Risk-Based Access Control Model: A Systematic Literature Review

: Most current access control models are rigid, as they are designed using static policies that always give the same outcome in di ﬀ erent circumstances. In addition, they cannot adapt to environmental changes and unpredicted situations. With dynamic systems such as the Internet of Things (IoT) with billions of things that are distributed everywhere, these access control models are obsolete. Hence, dynamic access control models are required. These models utilize not only access policies but also contextual and real-time information to determine the access decision. One of these dynamic models is the risk-based access control model. This model estimates the security risk value related to the access request dynamically to determine the access decision. Recently, the risk-based access control model has attracted the attention of several organizations and researchers to provide more ﬂexibility in accessing system resources. Therefore, this paper provides a systematic review and examination of the state-of-the-art of the risk-based access control model to provide a detailed understanding of the topic. Based on the selected search strategy, 44 articles (of 1044 articles) were chosen for a closer examination. Out of these articles, the contributions of the selected articles were summarized. In addition, the risk factors used to build the risk-based access control model were extracted and analyzed. Besides, the risk estimation techniques used to evaluate the risks of access control operations were identiﬁed.


Introduction
Security is the nightmare for almost all new technologies. Providing a secure system is not an easy task. One of the significant components to resolve security challenges is to build an efficient and effective access control model. This model is utilized to manage access to system resources by allowing only authorized users who have been authenticated successfully. An access control model comprises three main items: subject, target and rules. Subjects are system users who make the access request to access system resources (targets). Rules are utilized to make the access decision, whether granting or denying access [1,2]. The main purpose of the access control is to decline unauthorized users and reduce the tasks of authorized users on a certain device. In addition, it prevents the action that could trigger a security violation [3].
There are two classes of access control approaches: traditional and dynamic. Traditional access control approaches utilize rigid and predetermined policies to determine the access decision. These static policies provide the same decision in different circumstances. Therefore, this inflexible approach cannot provide a robust security method for various dynamic and distributed systems such as the Internet of Things (IoT) and cloud computing [4]. Alternatively, dynamic access control methods employ not only static policies but also dynamic and real-time features to make access decisions. These dynamic features can involve context, trust, history events, location, time, and security risk [5].
Risk-based access control model is one of the dynamic methods that utilize the security risk value related to each access request as a criterion to determine access decisions [1]. A risk-based access control model provides several benefits over current access models. For example, it delivers more flexibility and resilience while accessing system resources by utilizing dynamic and contextual features to determine the access decision. In addition, it considers the exceptional and unpredicted access requests that are essential for some applications such as healthcare and the military, where granting access can literally save thousands of lives [6]. The ultimate goal of the risk-based access control model is to produce a scheme that promotes information sharing to increase the organization's benefit and at the same time keeps users responsible for their activities and stops the anticipated damage due to sensitive information disclosure [4].
The objective of the paper is to present a systematic literature review and investigate the state-of-the-art of the risk-based access control model, which is one of the pillars toward designing a dynamic and adaptive access control model for distributed systems. Based on the selected search plan, 44 articles (of 1044 articles) were chosen for closer investigation. Out of the retrieved and analyzed articles, the risk factors utilized to design the risk-based access control model were extracted and analyzed. Besides, the risk estimation techniques used to evaluate security risks were identified. In addition, the contributions of the selected articles were summarized. As compared to other surveys, to the best of the authors' knowledge, this is the first paper that provides a systematic literature review for the risk-based access control model.
The contribution of this paper can be summarized as follows: • Reviewing recent studies of risk-based access control models by providing a summary of the contributions of each study.

•
Identifying and analyzing various risk factors used in recent risk-based access control models. • Determining and investigating different risk estimation techniques utilized in recent risk-based access control models.
The rest of this paper is structured as follows. Section 2 gives an overview of access control approaches; Section 3 introduces the risk-based access control model and its main components; Section 4 provides the research methodology; Section 5 presents the analysis of results; Section 6 presents a discussion to show how this systematic review answered proposed research questions, and Section 7 is the conclusion.

