Integrating Trust-Based Adaptive Security Framework with Risk Mitigation to enhance SaaS User Identity and Access Control based on User Behavior

Akpotor Scott, Johnson

January 2022

In recent years, the emerging trends in cloud computing technologies have given rise to different computing services through the Internet. Organizations across the globe have seized this opportunity as a critical business driver for computing resource access and utilities that will indeed support significant business operations. Embracing SaaS as a crucial business factor enhances corporate business strategy through economies of scale, easy manageability, cost-effectiveness, non-geographical dependence, high reliability, flexible resources, and fast innovation. However, this has also come with various risks due to the limitation of traditional user identity and access control solutions’ inability to effectively identify and manage cloud users’ authorization process when interacting with the cloud. The limit can result in a legitimate user account's impersonation to carry out malicious activities after the user account is compromised to go undetected since traditional solutions seldom function based on user behavior trust level behind any account. Furthermore, the limitation is a significant vulnerability to the cloud environment. This vulnerability is known to be exploited by threats that can eventually lead to substantial unacceptable risks that can undermine security principles or requirements such as confidentiality, integrity, and availability. Significant consequences of this risk are categorized into financial damages, legal implications, reputational damages, and regulatory implications to the cloud environment. As a result, a solution that could contribute to the remediation of these potential risks incurred due to the limitation of user identity and access control management was proposed and designed as User Behavior Trust-Based Adaptive Security framework. The design aims to enhance how cloud users' identity and access control might be managed effectively based on a user behavior trust context and adaptation of corresponding access control measures through adaptive security. The design capability was manifested by integrating it into the standard ISO/2705:2018 Risk Management process. Although, there have been several good information security frameworks such as ISO/IEC 27005:2018 and other technical countermeasures such as SaaS Identity & Access Management (IDaaS) to deal with this risk on the public cloud services. However, they are based on static mitigation approaches, so there is a solid need to shift towards a more dynamic strategical approach. The presented design work, User Behavior Trust-Based Adaptive Security framework, intends to serve as a proposed guideline for risk mitigation that would enhance user identity and access control limitations across the cloud. The solution functions by a trust modeling process that evaluates cloud user activities to compute a user behavior comprehensive trust degree. The resulting data is further used as input feeds parameters into a policy decision point process. The policy decision point process adapts the input parameters to user behavior trust level and behavior risk rating to determine the appropriate access control decision. Ultimately, the adaptive security solution consults the policy decision points to dynamically enforce the corresponding controls measures based on the access control decision received as input feed. The report also conducts a risk assessment process to identify vulnerabilities, threats, and risks related to user behavior trust level and risk rating regarding SaaS resources. Then adapt the mitigation solution, User Behavior Trust-Based Adaptive Security framework, as a possible risk treatment within the risk management process ISO/2705:2018. This report uses a design methodology derived from User Behavior Trust Modelling scientific research work, Gartner Adaptive Security Architecture Model, and eXtensible Access Control Markup Language's policy decision point concept. The design evaluates user behavior trust level by the trust modeling, while the integrated policy decision point processes the trust level to make the access control decision which is later enforced by the adaptive security solution. The report further adapts the risk management procedure ISO/2705:2018 to identify risk from user behavior and trust level, then implements the design solution as a possible risk treatment. The research findings were documented as Results and Discussion, where the functional and operational aspects of the designed framework were provided. In addition, the effects of applying the framework as a possible risk treatment solution were observed through conducting an ISO/2705:2018 risk management procedure. The notable outcome of a reduction of identified risk levels was an improvement in user attitude or behavior, which eventually increased user behavior trust level and reduced associated behavior risk. At the same time, the discussion detailed the interpretation of the results, implications, and limitation of the research, why the framework could be considered a remediation solution beyond the state-of-the-art for cloud user identity and access management—precisely by integrating user behavior, trust, policy decision making with adaptive security into risk management process to reduce IDM-associated risk in the SaaS. Finally, this study has outlined the significance of adopting the designed framework as a possible mitigation solution to enhance the shortcomings of user identity and access control management in the cloud. It has demonstrated that SaaS identified risk can be reduced to an acceptable level when user behavior and activities are taken seriously. Insight into the current trust state and associated risk level of cloud users are vital for continuous risk monitoring and reduction. The solution is to be used as a recommended guideline that might significantly contribute to the research community and information security field of cloud security. Future research direction to consider the possibility of simulating and transforming this conceptual and abstract framework into a real-world working solution due to research work limitations. The framework was designed based on recognized and accepted scientific and technological principles and concepts, from user behavior trust modeling, eXtensible access control markup language, and adaptive security architecture. In addition, to extend this concept to a future research area that will focus exclusively on application-processes behavior.

Risk Assessment

Security countermeasure

Risk Management

Risk Mitigation

Adaptive Security Controls

Threats

Risk

Vulnerabilities

User Behavior Trust Degree

User Behavior Risk Rating

Policy Decision Point

Policy Enforcement Point

User Behavior Trust Model

Adaptive Security Architecture

SaaS

Public Cloud.

