Towards open data-driven evaluation of access control policies

Modern approaches towards the understanding of the behaviour of systems and policies have recently been driven by the abundance of open and non-open data moving away from the classical model-based approaches, in which data were secondary to the solution. In this paper, we present a similar approach by suggesting that the analysis of the risk probability for access control and security policies can be based on an empirical data-driven study. We outline a constraint-based approach that allows organisations to examine policies in light of the probabilities of internal actors damaging organisational assets. Our approach is validated using Verizon's open community dataset for security incidents, known as VERIS/VCDB.