Sara (Scout) Sinclair: "Access Control as Risk Management"


Wednesday, February 11, 2009, 12:00pm to 1:30pm


Maxwell Dworkin 2nd Floor Lounge Area

CRCS Privacy and Security Lunch Seminar

Abstract: Access control aims to provide the correct permissions to users of a computer system: if Alma can access resources that are not necessary to her job, she may (either willfully or accidentally) cause harm. Similarly, if Ben is denied legitimate access to resources, the resultant slowdown can pose additional cost to his organization. Much work has focused on access control for highly sensitive environments, such as the intelligence community, and on the formally provable assurances of such policies. Other work on Role-Based Access Control (RBAC) and Role Engineering has tried to address issues in the deployment and maintenance of access control systems, but important challenges remain for practitioners in investment banking, healthcare, and other industries. Looking beyond the expressive powers and provable characteristics of access policies, this talk casts access control as a problem of cost and risk management. Building on a number of case studies drawn from real organizations, we will consider the tradeoffs inherent to access control management, and identify specific costs and risks therein. We will also use this framework to examine a number of trends in access control research, and to argue for new approaches to these familiar problems.

Bio: Sara “Scout” Sinclair is a Ph.D. candidate in Computer Science at Dartmouth College, where she is a member of the PKI/Trust Laboratory and the Institute for Security, Technology and Society.  Her research interests are at the intersection of human organizations and secure computer systems; she focuses particularly on access control, system usability at the enterprise level, and information security management practice and policy.  During her dissertation research she has partnered extensively with the healthcare and investment banking industries, and collaborates with research colleagues in business, sociology, psychology, and law.  In 2008 she co-edited “Insider Attack and Cyber Security: Beyond the Hacker,” a volume in Springer’s Advances in Information Security series.

Scout received her B.A. in Computer Science and French from Wellesley College in 2004.  In addition to computer security, she is an informal student of graphic design, fiber arts, and aviculture.