An Overview of Access Control
The key objective of the access control is to limit operations performed by authorized users. In addition, it prohibits any action that could trigger a security violation [1]. An effective access control model should fulfill the security demands of confidentiality, integrity, and availability [3]. It is essential to make a reasonable distinction between authentication, authorization, and access control. Authentication is the process of verifying the identity of a user [7], while allowing or denying access to an authenticated user to carry out particular tasks on particular resources is called authorization. Access control is the process of enforcing authorization policies. Once a user is authenticated and the authorization level is identified, access control is used to enforce user permissions to prevent the user/subject from accessing anything that he/she should not be able to [3].
The history of the phrase "Access Control" has started in transportation in the first half of the 20th century. The concept of the limited-access road was suggested in 1907 to control fast-growing motor traffic. Although early cars were not as fast as today's standard, car drivers were enforced to control their speed on highways. They were enforced to enter and exit via one-way ramps to control the access to highways, which led to a reduction in the probability of cross-traffic accidents and increases the speed of traffic flows [8].
Currently, access control is applied at diverse levels in several domains such as database management systems and operating systems to control resources and allow only legal users/subjects to use system resources in an authorized way. An access control model comprises of five core elements: subjects, actions, objects, privileges, and access policies [9].
• Subjects: represents various entities that can be user, agents, or processes that make an access request to access system resources (objects). • Objects: describes system resources encompassing data or information that needed to be accessed by subjects/users. • Actions: represents various types of actions or activities that subjects can perform on a particular object such as read, write, execute, etc. • Privileges: These are the permissions that are granted to subjects to be able to carry out a particular action on a particular object. • Access policies: These are a group of rules or procedures that specify the criteria needed to determine the access decision whether granting or denying access for each access request.
The flow of an access control process can be shown in Figure 1. The flow begins when a subject/user sends an access request to the access control manager to access a particular object. Then, the access control manager compares the subject's credentials against access policies to decide whether granting or denying access. If the access is granted, the access control manager will allow the user to access the object. While if the access is denied, the access control manager will send a warning message due to insufficient credentials and ask the subject to use sufficient credentials to be able to access the requested object [9]. There are many access control approaches, which can be categorized into two main groups: traditional and dynamic access control approaches.

Traditional Access Control Models
Traditional access control (also called classical or static) approaches utilize rigid and predetermined policies to determine the access decision. These static and rigid policies provide the same decision in different circumstances. Although traditional access control approaches were successfully applied in different environments to solve various problems, these approaches are designed to provide a relationship between information associated with an access control rule logic and a resource for which access is requested. The implementation of an access control approach is subject to manipulation, which can range from an unexpected situation, including poorly written access policies to several malicious entities acquiring access to a set of existing accounts. Therefore, traditional access control approaches provide a set of advantages, but they also have drawbacks. One of these drawbacks is that it cannot handle unpredicted situations as they are based on static and predefined policies [10]. This inflexible approach cannot provide a robust security method for various dynamic and distributed systems such as IoT and Cloud Computing, which need more flexibility in accessing system resources. Instead, this static approach can be the best solution in situations where there is no way to collect a contextual feature/attribute while making the access request, for example the operating system.
There are various traditional access control approaches including Access Control List (ACL), Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Role-Based Access Control (RBAC). ACL is a list of specific objects that involve lawful users together with their access permissions. ACLs are utilized in various systems, for example, UNIX systems. Although ACL is an efficient and effective model, it is not scalable, in which it cannot cope with a huge list of objects and subjects. For DAC, it is mainly built for multi-user databases and systems with few previously known users. Granting access in DAC is mainly based on the subject identity and authorization that are determined using open policies. This enables the object's owner to allow access to this object to any subject. For MAC, the level of sensitivity of objects is used to categorize objects into several sensitivity levels-for example, sensitive, not sensitive, confidential, etc. Each object has a label that specifies the sensitivity level of that object. In addition, each subject has a label that specifies the object the subject can access [11,12]. For RBAC, it involves three main components: users or subjects, roles (collections of permissions), and actions (activities performed on target resources) [13]. The basis of RBAC depends on roles, in which each role is accompanied by a set of access permissions. Each organization has several roles-for example, client, employee, manager, administrator, etc. A user can be a member of one or more roles, and a role can involve one or more users [14].

