Assigning Responsibility for Failed Obligations

Irwin, Keith; Yu, Ting; Winsborough, William H.

doi:10.1007/978-0-387-09428-1_21

Cited by 6 publications

(6 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…On the first hand, if a and c share a source forbidding an agent to harm another in the way c did, then a liability can be derived from that, and the corresponding sanction will be considered independently from x. It can also be the case that c broke one of its own norms and is sanctionned for that [10], but that its liability is not towards b. On the other hand, if c has not violated any norm applying to it, then it is not faulty in any way and has neither to be sanctionned nor to provide a reparation.…”

Section: Logical Model Of Obligation and Responsibilitymentioning

confidence: 99%

“…By default, any delegation that is not allowed is forbidden, and deny has priority over allow. The overall rule for deriving an obligation delegation from a delegation attempt is described by (10).…”

Section: Modelling Obligation Delegationmentioning

confidence: 99%

“…delObAttempt(A, P, B, C, X, FRoption, Loption), O(B, P, C, X), allow(B, A, P, C, X, FRoption, Loption, ), ¬deny(B, A, P, C, X, FRoption, Loption, ) delOb(A, P, B, C, X, FRoption, Loption) (10) Obligation chains We have seen that an obligation can be delegated with or without delegating (or sharing) liability towards the original obligator. In order to decide whether an agent is liable towards another for a given obligation, one must know whether there is a chain of obligations (including both the initial one and the delegated ones) between them, and whether liability has been shared or forwarded at each step.…”

Section: Modelling Obligation Delegationmentioning

confidence: 99%

“…Yet, agents can violate their obligations due to various causes that can be related to agents themselves (e.g. lack of time or competence), or to other agents who have performed (or not) actions such that they have blocked out the fulfillment of the obligation, or finally to system faults, such as a system dysfunctioning or insufficient authorization/resource [10]. For these reasons, it is necessary to have means to clearly identify the responsibility of agents that are involved in the obligation violation, especially when obligations are delegated to one or more other agents.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Delegation of Obligations and Responsibility

Ghorbel

Cuppens

Cuppens-Boulahia

et al. 2011

IFIP Advances in Information and Communication Technology

View full text Add to dashboard Cite

Abstract. In this paper, we discuss the issue of responsibilities related to the fulfillment and the violation of obligations. We propose to formally define the different aspects of responsibility, namely causal responsibility, functional responsibility, liability as well as sanctions, and to examine how delegation influences these concepts. Our main aim is to identify the responsibility of each agent that is involved in the delegation of obligations. More precisely, we try to answer to the following questions: who is responsible for the obligation fulfillment? When a violation occurs, which agents are causally responsible for this violation? Who is liable for this violation and to whom? And finally, who must be sanctioned?

show abstract

Section: Logical Model Of Obligation and Responsibilitymentioning

confidence: 99%

Section: Modelling Obligation Delegationmentioning

confidence: 99%

Section: Modelling Obligation Delegationmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Delegation of Obligations and Responsibility

Ghorbel

Cuppens

Cuppens-Boulahia

et al. 2011

IFIP Advances in Information and Communication Technology

View full text Add to dashboard Cite

show abstract

“…Many application domains, including healthcare information systems, require the inclusion of obligations as part of their access control policies [3,7,13]. An obligation is an action that needs to be performed by a user before or after accessing a resource 1 .…”

Section: Introductionmentioning

confidence: 99%

Beyond accountability

Baracaldo

Joshi

2013

Proceedings of the 18th ACM Symposium on Access Control Models and Technologies

View full text Add to dashboard Cite

Recently, the importance of including obligations as part of access control systems for privilege management, for example, in healthcare information systems, has been well recognized. In an access control system, an a posteriori obligation states which actions need to be performed by a user after he has accessed a resource. There is no guarantee that a user will fulfill a posteriori obligations. Not fulfilling these obligations may incur financial loss, or loss of goodwill and productivity to the organization. In this paper, we propose a trust-and-obligation based framework that reduces the risk exposure of an organization associated with a posteriori obligations. We propose a methodology to assign trust values to users to indicate how trustworthy they are with regards to fulfilling their obligations. When access requests that trigger a posteriori obligations are evaluated, the requesting users' trust values and the criticality of the associated obligations are used. Our framework detects and mitigates insider attacks and unintentional damages that may result from violating a posteriori obligations. Our framework also provides mechanisms to determine misconfigurations of obligation policies. We evaluate our framework through simulations and demonstrate its effectiveness.

show abstract

xESB: An Enterprise Service Bus for Access and Usage Control Policy Enforcement

Gheorghe

Neuhaus

Crispo

2010

IFIP Advances in Information and Communication Technology

View full text Add to dashboard Cite

Enforcing complex policies that span organizational domains is an open challenge. Current work on SOA policy enforcement splits security in logical components that can be distributed across domains, but does not offer any concrete solution to integrate this security functionality so that it works across security services for organization-wide policies. In this paper, we propose xESB, an enhanced version of an Enterprise Message Bus (ESB), where we monitor and enforce preventive and reactive policies, both for access control and usage control policies, and both inside one domain and between domains. In addition, we introduce indicators that help SOA administrators assess the effectiveness of their policies. Our performance measurements show that policy enforcement at the ESB level comes with only moderate penalties.

show abstract

Assigning Responsibility for Failed Obligations

Cited by 6 publications

References 16 publications

Delegation of Obligations and Responsibility

Delegation of Obligations and Responsibility

Beyond accountability

xESB: An Enterprise Service Bus for Access and Usage Control Policy Enforcement

Contact Info

Product

Resources

About