The Economic Impact of Role-Based Access Control


Information technology has enabled U.S. businesses to improve their employees’ productivity, integrate their supply chains, and automate and improve their interactions with customers. Increasingly, functions such as inventory management, invoice payments, and customer support are handled over intranets and the Internet. As organizations increase the functionality and information offered on internal and external networks, controlling access to information and other resources becomes more complex and costly. In addition, security failures can disrupt an organization’s operations and can have financial, legal, human safety, personal privacy, and public confidence impacts.
Access control systems within a computer network are used to control the actions, functions, applications, and operations of legitimate users within an organization and to protect the integrity of the information stored within the system. Role-based access control (RBAC) is a relatively new access control system that maps to organization-specific structures in a way that reduces direct and indirect administrative costs and improves security.
The National Institute of Standards and Technology (NIST) began working on RBAC in the early 1990s after a study of federal agency security needs identified the need to develop a better method for managing large networked systems and complex access issues (Ferraiolo, Gilbert, and Lynch, 1992). Over the past decade, NIST’s RBAC project has made significant contributions to the development and adoption of RBAC through publishing in the professional literature, sponsoring conferences and outreach projects, and supplying infrastructure tools to industry.
The objective of this study was to conduct a microeconomic impact assessment of (1) the benefits of RBAC relative to alternative access control systems, and (2) the economic return from the NIST/Information Technology Laboratory (ITL) RBAC project’s contributions to the development and adoption of RBAC.
Based on interviews with software developers and companies using RBAC-enabled products, we projected that the net present value of RBAC through 2006 will be approximately $671 million. NIST’s contributions were estimated to account for 44 percent of the benefits of RBAC, leading to a social rate of return to the NIST/RBAC project of approximately 62 percent.