Dynamic Access Control Models
The core principle of dynamic access control models is that they consider not only access policies but also dynamic and contextual features that are collected at the time of the access request to make access decisions [15]. This provides more flexibility and can adjust to various situations and circumstances while making the access decision.
The need to adopt dynamic access control approaches should be one of the essential priorities to provide efficient and flexible access control model. However, most existing access methods are relying on static and rigid access policies and manual processes. These approaches are unable to provide a roadmap to improve automation significantly. This absence of automation results in a heavy involvement of human analysis that is error-prone and susceptible to various types of attacks based on social engineering. Additionally, current classical approaches have issues with resolving risks and threats in real time, especially when handling a previously unidentified threat. This is because these approaches make their access decision based on a set of policies built by a security analyst, who cannot resolve different access control situations in real time but can deal only with problems that were recognized before [16].
Instead of static policies, dynamic access methods use dynamic and real-time features to provide access decisions. These dynamic features can include trust, context, history, risk and operational need. Besides, these dynamic methods can adapt to different situations and circumstances at the time of deciding access decisions [5,17]. This dynamic access control approach can be valuable for several applications such as healthcare and the military, where considering exceptional access requests to provide the access can literally save thousands of lives. Table 1 provides a comparison between traditional and dynamic access control approaches.

Item
Traditional Access Control Dynamic Access Control

Features
It uses predetermined and static policies to determine the access decision.
It uses access policies and contextual features that are collected at the time of making the access request to determine the access decision.

Grant Decision
The access is granted only if it matches one of the rules in the access policy.
The access is granted based on the context and the policy. The decision can be overridden based on the context.

Deny Decision
The access is denied only if it does not match any rule in the access policy.
The access is denied based on the context and the policy. The change in the context can lead to changing the decision immediately.

Advantages
• Easy to understand, test, and maintain.

•
Faster to be produced.

•
Objective method, so the outcome is more accurate.

•
No contextual data is required, so it faster in making access decisions.
• Adapt to unpredicted situations and conditions that policies cannot expect. • Improve flexibility while accessing system resources.

•
Resolving risks and threats in real time, especially when handling a previously unidentified threat.

•
Can literally save lives in healthcare and military applications.

Weaknesses
• Cannot adapt to changes in situations and circumstances, which affect flexibility.

•
The policy is imperfect and do not have a plan for all contingencies, so many problems may arise.

Applications
The applications that do not have access to real-time features/attributes such as the operating system.
Various dynamic and distributed systems need dynamic access control to provide more flexibility including IoT and cloud applications, etc.
The security risk is one of the dynamic features that is used to build a risk-based access control model. The next section provides an overview of the risk-based access control model.

Risk-Based Access Control Model
Commonly, the risk is the possibility of loss or injury. It is about some incident that may arise in the future and cause losses. According to Elky [18], the risk is defined as "the possible damage that may arise from the existing operation or from some upcoming incident". The risk is found in numerous domains of our life. From the information technology security perspective, the security risk is defined as the damage that undesirably affects operation and its related information, while the process of understanding and mitigating against issues that may result in a breach of confidentiality, integrity, or availability of an information system is called risk management [18].
Security risk in the access control context can be defined as the possibility of information leakage and the value of this information that may occur from accessing system resources [1]. Risk-based access control model utilizes the security risk as a criterion to make the access decision for each access request. This model is based on estimating the security risk value associated with each access request dynamically, and it then uses the estimated risk value to decide whether granting or denying access [4]. Mathematically, the most popular formula to represent the risk in a quantitative form is the likelihood/ probability of an incident to occur multiplied by the impact regarding that incident [19].
There are several methods to build a risk-based access control model. These methods have certain common features from different models. The main elements of a risk-based access control model are shown in Figure 2. The risk-based access control model comprises three key modules. The risk estimation is the main module, which gets access requests from users, analyzes them, collects the required information of risk factors, and estimates the security risk value related to each access request. Then, the estimated risk value is compared against access policies to decide the access decision whether granting or denying the access [20].

Methodology
The risk-based access control model has several advantages in terms of flexibility and ability to provide an effective security model for dynamic systems. This systematic literature review is conducted to examine and investigate current research regarding risk-based access control models and explain the findings of the conducted review. A systematic literature review is mainly conducted as a way to specify, evaluate, and interpret all available research related to specific research questions, certain subjects, or phenomenon of interest [21].
Conducting a systematic literature review passed through five stages, as depicted in Figure 3. The first stage aims to formulate the research questions that the current review paper attempts to answer and then decide the criteria to include or exclude articles in the second stage to make sure that the selected articles are the best and most appropriate regarding the review objectives. The third stage is the main stage that discusses at length which different databases will be searched to locate relevant articles. The fourth stage analyzes the results and then in the fifth stage, the results of each research question will be discussed. This approach/methodology was adopted to make the reader fully aware of the stages of conducting this systematic literature review. The methodology was started by defining the research questions to have a specific target while reviewing multiple publications. Then, inclusion and exclusion criteria were presented to show how the retrieved publication are filtered to reach the target of the study. Data sources where publications were retrieved are also presented to show the digital libraries utilized to collect these publications. In addition, the selection of relevant articles is discussed. The adopted methodology has several advantages in which it aims to describe the full process utilized to reach the target of the study to make the reader fully aware of all the procedures conducted by the researcher. In addition, this approach was adopted in several previous systematic literature reviews. On the other hand, this approach produces some drawbacks in which it limits the scope of the review/study, which may not give all the information about a certain topic to the reader.

