In complex and generally large-scale systems and organizations, such as corporate Information Technology (IT) infrastructures, there exist potential impacts to the security of the system. Such security vulnerabilities, even if they can be discovered and defined in a meaningful way, are typically difficult and costly to assess. This can be because of the number and nature of the vulnerabilities, for example, as well as the number of assets present in such large systems, all of which can have an impact on potential solutions, which vary greatly.
For example, as people join and leave an organization or change their roles, their access rights should reflect these changes. The processes involved can be complex and difficult to manage, especially when employee turnover is high, parts of the IT organization are outsourced, and management behavior interferes with good security practices. Equally, these latter activities are expensive and quite often detect violations and issues a long time after they have happened. Typically, one of the main threats that exposes an organization to risk is related to the abuse and misuse of access rights. This can be carried out by personnel (and ex-employees) for a variety of reasons, including curiosity, revenge or economic matters.