":"publisher","first-page":"2","DOI":"10.1147\/JRD.2016.2557638","volume":"60","author":"Y Park","year":"2016","unstructured":"Park Y, Teiken W, Rao JR, Chari S (2016) Data classification and sensitivity estimation for critical asset discovery. IBM J Res Dev 60(4):2\u20131","journal-title":"IBM J Res Dev"},{"issue":"7","key":"112_CR35","doi-asserted-by":"publisher","first-page":"5","DOI":"10.1016\/S1353-4858(17)30069-7","volume":"2017","author":"S Parkinson","year":"2017","unstructured":"Parkinson S (2017) Use of access control to minimise ransomware impact. Netw Secur 2017(7):5\u20138","journal-title":"Netw Secur"},{"key":"112_CR36","doi-asserted-by":"publisher","first-page":"27","DOI":"10.1016\/j.jisa.2016.04.004","volume":"30","author":"S Parkinson","year":"2016","unstructured":"Parkinson S, Crampton A (2016) Identification of irregularities and allocation suggestion of relative file system permissions. J Inf Secur Appl 30:27\u201339. https:\/\/doi.org\/10.1016\/j.jisa.2016.04.004","journal-title":"J Inf Secur Appl"},{"key":"112_CR37","first-page":"52","volume":"40","author":"S Parkinson","year":"2018","unstructured":"Parkinson S, Khan S (2018) Identifying irregularities in security event logs through an object-based chi-squared test of independence. 
J Inf Secur Appl 40:52\u201362","journal-title":"J Inf Secur Appl"},{"key":"112_CR38","doi-asserted-by":"publisher","first-page":"274","DOI":"10.1016\/j.eswa.2016.02.027","volume":"55","author":"S Parkinson","year":"2016","unstructured":"Parkinson S, Somaraki V, Ward R (2016) Auditing file system permissions using association rule mining. Expert Syst Appl 55:274\u2013283. https:\/\/doi.org\/10.1016\/j.eswa.2016.02.027","journal-title":"Expert Syst Appl"},{"issue":"16","key":"112_CR39","doi-asserted-by":"publisher","first-page":"4433","DOI":"10.1002\/cpe.4433","volume":"30","author":"S Parkinson","year":"2018","unstructured":"Parkinson S, Vallati M, Crampton A, Sohrabi S (2018) Graphbad: a general technique for anomaly detection in security information and event management. Concurr Comput Pract Exp 30(16):4433","journal-title":"Concurr Comput Pract Exp"},{"issue":"1","key":"112_CR40","doi-asserted-by":"publisher","first-page":"14","DOI":"10.1186\/s42400-019-0031-1","volume":"2","author":"S Parkinson","year":"2019","unstructured":"Parkinson S, Khan S, Bray J, Shreef D (2019) Creeper: a tool for detecting permission creep in file system access controls. Cybersecurity 2(1):14","journal-title":"Cybersecurity"},{"key":"112_CR41","volume-title":"Fuzzy logic: implementation and applications","author":"MJ Patyra","year":"2012","unstructured":"Patyra MJ, Mlynek DJ (2012) Fuzzy logic: implementation and applications. Springer, Berlin"},{"key":"112_CR42","unstructured":"Pfleeger CP, Pfleeger SL (2002) Security in Computing. Prentice Hall Professional Technical Reference"},{"key":"112_CR43","doi-asserted-by":"crossref","unstructured":"Rahmati A, Fernandes E, Eykholt K, Prakash A (2018) Tyche: a risk-based permission model for smart homes. In: 2018 IEEE cybersecurity development (SecDev), pp. 29\u201336. 