Research Questions
The current study/paper aims to answer the subsequent research questions: • RQ1: What are recent and peer-reviewed literature regarding risk-based access control models? • RQ2: What are the risk factors used to build risk-based access control models? • RQ3: What are risk estimation techniques employed in risk-based access control models?

Inclusion and Exclusion Criteria
Inclusion and exclusion criteria for selecting the appropriate research were employed. These criteria are mainly aimed to answer research questions and ensure designing efficient literature review. Inclusion criteria were:

Data Sources
Searches were carried out via digital libraries. This systematic review involved the following electronic databases: A keyword-based search was employed to collect the articles that relevant to the topic and research questions. The main keywords that were utilized involve:

Selection of Relevant Articles
Selecting relevant and recent studies with respect to the risk-based access control model started with 1044 articles collected from various online digital libraries that were decided in the previous section. The selection process on the collected publications was divided into three phases: • Phase 1: The results of the search and collected publications were filtered depending on the inclusion and exclusion criteria that were discussed in Section 4.2. The search conducted was not bounded by a specific range of years to be able to collect all relevant publications regarding risk-based access control models.
• Phase 2: The publications collected from various online digital libraries were assessed depending on the relevance of the publication to the topic and research questions by examining only the title and abstract. • Phase 3: The main purpose of this phase was to remove the duplicates of the collected publications from six different online digital libraries.

Analysis of Results
The inclusion and exclusion criteria were applied on the collected publications through three phases, as depicted in Figure 4. Based on the assessment through reading only the title and the abstract and its relevance to the research questions, 986 publications were excluded. In addition, the duplicates between different online digital databases were excluded, in which 32 duplicate publications were excluded. The search that was executed in six different well-known online databases enables us to collect, as much as possible, most of the publications that are relevant to risk-based access control models. The result of the collected publications from each online database and the resultant number of publications after applying the three selection phases can be shown in Table 2. The results show that Google Scholar was the richest data source of publications related to risk-based access control models. In addition, Figure 5 illustrates the number of articles published per year. The results show that the risk-based access control model started to attract the attention of the researcher after 2010. However, it is still an undiscovered area for multiple researchers. Given the steady number of publications in 2011, 2012, and 2013, we can see that the number of publications started to decrease, which reaches only one in 2019. In addition, Figure 6 categorizes retrieved publications regarding risk-based access control models into either journal or conference publication per year. The results show that most publications that match our research questions were conference publications. In addition, Table 3 contains basic information about the analyzed and selected publications, which involve a publication's ID, publication citation, publication type, and year of publication. All selected/retrieved articles were published in peer-reviewed journals and conference proceedings. Besides, the selected publications contain only 3 book chapters, which are also peer-reviewed.

Discussion
The risk-based access control model is one of the hot topics that many scholars are investigating to provide flexible, dynamic, and operative access control approach in distributed and dynamic systems. This paper can be a good starting point for such researchers to understand this model and review existing work related to proposed research questions. In this section, a discussion of the retrieved/analyzed publications was presented to show how the retrieved publications answered the proposed research questions. RQ1: What are recent and peer-reviewed literature regarding risk-based access control models?
To answer this research question, retrieved/analyzed publications that are related to risk-based access control models will be discussed. Recent and peer-review publication outlined risk-based access control models are discussed. Table 4 summarizes the contributions of each publication. Table 4. Summary of recent studies outlined risk-based access control models.

