Attribute-based access control (ABAC)


Which of the following provides the most flexible access control?

A. A subject asserting unmarried
B. A subject with the Top Secret clearance
C. A subject with need-to-know
D. A subject assigned to the Admin role

Kindly be reminded that the recommended answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications. 

The recommended answer is A, A subject asserting unmarried.

This question is designed to help you understand the characteristics of the common access control mechanisms as follows:

  • A subject asserting unmarried ⇒ Attribute-based access control (ABAC)
  • A subject with the Top Secret clearance ⇒ Mandatory access control (MAC)
  • A subject with need-to-know ⇒ Discretionary access control (DAC)
  • A subject assigned to the Admin role ⇒ Role-based access control (RBAC)

An access control mechanism comprises three parts: authentication, authorization, and accounting. A subject is a user or principal that has completed the identification process and whose identity has been authenticated.

A subject’s access to objects must be authorized. ABAC, MAC, DAC, and RBAC can enforce the authorization process.

Attribute-based access control (ABAC)

An entity comes with attributes. For example, a user is an entity with attributes such as Full Name, Marital Status, Gender, and Age, to name a few.

Privileges can be granted based on attributes. For example, access to the Corporate Bonus Mileage Program, a web page, is granted to those members who are female (gender), married (marital status) and come from Taiwan (nationality).

A subject’s attributes, which shape its claims or assertions, are dynamic in nature. ABAC is therefore the most flexible of the four mechanisms for implementing authorization.

Mandatory access control (MAC)

MAC is based on the subject’s security clearance and the object’s classification level, or label. A security clearance is determined through a formal process. Both security clearance and object label are hard to change.

Discretionary access control (DAC)

DAC is based on the Access Control Matrix, a two-dimensional matrix with subjects on the rows and objects on the columns. A row is a subject’s capability list; a column is an object’s access control list.

The granularity of DAC is at the entity level (subject or object). ABAC is at the attribute level.

Role-based access control (RBAC)

As the name suggests, RBAC is based on roles. A role is a named collection of predefined permissions and rights; it usually maps to the organizational structure.

A user assigned a role is automatically granted the role’s predefined permissions and rights, which reduces the administrative burden compared with DAC. Because the permissions and rights are predefined, or sometimes hard-coded, they are not convenient to change.


The concept of flexibility is not rigidly defined in the question, as the question is designed to help you understand the characteristics of the common access control mechanisms. You can evaluate flexibility in terms of granularity of criteria, convenience to change, and administrative or implementation burden.
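To make the granularity comparison concrete, here is an added example (not code from the original post) that models the four mechanisms from the question as small decision functions. The Bonus Mileage policy, the clearance levels, the matrix contents and the roles are all constructed for illustration.

```python
"""Added example (not from the original post): the four mechanisms from the
question, modelled as small decision functions so their granularity can be
compared. All policies, names and subjects are constructed for illustration."""

# --- ABAC: the decision is a predicate over the subject's current attributes ---
BONUS_MILEAGE_POLICY = {"gender": "female", "marital_status": "married",
                        "nationality": "Taiwan"}   # constructed from the post's example

def abac_allow(policy, subject_attrs):
    """Allow only if every attribute the policy names matches the subject's
    asserted value; changing an attribute changes the decision at once."""
    return all(subject_attrs.get(k) == v for k, v in policy.items())

# --- MAC: the subject's clearance must dominate the object's label ---
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

def mac_allow(clearance, label):
    """Read-down rule: a clearance at or above the label grants access."""
    return LEVELS[clearance] >= LEVELS[label]

# --- DAC: access control matrix; a row is a capability list, a column an ACL ---
class AccessMatrix:
    def __init__(self):
        self.cells = {}                       # (subject, object) -> set of rights

    def grant(self, subject, obj, right):     # the owner changes one cell at a time
        self.cells.setdefault((subject, obj), set()).add(right)

    def allow(self, subject, obj, right):
        return right in self.cells.get((subject, obj), set())

    def capability(self, subject):            # the subject's row
        return {o: r for (s, o), r in self.cells.items() if s == subject}

    def acl(self, obj):                       # the object's column
        return {s: r for (s, o), r in self.cells.items() if o == obj}

# --- RBAC: permissions are attached to the role, and the user to the role ---
ROLE_PERMS = {"Admin": {"read", "write", "delete"}, "Auditor": {"read"}}

def rbac_allow(user_roles, permission):
    """A user holds every permission predefined for any role assigned to them."""
    return any(permission in ROLE_PERMS.get(r, set()) for r in user_roles)

if __name__ == "__main__":
    alice = {"gender": "female", "marital_status": "married", "nationality": "Taiwan"}
    print(abac_allow(BONUS_MILEAGE_POLICY, alice))          # True
    alice["marital_status"] = "single"                      # attribute changed
    print(abac_allow(BONUS_MILEAGE_POLICY, alice))          # False, no policy edit needed
```

Note how the ABAC decision follows the subject's attribute the moment it changes, whereas the MAC, DAC and RBAC decisions only change when an administrator or owner edits a clearance, a matrix cell or a role assignment.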


The CISSP CBK 5th Edition


Under Development…


  • Domain 1
    • The CIA Triad is extended to the Parkerian Hexad
    • Security Governance is highly simplified (almost cut off)
    • Cyber Warfare and Cyberthreat Information Sharing are introduced
    • Headings of topic 1.4 (Understand legal and regulatory issues that pertain to information security in a global context) are not adequately organized
    • Privacy is well explained
    • Policy is well explained
    • Business Continuity is well organized and addressed
    • The explicit official definition of risk from ISC2 is given
    • Risk Management Concepts are highly simplified in Domain 1, while the primary parts are addressed in Domain 8
    • Supply Chain is well addressed
  • Domain 2
    • Data Governance is introduced
    • Data Classification and Data Categorization (based on FIPS 199) are distinguished
    • Asset Classification is addressed
    • Asset Management Lifecycle based on NIST SP 1800-5a is introduced
    • Privacy contents are up-to-date
    • Data Remanence issues are highly simplified
  • Domain 3
    • Security engineering principles and ISO/IEC 19249
    • Physical Security is simplified, and CPTED is cut off
  • Domain 4
  • Domain 5
    • Emerging authentication technologies are introduced.
    • Identity Assurance Levels are introduced.
    • Identity lifecycle is mentioned.
    • Provisioning is defined.
  • Domain 6
    • Contents are well organized and addressed.
    • Assessment standards and PenTest approach are addressed.
    • CSA and STAR for security assurance in the cloud are introduced.
    • KPI and KRI are introduced.
    • ISO Standards for audits and audit programs are introduced.
  • Domain 7
    • Need to Know is clarified.
    • Information lifecycle based on ISO 27002
  • Domain 8
    • Agile is adequately introduced
    • Application security standards are introduced
    • Microsoft security development lifecycle is introduced
    • Trending topics are introduced, such as Microservices and AI
    • Maturity models are emphasized

Pros and Cons

Pros:

  • Well-organized
  • Matching the CISSP exam outline to the first level of topics in each domain
  • Trending materials
  • Smaller in size

Cons:

  • No review questions
  • No appendix for supplement materials or document templates
  • No glossary
  • No references


The Official Risk Definition from ISC2

We finally have the explicit official definition of risk from ISC2.😂 It reads as follows:

“The possibility of damage or harm and the likelihood that damage or harm will be realized.”

But I am not sure whether the definition of risk from ISC2 has a typo or not; I would revise it as follows:

The possibility of damage or harm and the “magnitude” that damage or harm will be realized.

As a certified professional in ISACA-CRISC and PMI-RMP, I developed my risk management concepts based on the definition from ISO and Dr. David Hillson’s approach, and I treat information security as a subdiscipline of risk management.

If you are interested in risk management, please google the Risk Doctor, Dr. David Hillson, for details.


The Clark-Wilson Model

Please refer to

InfoSec 101


Security is the state or outcome of protecting assets from danger through controls (also called safeguards or countermeasures). Assets are anything of value. Value is anything of importance, significance, or use.

Information Security is a discipline to protect information and information systems from threats through security controls to achieve the objectives of confidentiality, integrity, and availability, or CIA for short. Information is useful data; an information system is a system that converts data into information; a system is a collection of related elements that work together to achieve a common goal. A typical information system comprises such elements as data, computers, operating systems, software, networks, data centers, people, business processes, and so forth. Kindly be reminded that a CISSP is a Certified Information Systems Security Professional.

Risk is the effect of uncertainty on objectives. Risks with positive effects are opportunities, while those with negative effects are threats. Information Security, which not uncommonly emphasizes addressing threats more than opportunities, is a subdiscipline of risk management.

This post answers the Brain Burner Questions.

Strategy Execution Framework

Strategic Management is one of the most important issues of information security governance; it can be divided into strategy formulation and strategy execution.
As a CISO, you have to think strategically to develop the information security strategy and align it with the business goals and objectives and with the upper-level corporate or business strategy.

Reviewing the mission/vision statement, the BCG Matrix, SWOT analysis, Porter’s value chain, and the five forces model are useful tools for developing the strategy.

After the strategy is crafted, the PMI OPM (Organizational project management) strategy execution framework is an ideal one to implement your strategy. Other frameworks, such as COBIT or ITIL, are alternatives in terms of strategy execution.


Since I first encountered the 8086 PC in 1989, my career in the IT industry was set; and standing on the podium as a computer instructor for the first time in 1992 sparked my passion for education and training. From DOS, ET, KC, Multiplan, DB3, Paradox, Access, SQL, Ami Pro, Office; Windows, NT, Novell, Slackware, MCSE, AD, Azure, AWS; Assembly, C, Clipper, VB6, COM/DCOM, SOAP, C#, MVC, ORM, RESTful, TypeScript, Angular, Android; Waterfall, UML, ICONIX, XP, Agile, Scrum; management, governance, vision, mission; all the way to self-awareness. I see, beyond money, the responsibility and mission that rest on my own shoulders. If I have a dream, it is to one day see the people of Taiwan, even in the face of overwhelming pressures of every kind, decide Taiwan’s path and future of their own free will. The Sunflower Movement gave me boundless respect for the new generation of young people!

N years ago, it was rare to see a simplified-Chinese computer book at Taipei’s Tenlong bookstore; instead, computer books published in Taiwan were translated into simplified Chinese and sold well.

Taiwan’s low wages actually reflect the reality of entrepreneurship. This also reminds every worker, whether starting a business or taking a job, that they must have real skills, take responsibility for themselves, and accept the harsh standard that success or failure defines the hero. Because, apart from ourselves, nobody can be responsible for our own lives. To put it plainly, in this fiercely competitive era, even the survival of enterprises faces enormous challenges; what conditions, abilities and advantages do they have to look after an employee for a lifetime? And what obligation or passion does an employee have to work hard for one company for a lifetime? The workplace of the future will be only an exchange of real skills between supply and demand; from an idealistic point of view, those with ability should look after those with relatively less, and the truly disadvantaged can only be helped by the government’s social welfare system.

Taiwan is great! So great that even our resilience under pressure has degenerated!
Taiwan is wonderful! So wonderful that we cannot face how drastically the outside world has already changed, so wonderful that we ignore the cruel reality that we can no longer even see the tail lights of Hong Kong, Singapore and South Korea!

Taiwan is truly wonderful! We have a Taiwanese culture that blends European, American, Japanese, Chinese and local characteristics; we have Eastern humanism and Western rationality; we have a unique warmth of human feeling; we have high-quality civil servants and an administrative system; and, above all, we have a democratic system whose value we ourselves cannot see but which is the pride of the world!

Taiwan’s goodness needs us to protect and defend it with all our strength. To make Taiwan better, each of us must start with ourselves! Improving our own abilities is strengthening our competitiveness; let us go international together, and reach China by way of the world! I look forward to the day we can travel to China on a Taiwanese passport! God bless Taiwan!!