
Cost-Effective Enforcement of Access and Usage Control Policies under Uncertainties

Abstract

In Usage CONtrol (UCON) access decisions rely on mutable attributes. A reference monitor should re-evaluate security policies each time attributes change their values. Identifying all attribute changes in a timely manner is a challenging issue, especially if the attribute provider and the reference monitor reside in different security domains. Some attribute changes might be missed, corrupted, and delayed. As a result, the reference monitor may erroneously grant access to malicious users and forbid it for eligible ones. This paper proposes a set of policy enforcement models which help to mitigate the uncertainties associated with mutable attributes. In our model the reference monitor, as usual, evaluates logical predicates over attributes and, additionally, makes some estimates on how much observed attribute values differ from the real state of the world. The final access decision takes into account both factors. We assign costs for granting and revoking access to legitimate and malicious users and compare the proposed policy enforcement models in terms of cost-efficiency.