Summary of the Contributions of Each Publication
Chen et al. [4] This paper presented a risk-based model that is based on the Multi-Level Security (MLS) approach. The paper utilized the risk value resulted from the difference between object and subject security level as a risk factor. Then, the fuzzy logic system was applied to represent the risk as a binary value, where 0 allows the access and 1 denies the access.
Diep et al. [20] This paper presented the main elements needed to build a dynamic and flexible risk-based access control model by collecting environmental information, assess it, and make the access decision using a risk assessment.
Ni et al. [34] This paper used the same elements of the risk-based model proposed by Diep et al. [20] but with the use of the fuzzy logic system to estimates the risk value associated with the access request. They indicated that the fuzzy logic system is an efficient method for evaluating the security risks of access control operations. The major difference between both publications was the risk estimation technique adopted to assess the security risk of each access request.
Lee et al. [28] This paper provided a risk-based model by utilizing the risk assessment. The authors collected environmental and contextual information and assessed it based on outcomes of actions in term of CIA (Confidentiality, Integrity, and Availability). In addition, the MultiFactor Evaluation Process (MFEP) technique was utilized with the risk assessment to estimate the security risk value related to each access request to decide the access decision.
Chun and Atluri [50] This paper proposed a risk-based model that employs the concept of "access first and verify later"; hence, the required information/data can be accessed immediately without delaying access. The paper also utilized semantics to build situation role hierarchies, which are used to assess the security risk to provide access decisions.
McGraw et al. [32] This paper proposed a Risk-Adaptable Access Control (RAdAC) model, which is based on estimating the security risk and operational needs to grant or deny access. This model was implemented to first estimate the risk associated with the access request then compares the estimated risk with the access control policy. After that, the system verifies the operational needs, if the associated operational needs and the policy are met; then, the access is granted.
Kandala et al. [27] This paper utilized the Risk-Adaptable Access Control (RAdAC) model developed by McGraw et al. [32] to identify different risk components with the operational needs using the Attribute-Based Access Control (ABAC) model. This paper integrated the ABAC model with the risk-based model to use other user attributes as risk factors.
Molloy et al. [44] This paper reviewed open problems in risk-based access control systems and proposed using market approaches to identify the risk allocation and tolerance for each organization. The paper utilized the simulation to show the advantages of risk-based access control that promote security and information sharing.
Clark et al. [46] This paper presented a risk-based access control model and how it can overcome issues with uncertainty and time-varying security specifications. The paper utilized resource sensitivity as a probability distribution, security labels, and clearance level to estimate the risk using the fuzzy logic system in various real-world situations.

Summary of the Contributions of Each Publication
Helil et al. [47] This paper introduced a trust and risk-based access control model by combining trust and risk as risk factors to enhance data protection and information accessibility. Each user's trustworthiness and their related risk values were employed to decide the access decision.
Molloy et al. [33] This paper presented a new learning and risk-based architecture for distributed policy enforcement under uncertainty. The paper utilized learned classifiers of access control decisions to improve the accuracy of the access decision.
Rajbhandari and Snekkenes [39] This paper introduced a risk-based model that utilizes user's benefits rather than subjective probability as a risk factor to decide the access decision. The authors demonstrated that game theory can be used as a risk estimation approach to assess security risks.
Shaikh et al. [36] and Shaikh et al. [5] The paper [36] proposed a dynamic risk-based decision method. This method used the user past behavior with the risk history to estimates the security risk value associated with each access request. Besides, it gave reward and penalty points for subjects/users after completing a transaction based on the estimated risk value associated with the transaction. The work presented in [36] was extended in [5] to involve the process of implementing the risk estimation process to identify good and bad users based on their past behavior.
Wang and Jin [15] This paper proposed a quantified risk-based model. The risk value is estimated based on the purpose of access to different data sensitivity levels. The risk estimation process was performed by employing the concept of Shannon entropy from information theory. A prototype using medical history records was utilized to illustrate the efficiency of their suggested model.

Abie and Balasingham [35]
This paper implemented the concept of security risks to identify access decisions by proposing a risk-based adaptive security framework that employs the game theory as the risk estimation method to asses risk loses and their future benefits by collecting contextual information in the healthcare environment.
Arias-Cabarcos et al. [25] This paper utilized the risk-based access control model in the federated identity management process in cloud computing. It utilized the security risk to provide the access decision and diminish weaknesses and risks when access decisions about collaboration are made. The paper also proposed a hierarchical risk aggregation system for cloud federation.
Chen and Crampton [57] This paper incorporated the security risk with RBAC to build a risk-aware role-based access control model. In addition, the paper discussed the issues in the proposed risk-aware model and its implementation procedures.
Molloy et al. [38] This paper utilized the risk-based access control model to make access decisions by utilizing the benefits of access as a risk factor. The paper also proposed an improved model that uses learned classifiers to provide efficient and accurate access decisions.
Sharma et al. [40] This paper presented a task-based access control model that estimates the risk value based on the action to be performed by the requester. The risk estimation process evaluates the risk using outcomes of actions to make the access decision.
Baracaldo and Joshi [26] This paper proposed a framework that extends the RBAC model to incorporate trust with risk to provide the access decision. The authors argued that their framework can be adjusted to different changes in users' behavior by using a threshold value that is defined using a risk assessment process.
Badar et al. [48] This paper proposed utilizing classification to assess the risk value related to each access request. The paper presented two approaches; the first approach presented an access control matrix to evaluate the risk of granting access depending on user-permission assignments. The second approach specified the best contextual role that provides the lowest risk and allows maximum accessibility by integrating security risk with RBAC.
Bijon et al. [13] This paper proposed a framework that combines the RBAC with the security risk to specify access decisions. The paper introduced the concept of RBAC-based risk-awareness and also provided a formal description of an adaptive risk-aware RBAC model.

