Quality in the Access to Information

In this paper we define access-control properties and metrics that are useful in evaluating the risk of using alternative authorization systems. We define a formal notation to express access-control models, and apply it to a subset of the most representative ones. This notation is used to evaluate analytically a set of properties on authorization systems, e.g., lower bounds of the minimum amount of information required to control access to information sources, performance of access-control schemes, and quality-of-access measurements. We define possible threats to access-control services, and describe how these attacks reflect the quality of an access function. We discuss the classical concept of suitability in the definition of access rights, claiming that it could be considered too conservative under certain circumstances of attacks. Finally, we prove that it is possible to evaluate analytically certain measurements of the performance and effectiveness of particular access-control models in specific threatening environments, rather than simply to rely on empirical results that are difficult to compare. These measurements provide an idea of the quality of an access-control model, at least comparatively.