Evaluating the comprehensive complexity of authorization-based access control policies using quantitative metrics

Access control models allow flexible authoring and management of security policies, using high-level statements. They enable the expression of structured and expressive policies. However, they have an impact on the policy characteristics. The complexity of such policies is one of the affected characteristics. We propose a series of quantitative metrics to assess comprehensive complexity of policies. By comprehensive, we mean the difficulty of understanding a policy by administrators. We formalize the concepts of authorization-based access control models, to propose general metrics regardless of the model. We also show the application of the proposed metrics through a content management system (CMS) policy example. We outline a proof-of-concept to evaluate the feasibility of our proposal, based on SELinux policies for a general-purpose CMS.