Summary of the Contributions of Each Publication
Dos Santos et al. [37] This paper presented a dynamic risk-based model to achieve a highly scalable system in a cloud federation. In addition, the paper introduced a prototype implementation for the proposed model to show the effectiveness of their suggested model.
Khambhammettu et al. [6] This paper presented a framework depending on subject trustworthiness, object sensitivity, and the difference between them using a risk assessment. However, this framework requires a system administrator with broad experience to provide a sensible metric for each input before conducting the risk assessment process.
Li et al. [24] This paper utilized the fuzzy logic system to estimate the risk associated with access to healthcare information. Three risk factors involving action severity, data sensitivity, and risk history were utilized. In addition, a fuzzy risk metric is assigned to each risk factor to decide whether granting or denying access.
Burnett et al. [53] This paper proposed a trust and risk-aware access control model that provides policy coverage and dynamic access decisions. The paper defined a zone policy model that allows the data owner to have total control over his/her own data. Trust is used to define the verification of whether the requester respected the obligations that are assigned to him/her or not. The paper also utilized a probabilistic computational trust model, called subjective logic, to formulate their trust assessment. The risk estimation was done using a classic method of defining expected loss in term of unwanted disclosure.
Babu and Bhanu [45] This paper proposed building a trust and risk-based access control model to provide access decisions in cloud computing. The paper introduced a privilege management procedure that combines the security risk with trust to create an efficient and scalable access control system.
Choi et al. [23] This paper presented a framework for a context-sensitive risk-based model for medical information systems. This framework categorized information to calculate the risk value and apply the risk through treatment-based permission profiling and specifications. This framework provided the access decision based on the severity of the context and treatment.
Namitha et al. [31] This paper implemented a risk-based access control model based on user features including years of experience, designation, defect level, location index, time index, and probationary period and estimate the risk value using a mathematical function.
Armando et al. [56] This paper proposed a framework that integrates the risk with trust to provide access decisions. The access decision is determined by comparing the risk value with the trust, in which the access is granted if the trust value is higher than the risk value. The paper also presented mitigation strategies to increase the trust level and reduce the risk.
Diaz-Lopez et al. [30] This paper presented a risk-based access control model that adopted dynamic countermeasures to adjust to various changes in the risk value of system resources. The paper utilized genetic algorithms to build the most suitable set of countermeasures for a specific situation.
Dos Santos et al. [1] and Dos Santos et al. [22] The paper [1] proposed a risk-based access control model that uses the idea of quantifying risk and aggregating them to decide access decisions. The risk value is mainly evaluated based on predetermined risk policies that are created either by the system security administrator or the resource owner. Further, a prototype of this model is created using risk metrics provided in the work of Sharma et al. [40]. This work was extended in [22] to develop an ontology-based method to estimate the risk value depending on the context and adjusting values of risk metrics and using predetermined access policies to make the access decision.
Metoui et al. [49] and Metoui et al. [52] The paper [49] proposed a risk-aware framework that combines the privacy risk with the user trust to identify threats related to each access request. The access decision is determined by comparing the privacy-risk with the user trust in which if the user trust is higher than the privacy risk, the access will be granted. Otherwise, access will be denied. This work was extended in [52] to implement the risk estimation process based on privacy risk and user trust. In addition, several access scenarios were presented to show the effectiveness of their proposed risk estimation approach. The paper [52] also introduced adaptive adjustment strategies to increase the trust level and reduce privacy risk.