IEEE","DOI":"10.1109\/SecDev.2018.00012"},{"issue":"1","key":"112_CR44","doi-asserted-by":"publisher","first-page":"36","DOI":"10.1016\/j.cose.2005.06.007","volume":"25","author":"I Ray","year":"2006","unstructured":"Ray I, Kumar M (2006) Towards a location-based mandatory access control model. Comput Secur 25(1):36\u201344","journal-title":"Comput Secur"},{"key":"112_CR45","doi-asserted-by":"crossref","unstructured":"Ryutov T, Zhou L, Neuman C, Leithead T, Seamons KE (2005) Adaptive trust negotiation and access control. In: Proceedings of the tenth ACM symposium on access control models and technologies, pp. 139\u2013146. ACM","DOI":"10.1145\/1063979.1064004"},{"key":"112_CR46","unstructured":"Salem MB, Bhatti R, Solderitsch J (2013) Method and system for resource management based on adaptive risk-based access controls. Google Patents. US Patent App. 13\/774,356"},{"key":"112_CR47","doi-asserted-by":"crossref","unstructured":"Samarati P, de Vimercati SC (2000) Access control: policies, models, and mechanisms. In: International school on foundations of security analysis and design, pp. 137\u2013196. Springer, Berlin","DOI":"10.1007\/3-540-45608-2_3"},{"issue":"9","key":"112_CR48","doi-asserted-by":"publisher","first-page":"40","DOI":"10.1109\/35.312842","volume":"32","author":"RS Sandhu","year":"1994","unstructured":"Sandhu RS, Samarati P (1994) Access control: principle and practice. IEEE Commun Mag 32(9):40\u201348","journal-title":"IEEE Commun Mag"},{"issue":"2","key":"112_CR49","doi-asserted-by":"publisher","first-page":"38","DOI":"10.1109\/2.485845","volume":"29","author":"RS Sandhu","year":"1996","unstructured":"Sandhu RS, Coyne EJ, Feinstein HL, Youman CE (1996) Role-based access control models. Computer 29(2):38\u201347","journal-title":"Computer"},{"key":"112_CR50","doi-asserted-by":"crossref","unstructured":"Shahriar H, Zulkernine M (2011) A fuzzy logic-based buffer overflow vulnerability auditor. 
In: 2011 IEEE ninth international conference on dependable, autonomic and secure computing. IEEE, pp 137\u2013144","DOI":"10.1109\/DASC.2011.45"},{"key":"112_CR51","doi-asserted-by":"publisher","first-page":"493","DOI":"10.1016\/j.procs.2015.03.087","volume":"45","author":"R Shaikh","year":"2015","unstructured":"Shaikh R, Sasikumar M (2015) Data classification for achieving security in cloud computing. Procedia Comput Sci 45:493\u2013498","journal-title":"Procedia Comput Sci"},{"key":"112_CR52","unstructured":"Sherwin K (2016) Hierarchy of trust: the 5 experiential levels of commitment. https:\/\/www.nngroup.com\/articles\/commitment-levels"},{"key":"112_CR53","doi-asserted-by":"crossref","unstructured":"Stanik J (2017) System risk model of the it system supporting the processing of documents at different levels of sensitivity. In: MATEC Web of Conferences, vol. 125, p. 02011. EDP Sciences","DOI":"10.1051\/matecconf\/201712502011"},{"issue":"1","key":"112_CR54","first-page":"45","volume":"19","author":"YA Younis","year":"2014","unstructured":"Younis YA, Kifayat K, Merabti M (2014) An access control model for cloud computing. J Inf Secur Appl 19(1):45\u201360","journal-title":"J Inf Secur Appl"},{"issue":"1","key":"112_CR55","first-page":"1","volume":"2015","author":"A Zhou","year":"2015","unstructured":"Zhou A, Li J, Sun Q, Fan C, Lei T, Yang F (2015) A security authentication method based on trust evaluation in VANETs. 
EURASIP J Wirel Commun Netw 2015(1):1\u20138","journal-title":"EURASIP J Wirel Commun Netw"}],"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-022-00112-1.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-022-00112-1\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-022-00112-1.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,3,2]],"date-time":"2022-03-02T03:06:42Z","timestamp":1646190402000},"score":1,"resource":{"primary":{"URL":"https:\/\/cybersecurity.springeropen.com\/articles\/10.1186\/s42400-022-00112-1"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,3,2]]},"references-count":55,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2022,12]]}},"alternative-id":["112"],"URL":"https:\/\/doi.org\/10.1186\/s42400-022-00112-1","relation":{},"ISSN":["2523-3246"],"issn-type":[{"value":"2523-3246","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,3,2]]},"assertion":[{"value":"14 July 2021","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"17 January 2022","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"2 March 2022","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no competing interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing 
interests"}}],"article-number":"6"}}