DeSPoT: A Method for the Development and Specification of Policies for Trust Negotiation

Information systems are ever more connected to the Internet, which gives wide opportunities for interacting with other actors, systems and resources and for exploiting the open and vast marked. This pushes the limits for security mechanisms which in general are too rigorous to fully adapt to such a dynamic and heterogeneous environment. Trust mechanisms can supplement the security mechanisms in this situation to reduce the risk by means of trusted evidences. We propose DeSPoT, a method for the development and specification of policies for trust negotiation. The method supports the capturing of requirements for the trust policy as a specification of acceptable risk, and the specification of trust policies that fulfill the requirements. DeSPoT is created to be easy to use for business level experts, yet demonstrated in an industrial study to be useful for those who develop and maintain the system conducting trust negotiation within acceptable risk. Adherence to a DeSPoT policy should ensure that the target fulfills the organizational level requirements to the trust behavior, and that the target is not exposed to unacceptable risk. The paper gives an example-driven presentation of the method.

Oppdragsgiver: Research Council og Norway