Summary of the Contributions of Each Publication
Atlam et al. [41], Atlam et al. [42] and Atlam and Wills [29] The paper proposed [41] a dynamic and adaptive risk-based access control model by using user context, resource sensitivity, action severity, and risk history to compute the security risk value related to each access request. The paper also proposed using a smart contract to track user behavior during access sessions to detect and prevent malicious actions. This work was extended in [42] to show the validation of the proposed risk-based model using 20 security experts. In addition, the paper [42] discussed some of the risk estimation techniques and proposed the fuzzy logic system as the most appropriate approach for the IoT context where there are no available datasets. This work was extended in [29] to propose the fuzzy logic system with expert judgement as the risk estimation method to implement their proposed risk-based model. The paper showed a detailed description of using the fuzzy logic system to estimate the security risk value associated with each access request, showing the access control scenarios of the network router.
Atlam et al. [9] The paper introduced eXtensible Access Control Markup Language (XACML) as the suitable language for implementing access control policies for the IoT system. In addition, the paper adopted XACML to build the access policies for the risk-based access control model.
Atlam et al. [43] This paper provided an overview of risk estimation techniques in risk-based access control for the IoT. The paper discussed the benefits and drawbacks of various quantitative risk estimation techniques that are required to implement a risk-based access control model.

Dankar et al. [54]
This paper proposed a conceptual risk-aware model, which utilizes real-time and contextual information in the surrounding environment to make the access decision. The paper also implemented some mitigation measures to enforce the access decision in case of having a high-risk value in the access request.
Rahmati et al. [51] This paper introduced a risk-based access control model to build a system called Tyche, which is a system that controls the risk in physical devices. Tyche presents the concept of risk-based access decisions in which it classifies various applications into several risk groups. Then, each risk group has a set of permissions based on the risk value.

RQ2: What are the risk factors used to build risk-based access control models?
One of the essential parts of a risk-based access control model is to choose the effective risk factors that determine access decisions efficiently. Many risk factors can be used to estimate the risk value associated with the access request to make the access decision dynamically and efficiently. To answer this research question, risk factors utilized in recent risk-based access control models were reviewed. Then, a brief overview of these risk factors is provided. This is followed by showing the risk factors extracted from retrieved/analyzed publications, as depicted in Table 5.
• Subject Clearance (Role): It represents the subject security level acquired from the system administrator. The most popular clearances in the military are Top Secret, Secret, Confidential, and no clearance. Different access permissions are granted according to the subject role in the organization. Each role is associated with certain permissions [58]. The higher the clearance granted, the lower the associated risk value. • Resource Sensitivity: It describes the sensitivity level of resources the user wants to access. Different sensitivity levels have different risk values. The higher the resource sensitivity, the higher the risk value if the access is granted to this resource [24]. Trust is classified into two categories: identity and behavioral trust. Identity trust is concerned with validating the authenticity of an object and focuses on objective credentials. While behavioral trust works with the entity's trustworthiness, which depends on certain contexts [59]. In risk-based access control models, only behavioral trust is used. • Benefits of User: It describes any sort of advantages/privileges the user will get when the access is granted. It also represents what will be the damage that will happen for the user if the access was denied [4].

•
Outcomes of Actions: The access control system has inputs, consisting of the action and list of consequence outcomes of the action. Each outcome may occur in some specific contexts, consisting of principle context, environment context, and resource context. The outcome of actions estimates the risk of each of these contexts [20]. • Context: It signifies the real-time and environmental information that can be collected while making the access request. Contexts features are utilized to specify the security risk value related to each access request. Location and time are the most popular contexts [41]. • Access Policies: They are primarily utilized by the access control manager (risk estimation module in the risk-based access control model) to specify access decisions. These policies are designed by the resource owner or security system administrator to classify terms and situations of granting or denying access to a particular resource. In the risk-based control model, the estimated risk value resulted from the risk estimation module is compared against risk policies to decide whether granting or denying access [41].  - The results show that risk factors used to implement risk-based access control models are significantly based on the context where the risk-based access control model will be deployed. However, several risk factors can be applied in various contexts. Reviewing risk factors used in risk-based access control models of retrieved publications reveal that "Risk History" was the dominant risk factor in most risk-based access control models in which it was adopted in 18 publications, as depicted in Figure 7. This should be normal or expected, as any risk model would or should use their previous risk values given to a user/subject to assess their current and future access. In addition, the context was one of the significant risk factors used in 14 publications. Using the context as a risk factor in risk-based access control models customizes the risk model to a specific application and adds the flexibility needed for these access control models to be able to adapt to their environment. Resource sensitivity and trust were adopted in 12 and 11 risk-based models, respectively. As a conclusion, determining the appropriate risk factors for building a risk-based access control model is significantly based on the application and environment where this model will be deployed. It also depends on the availability of data for such a risk factor to be able to use it to calculate the overall security risk value associated with the access request to determine the access decision.