Computer Systems

Datorsystem

Telecommunications

Telekommunikation

Communication Systems

Kommunikationssystem

Annan elektroteknik och elektronik

Mitigating fraud in South African medical schemes

Legotlo, Tsholofelo Gladys

10 1900

The medical scheme industry in South Africa is competitive in relation to international standards. The medical scheme sector, as part of the healthcare industry, is negatively affected by the high rate of fraud perpetrated by providers, members and syndicates, which results in medical schemes funding fraudulent claims. The purpose of the study was to explore strategies to mitigate fraud in medical scheme claims. A qualitative research methodology was followed in this study, which adopted a case study approach. Empirical data was analysed through thematic analysis, with the aid of ATLAS.ti software. The study found that healthcare service providers mainly defraud medical schemes by submitting false claims. A holistic approach should be followed to mitigate fraud in medical scheme claims. This approach should encompass regularly identifying trends in fraudulent claims and implementing appropriate control strategies. Collaboration within the medical scheme industry and with other stakeholders would also help to elevate the fight against medical scheme fraud to a new level. Implementing the recommendations from the study will assist medical schemes to reduce the funds expended on fraudulent claims, thereby improving their financial viability and decreasing the rate of increase in medical scheme contributions for members. / Business Management / M. Com. (Business Management)

South Africa

Healthcare

Medical schemes

Fraud

Healthcare fraud

Operational risk

Qualitative

Case study

Thematic analysis

ATLAS.ti

Risk mitigation

658.4730968

Fraud -- South Africa

Fraud -- South Africa -- Prevention

Forensic accounting -- South Africa

Risk management -- South Africa

Fraud investigation -- South Africa

Economics of nitrogen fertilization: Site-specific application, risk implications, and greenhouse gas emissions

Karatay, Yusuf Nadi

18 February 2020

In Anbetracht des Kompromisses zwischen der Erzielung des höchsten Gewinns und der geringsten Umweltbelastung ist ein tiefes Verständnis der ökonomischen Folgen der Stickstoff (N) Düngung erforderlich. Die vorliegende Doktorarbeit liefert umfassende Einblicke in (i) die Auswirkungen des standortspezifischen N-Managements (SSNM) auf die Rentabilität und Risikominderung, (ii) die Auswirkungen von Unsicherheiten und Risikoeinflüssen auf optimale N-Düngergaben und (iii) das Potenzial und die Kosten der Vermeidung von Treibhausgas (THG) Emissionen durch N-Düngereduktion. Ein Modellierungsansatz wurde entwickelt, um die Wirkung von Ertrag und Proteingehalt, Wirtschafts- und Risikoauswirkungen sowie THG-Emissionen auf die N-Düngung zu simulieren. Die Ergebnisse der Arbeit zeigen, dass SSNM die Wirtschaftlichkeit verbessert, indem es eine höhere Weizenqualität und damit Preisprämien erzielt. SSNM reduziert das Risiko, die Backqualität nicht zu erreichen, und es gibt keine wesentlichen Nachteile beim Verlustrisikomanagement im Vergleich zum einheitlichen Management. Preisprämien für eine höhere Weizenqualität bieten Anreize für höhere N-Düngergaben. Prämien verflachen die Gewinnfunktion weiter, was unzureichende Argumente für eine Absenkung des N-Inputs aus der Wirtschaftlichkeitssicht liefert, selbst bei einer hohen Risikoaversion der Landwirte. Eine moderate Reduzierung der mineralischen N-Düngung kann die THG-Emissionen bei moderaten Opportunitätskosten mindern. Die THG-Vermeidung durch N-Düngereduktion in einer bestimmten Region kann unter Berücksichtigung kultur- und ertragszonenspezifischer Ertragswirkungen optimiert werden. Insgesamt liefert diese Arbeit wichtige Erkenntnisse über die Chancen und Nachteile der Anpassung der N-Düngergaben. Darüber hinaus leistet sie einen direkten Beitrag zur Identifizierung von kosten- und risikoeffizienten N-Managementoptionen und bildet die Grundlage für effektive politische Ansätze zur THG-Vermeidung durch selektive N-Düngereduktion. / Considering the tradeoff between achieving the highest profit and causing the lowest environmental impact, there is a need for a profound understanding of the economic consequences of nitrogen (N) fertilizer application. The present doctoral research provides comprehensive insights into (i) effects of site-specific N management (SSNM) on profitability and risk mitigation; (ii) impacts of uncertainties and risk implications on optimal N fertilizer rates; and (iii) potential and costs of mitigating greenhouse gas (GHG) emissions by N fertilizer reduction. A modelling approach was developed to simulate the response of yield, protein, economic and risk implications, and GHG emissions to N fertilizer application. Findings of the thesis show that SSNM improves profitability by achieving higher grain quality, thus, price premiums. SSNM reduces the risk of not reaching the baking grain quality and poses no considerable disadvantage on downside risk management compared to uniform management. Price premiums for higher wheat quality provide incentives for higher N input rates. Premiums further flatten the profit function, giving insufficient arguments for lowering N input from a farm profitability perspective, even in presence of high risk aversion of farmers. Moderate reduction of mineral N fertilizer can mitigate GHG emissions at moderate opportunity costs. GHG mitigation by N fertilizer reduction in a given region can be optimized considering crop and yield-zone-specific yield responses. Overall, this thesis provides important insights on chances and drawbacks of adjusting N fertilizer rates. Moreover, it makes a direct contribution in identifying cost- and risk-efficient N management options and provides a basis for effective policy approaches to reduce GHG emissions by selective N fertilizer reduction.

Reaktiver Stickstoff

Stickstoffdünger

N-Mineralisation

Ertragsfunktion

Präzisionsackerbau

teilflächenspezifische Düngung

variable Düngung

Ertragskartierung

N-Sensor

Wirtschaftlichkeit

komparative Kostenvorteile

Risikovermeidung

Monte Carlo Simulation

THG-Emissionen

Klimawandel

Vermeidungskosten

Reactive nitrogen

N fertilizer

N mineralization

yield response function

precision farming

site-specific application

variable rate application

yield mapping

N sensor

profitability

comparative advantage

risk mitigation

Monte Carlo simulation

GHG emissions

climate change

abatement costs

ZB 92100

ZC 17800

ZD 69200

ddc:630