RQ3: What are risk estimation techniques employed in risk-based access control models?
The vital stage of implementing a risk-based access control model is the risk estimation process. This process is based on estimating the likelihood of information leakage and the value of that information. The main purpose of the risk estimation process is to build a method to arrange risks based on their priorities and use risk values to make access decisions following a specific context.
There are several challenges associated with the risk estimation process. For example, the key purpose of the risk estimation process is to forecast the future likelihood of information leakage and the impact of such leakage on system resources. Defining such a likelihood is not an easy job [60]. Moreover, if the risk estimation process is based on imprecise or incomplete information, it will result in complications and problems to identify the value of information [31].
Determining the suitable risk estimation technique for building a risk-based access control models is not an easy task, as there are many things that should be taken into consideration: for instance, the availability of data that describe the risk likelihood and its impact. In addition, in the access control context, the security risk value will be used to determine the access decision whether granting or denying access, which requires having a precise and accurate quantitative/numeric risk value.
This section answers the third research question by investigating and reviewing various risk estimation techniques utilized in risk-based access control models of retrieved/analyzed publications, as shown in Table 6.
As discussed earlier, one of the challenges of implementing a reliable and effective risk-based access control model is to determine the risk estimation technique that produces accurate and precise risk values to determine the access decision. However, due to the unavailability of datasets that describe risk likelihood and its impact, most publications did not discuss a clear method to assess the security risks of each access request. This reflected on having 18 publications from retrieved papers without a risk estimation process.
On the other hand, there are 8 publications that proposed a mathematical equation based on relationships between input and output variables to estimate the risk. However, these mathematical equations are variable dependent and cannot be adopted in different environments. In the same way, there are 7 publications that proposed the fuzzy logic system for the risk estimation process. However, the major issue in that method is the subjectivity and the need for domain experts to define fuzzy variables and build fuzzy rules. In addition, there are 7 publications that utilized the risk assessment to determine risks and assign them priorities. However, the risk assessment itself cannot provide a numeric risk value that can be used to make the access decision. For the machine learning and game theory as risk estimation methods, there are a few publications that discussed these methods. This is due to the lack of datasets that are required for training and testing phases in machine learning and for building appropriate strategies in game theory.
As discussed, providing a dataset that describe risk likelihood and its impact on a specific context is one of the key issues of implementing risk-based access control models. We encourage various researchers to build and share different datasets regarding risk-based access control models that can improve the performance and add learning ability to current risk-based access control models. Having datasets that consider different risk factors in different domains can help researchers improve and optimize their current risk-based models. There are no specific criteria for a dataset for the risk-based access control model except it should provide quantitative values of risk likelihood and its impact for a set of access control scenarios in a specific context with the specifying risk factors adopted. Table 6. Risk estimation techniques used in retrieved/analyzed publications of risk-based access control models.

Conclusions
Current access control models provide a static way to provide access decisions for various applications. However, an access control model for a dynamic and distributed system should rely on contextual and real-time data. With billions of sensors and devices in our environment, contextual information can be collected and utilized in the access control process, which can provide what is called dynamic access control models. One of these dynamic models is the risk-based access control model. This model is capable of providing the access decision dynamically by estimating the security risk value associated with the access request. The risk-based access control model can provide several benefits for several trending technologies such as IoT, cloud computing, etc. This paper presented a systematic literature review and analysis of the state-of-the-art of the risk-based access control model to provide a detailed understanding of the topic. Based on the selected search strategy, 44 articles (of 1044 articles) were chosen for a closer examination in terms of recent risk-based models, risk factors, and risk estimation techniques. The results provided a summarized version of selected articles to give the reader a basic view of different risk-based access control models from the perspective of various researchers. Although there are several risk factors that can be applied in various contexts-for example, risk history, which was adopted in 18 publications-the results show that risk factors used to implement risk-based access control models are significantly based on the context/domain. In addition, the results demonstrated that providing an efficient and accurate risk estimation technique that can be applied in different domains is one of the major issues of implementing risk-based access control models. Although some risk estimation approaches can work well such as decision tree, the lack of a dataset to represent the likelihood and impact of each risk scenario in a specific context is the key problem.